hawkes exploiting native client v1 · “native client is an open-source research technology for...
EXPLOITING NATIVE CLIENT
- BEN HAWKES
hacking at random 2009
THE INTRODUCTION
• ben
• + mark
• = beached as
THE INTRODUCTION
“Native Client is an open-source research technology for running x86 native code in web applications, with the goal of maintaining the browser neutrality, OS portability, and safety that people expect from web apps.”
• x86 code delivered to client browser from remote server (web app)
• this code must work on any browser on any OS
• and be run in such a way that is “secure”
THE INTRODUCTION
Schedule:
• technical kung-fu
• some speculative corporate analysis
• parting remarks + questions/discussion
TECH
THE GOAL
Motivation:
break the native client security model
but what is the security model?
THE METHOD
The Common Sense Methodology:
- understand the design
- understand the code
- audit
- test
- audit
- test
- …
NATIVE CLIENT TECHNOLOGY
HOW STUFF WORKS
1. Disassemble binary, invalidate (exit!) on “dangerous” instructions
2. Invalidate on instructions straddling blocks (i.e. block unaligned)
3. For indirect branches, ensure block alignment primitive used on target
4. Record list of properly aligned “valid” branch targets
5. Restart disassembly from start to check all branches hit valid targets
HOW STUFF REALLY WORKS
The validator comes down to this:
- if your instructions are good
- and you branch to instructions
then it's all good, mate
INITIAL ATTACKS
An initial attack surface:
- browser plugin
- binary loader
- nexe validator
- runtime services
CODE
Native Client is C/C++
this is essentially required
“it's like 1999”
DEMONSTRATION!
THE BUGS
Beached As found bugs in:
- validator
- syscall
- imc
- browser plugin
1
SRPC Shared Memory Infoleak / Memory Corruption
browser plugin integer overflow
visit a website -------> arbitrary code execution in your browser
2
SRPC Type Confusion Memory Corruption Attack
plugin compromise
classic dowd
...
3
2-byte Jump Operand Prefix Vulnerability
validator disassembler logic flaw
i386 instruction prefixes “modify” instruction that follows
3
NaCl validator checked prefix for 1-byte branches
… but there exist 2-byte branches
“conditional jumps”
modify code segment of a jCC
= jump anywhere into service runtime!
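A toy validator, written for this page as an added example (it is not NaCl's validator code), that implements the five steps from HOW STUFF WORKS above on a tiny x86-32 subset and includes the check bug 3 calls for: prefix bytes are accounted for on the 2-byte 0F 8x conditional jumps as well as the 1-byte ones. The 32-byte bundle size, the accepted instruction subset and the masked-jump byte sequence are assumptions of this toy, and the sample byte strings are constructed.

```c
#include <stdint.h>
#include <string.h>

#define BUNDLE 32  /* alignment block size; an assumption for this toy */

/* Decode one instruction from a deliberately tiny x86-32 subset. Returns its
 * length, or 0 if it is not allowed; direct branches set *is_branch/*target.
 * Prefix bytes (0x66 operand size, CS/DS overrides) are consumed and allowed
 * only on nop: a prefix changes how the CPU decodes what follows, and on a
 * 2-byte 0F 8x jcc a 0x66 prefix turns rel32 into rel16 with EIP truncated,
 * so the prefix check must cover the 2-byte branch forms, not just EB/7x.
 * "and $-32,%eax; jmp *%eax" (83 E0 E0 FF E0) is accepted only as one unit. */
static int decode(const uint8_t *p, size_t left, long off, int *is_branch, long *target)
{
    static const uint8_t masked_jmp[5] = {0x83, 0xE0, 0xE0, 0xFF, 0xE0};
    size_t i = 0;
    *is_branch = 0;
    while (i < left && (p[i] == 0x66 || p[i] == 0x2E || p[i] == 0x3E)) i++;
    if (i >= left) return 0;
    if (p[i] == 0x90) return (int)i + 1;                             /* (prefixed) nop */
    if (i) return 0;                                 /* prefix on anything else: reject */
    if (p[0] >= 0xB8 && p[0] <= 0xBF && left >= 5) return 5;         /* mov r32, imm32 */
    if (left >= 5 && !memcmp(p, masked_jmp, 5)) return 5;            /* masked jmp *%eax */
    if (left >= 2 && (p[0] == 0xEB || (p[0] & 0xF0) == 0x70)) {      /* jmp/jcc rel8 */
        *is_branch = 1; *target = off + 2 + (int8_t)p[1];
        return 2;
    }
    if (left >= 6 && p[0] == 0x0F && (p[1] & 0xF0) == 0x80) {        /* jcc rel32 */
        int32_t rel; memcpy(&rel, p + 2, 4);
        *is_branch = 1; *target = off + 6 + rel;
        return 6;
    }
    return 0;               /* anything else (bare jmp *%reg, int, ...) is "dangerous" */
}

/* Pass 1 walks the text linearly, rejects disallowed instructions and any
 * instruction straddling a bundle boundary, and records each instruction
 * start; pass 2 checks that every direct branch lands on a recorded start. */
static int validate(const uint8_t *code, size_t len)
{
    uint8_t start[256] = {0};
    long off, target = 0;
    int is_branch, n;
    if (len == 0 || len > sizeof start || len % BUNDLE) return 0;
    for (off = 0; (size_t)off < len; off += n) {
        n = decode(code + off, len - off, off, &is_branch, &target);
        if (n == 0 || off / BUNDLE != (off + n - 1) / BUNDLE) return 0;
        start[off] = 1;
    }
    for (off = 0; (size_t)off < len; off += n) {
        n = decode(code + off, len - off, off, &is_branch, &target);
        if (is_branch && (target < 0 || target >= (long)len || !start[target])) return 0;
    }
    return 1;
}

/* Constructed samples: `ins` placed at offset `at` inside two nop-filled bundles. */
static int bundle_check(const uint8_t *ins, size_t n, size_t at)
{
    uint8_t b[2 * BUNDLE];
    memset(b, 0x90, sizeof b);
    memcpy(b + at, ins, n);
    return validate(b, sizeof b);
}
int sample_plain_jcc(void)       { uint8_t c[] = {0x0F,0x84,2,0,0,0};        return bundle_check(c, 6, 4); }  /* je -> nop at 12: 1 */
int sample_prefixed_jcc(void)    { uint8_t c[] = {0x66,0x0F,0x84,2,0,0,0};   return bundle_check(c, 7, 4); }  /* bug-3 shape: 0 */
int sample_jump_into_mov(void)   { uint8_t c[] = {0xB8,1,0,0,0,0xEB,0xFB};   return bundle_check(c, 7, 0); }  /* lands inside mov: 0 */
int sample_masked_indirect(void) { uint8_t c[] = {0x83,0xE0,0xE0,0xFF,0xE0}; return bundle_check(c, 5, 8); }  /* and+jmp unit: 1 */
int sample_bare_indirect(void)   { uint8_t c[] = {0xFF,0xE0};                return bundle_check(c, 2, 8); }  /* unmasked: 0 */
int sample_straddle(void)        { uint8_t c[] = {0xB8,1,0,0,0};             return bundle_check(c, 5, 30); } /* crosses bundle: 0 */
```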
4
Direction Flag Sandbox Bypass
validator logic flaw …
leads to mem corruption in service runtime
code exec in runtime process!
4
EFLAGS register = flags (mostly status)
Contains a direction flag (DF)
– can set from inside inner sandbox
– but is NOT cleared when nexe trampolines to service runtime ...
4
Welcome to the Bizarro World
That memcpy you thought was going forwards?
Not so much.
“setting the DF flag causes string instructions to auto-decrement”
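An added example, not from the slides, that models the DF leak and its mitigation: untrusted code leaves DF set, the trampoline into the service runtime either executes cld or does not, and a rep movsb in trusted code then runs forwards or backwards. On x86 the flag is really set and the real instruction runs; on other architectures the string-instruction semantics are simulated. The buffer contents and the function names are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Models the state leak: (1) untrusted code leaves DF in the state
 * df_from_nexe; (2) the trampoline into the service runtime either executes
 * cld or not; (3) trusted code then runs a memcpy-style "rep movsb". On x86
 * the flag is really set and the real instruction runs; on other targets the
 * string-instruction semantics are simulated. DF is always cleared at the end
 * because the compiler (per the SysV ABI) assumes DF=0 in the code around it. */
static void runtime_copy(unsigned char *dst, const unsigned char *src, size_t n,
                         int df_from_nexe, int trampoline_clears_df)
{
#if defined(__i386__) || defined(__x86_64__)
    __asm__ volatile(
        "test %[df], %[df]\n\t"        /* (1) nexe set DF? then std */
        "jz 1f\n\t"
        "std\n\t"
        "1: test %[fix], %[fix]\n\t"   /* (2) trampoline normalises EFLAGS? */
        "jz 2f\n\t"
        "cld\n\t"
        "2: rep movsb\n\t"             /* (3) trusted copy, direction per DF */
        "cld"
        : "+D"(dst), "+S"(src), "+c"(n)
        : [df] "r"(df_from_nexe), [fix] "r"(trampoline_clears_df)
        : "cc", "memory");
#else
    int step = (df_from_nexe && !trampoline_clears_df) ? -1 : 1;
    for (; n; n--, dst += step, src += step) *dst = *src;
#endif
}

/* Copy 4 bytes from the middle of a constructed source buffer into the middle
 * of a '.'-filled destination and return the destination as a string.
 * Forward: dst[8..11] = "ijkl". With DF leaked and no cld, the same copy
 * walks backwards and writes dst[5..8] = "fghi" instead. */
const char *copy_result(int df_from_nexe, int trampoline_clears_df)
{
    static char out[17];
    unsigned char src[16], dst[16];
    memcpy(src, "abcdefghijklmnop", 16);
    memset(dst, '.', 16);
    runtime_copy(dst + 8, src + 8, 4, df_from_nexe, trampoline_clears_df);
    memcpy(out, dst, 16);
    out[16] = '\0';
    return out;
}
```

The third case is the fix the slides imply: once the trampoline clears DF before the first trusted instruction, whatever the nexe left in EFLAGS no longer reaches the service runtime.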
5
Native Client Memory Unmapping Vulnerability
runtime services fail
syscalls
- munmap
- mmap
WHAT ELSE?
• ELF is hard; loader bugs
• Side channels... I guess
• CPU errata
– remote hardware exploits
• Inter-module exploitation
questions?
THE HARD STUFF ($)
REALITY
I have a question.
Can native client win?
Technically, commercially
TARGET
Confused target audience?
Not with Chrome OS
Chrome OS = context for everything
THE COMPETITION
Microsoft’s Steve Ballmer on Chrome OS:
“The last time I checked you don't need two client operating systems.”
“There’s good data that actually says about 50% of the time someone is on their PC they’re not doing something in the web browser”
THE COMPETITION
CONCLUSION:
google should be very worried about
amazon
TECH = $
Technical limitations:
no 64-bit (do you care?)
slightly decreased performance
* we will find more bugs *
TECH = $
API/syscall “outer sandbox” limitations
What is an NEXE allowed to do?
Not much? No killer apps.
Too much? No security.
TECH = $
“The inability to deliver a secure implementation is an architectural flaw.”
- Dave Aitel, Immunity kingpin
Everyone welcome Native Client to the “Advisory Treadmill”.
THE TARGET
Beware of alienating target audience with security considerations
Google Omaha ++
Defense in depth is REQUIRED
THE POINT
Everyone has the “implementation problem”
The inner sandbox is not yet broken
Native Client + Chrome OS “makes sense”
sshhh.. someone might hear
ok, this is my tentative endorsement that, yes, Native Client could actually win ***
*** but only if they lock Tavis Ormandy in a room for a year or two
… and I'm worried about that outer sandbox, so er, you should be too
THE END
thanks
twitter.com/benhawkes