I tried this PoC:
https://github.com/mniip/spectre-meltdown-poc
It works on sys_call_table.
I was able to read the address of the sys_read syscall.
I wanted to test it with a sample program that reads a value from memory, but in that case it does not work. Does anyone have an idea? The values come out as 00 and it runs much more slowly.
./pass
Password : secret
addr 0x7ffc9098b780
./poc 7ffc9098b780
cutoff: 96
0x7ffc9098b780 | 00 00 00 00 00 00 00 00 00 1.006466362648e-25 00
pass.c
#include <stdio.h>
#include <string.h>
int main(void) {
    char buf[7];                      /* room for "secret" plus the terminating NUL */
    printf("Password : ");
    if (fgets(buf, sizeof buf, stdin) == NULL)
        return 1;
    buf[strcspn(buf, "\n")] = '\0';   /* strip the newline; sscanf from buf into buf was undefined behaviour */
    printf("addr %p\n", (void *)buf);
    fflush(stdout);                   /* print the address even when stdout is not a terminal */
    while (1) {                       /* keep the process, and its stack, alive for probing */
    }
    /* unreachable while the loop above runs */
    printf("Password : %s\n", buf);
    return 0;
}
Thanks,
Update 1:
I found this program that gets the physical address for a virtual address from user space:
https://github.com/dwks/pagemap
Output:
./pagemap2 18135
=== Maps for pid 18135
0x400000 : pfn 0 soft-dirty 1 file/shared 1 swapped 0 present 1 library /home/user/spectre-meltdown-poc/pass
0x600000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library /home/user/spectre-meltdown-poc/pass
0x601000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library /home/user/spectre-meltdown-poc/pass
0x206a000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library [heap]
0x206b000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x206c000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x206d000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x206e000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x206f000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2070000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2071000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2072000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2073000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2074000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2075000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2076000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2077000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2078000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2079000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207a000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207b000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207c000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207d000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207e000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207f000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2080000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2081000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2082000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2083000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2084000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2085000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2086000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2087000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2088000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2089000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x208a000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x7f27b2365000 : pfn 0 soft-dirty 1 file/shared 1 swapped 0 present 1 library /lib/x86_64-linux-gnu/ld-2.23.so
0x7f27b253d000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library
0x7f27b253e000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library
0x7f27b253f000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library
0x7f27b2563000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library
0x7f27b2564000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library
0x7f27b2565000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library /lib/x86_64-linux-gnu/ld-2.23.so
0x7f27b2566000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library /lib/x86_64-linux-gnu/ld-2.23.so
0x7f27b2567000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library
0x7ffe2498c000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2498d000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2498e000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2498f000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24990000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24991000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24992000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24993000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24994000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24995000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24996000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24997000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24998000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24999000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499a000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499b000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499c000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499d000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499e000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499f000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a0000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a1000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a2000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a3000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a4000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a5000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a6000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a7000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a8000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a9000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library [stack]
0x7ffe249aa000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library [stack]
0x7ffe249ab000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249ac000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library [stack]
0x7ffe249ca000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [vvar]
0x7ffe249cb000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [vvar]
0x7ffe249cc000 : pfn 0 soft-dirty 1 file/shared 1 swapped 0 present 1 library [vdso]
0x7ffe249cd000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [vdso]
Where in the stack is the "secret" string? Which physical address should I try?
Thanks,
On Linux, the kernel half of the address space (every address above 0x8000000000000000) is constant across applications. If you looked up the address of the system call table with grep, that address is still valid when poc goes looking for its contents.
The user half of the address space, on the other hand, is unique to each process. When you point poc at 0x7ffc9098b780, what you are asking for is the contents of 0x7ffc9098b780 in pass, not 0x7ffc9098b780 in poc.
If you want to use Meltdown to read the memory of pass, it gets much more complicated than the toy proof of concept: you need to find out which physical memory address corresponds to the virtual address 0x7ffc9098b780 in pass, find the kernel's mapping of the physical address space, and read the appropriate part of physical memory.
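Added example (not from the question, the answer, or the linked pagemap tool): a C decoder for the 64-bit /proc/<pid>/pagemap entries behind the columns of the pagemap2 output in the question, plus a reader that looks up the entry for a stack buffer in its own process, which is the first step the answer describes for mapping a virtual address to physical memory. The bit layout is the one documented in the kernel's pagemap.rst; the PFN bits read as zero for callers without CAP_SYS_ADMIN, which is why every line of that output shows pfn 0.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* One decoded 64-bit /proc/<pid>/pagemap entry; bit layout per the kernel's pagemap.rst. */
struct pagemap_entry {
    uint64_t pfn;      /* bits 0-54: page frame number (swap type/offset if swapped) */
    int soft_dirty;    /* bit 55 */
    int file_shared;   /* bit 61: file-backed or shared anonymous page */
    int swapped;       /* bit 62 */
    int present;       /* bit 63 */
};

struct pagemap_entry pagemap_decode(uint64_t raw) {
    struct pagemap_entry e;
    e.pfn         = raw & ((1ULL << 55) - 1);
    e.soft_dirty  = (int)((raw >> 55) & 1);
    e.file_shared = (int)((raw >> 61) & 1);
    e.swapped     = (int)((raw >> 62) & 1);
    e.present     = (int)((raw >> 63) & 1);
    return e;
}

/* Byte offset of the entry for vaddr: one 8-byte entry per virtual page. */
off_t pagemap_offset(uint64_t vaddr, uint64_t page_size) {
    return (off_t)((vaddr / page_size) * sizeof(uint64_t));
}
/* Reads the raw entry for vaddr in the calling process; 0 on success, -1 if
 * /proc/self/pagemap cannot be read. Since Linux 4.2 the kernel zeroes the PFN
 * bits for callers without CAP_SYS_ADMIN, hence "pfn 0" on every pagemap2 line. */
int pagemap_read_self(uint64_t vaddr, uint64_t *raw) {
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = pread(fd, raw, sizeof *raw, pagemap_offset(vaddr, (uint64_t)sysconf(_SC_PAGESIZE)));
    close(fd);
    return n == (ssize_t)sizeof *raw ? 0 : -1;
}

int main(void) {
    char buf[7] = "secret";   /* a stack buffer like the one in pass.c */
    uint64_t raw;
    if (pagemap_read_self((uint64_t)(uintptr_t)buf, &raw) != 0) return 1;
    struct pagemap_entry e = pagemap_decode(raw);
    printf("%p : pfn %#llx soft-dirty %d file/shared %d swapped %d present %d\n",
           (void *)buf, (unsigned long long)e.pfn, e.soft_dirty,
           e.file_shared, e.swapped, e.present);
    return 0;
}
```

Run it unprivileged and then under sudo to see the PFN field appear only in the privileged run; the present, swapped and file/shared flags are reported either way.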