Spoiler, Use-After-Free, And Ghidra: This Week In Computer Security
The past few days have been busy if you’re trying to keep up with the pace of computer security news. Between a serious Chromium bug that’s actively being exploited on Windows 7 systems, the NSA releasing one of their tools as an open source project, and a new Spectre-like speculative execution flaw in Intel processors, there’s a lot to digest.
Intel’s Spoiler
To discuss “Spoiler” let’s do a quick refresher on how we got here. Speculative Execution is a staple of modern processors, allowing code to be executed out of order, and caching the results until needed. Instructions Per Cycle (IPC) has become an important metric as clock speed has stalled out at the 5 GHz barrier. Speculative Execution was dealt a blow when Spectre and Meltdown were announced. The essence of both attacks is that speculative execution has discernible effects. Try to access something you shouldn’t be allowed to see, and with some clever timing attacks against the cache, the protected data is leaked to another process.
Rowhammer is an attack against a machine’s physical memory. Modern memory only holds state for a limited period of time, and needs to be refreshed several times a second. It turns out that flipping nearby bits can cause that state to degrade more quickly. The Rowhammer exploit rapidly flips specific bits in order to affect neighboring ram, even if those memory addresses belong to different processes. It can change data in places that should be protected. One of the mitigations for Rowhammer is that the attacking process needs to understand the physical memory layout. There are various techniques that hide how a process’s memory is mapped to the physical layout, like Kernel Address Space Layout Randomization (KASLR).
Spoiler is a new abuse of speculative execution that leaks information about the physical memory layout, enabling much quicker Rowhammer attacks. The Register was the first to pick up on this story. Intel processors have a memory management system that allows speculative execution of memory load and store commands. The researchers realized that in certain cases, the delay in memory operations leaks enough information about the physical layout to perform a Rowhammer attack. They demonstrate a Rowhammer attack from an unprivileged user, and even from within a Javascript sandbox.
National Security and Ghidra
The National Security Agency (NSA) is no stranger to Open Source, as ironic as that thought may be. They developed and released Security Enhanced Linux (SELinux), as well as SEAndroid. Ghidra was first “announced” rather unintentionally, as it was repeatedly mentioned in the Vault 7 leak on Wikileaks. It’s a reverse engineering tool-kit, supporting many architectures and running on Linux, OSX, and Windows. The NSA officially announced Ghidra as a new open source project at the 2019 RSA conference.
The code has yet to be released, but the binaries are available and the full source code will be released as soon as possible. The NSA promises the binaries aren’t backdoored. On a totally unrelated note, running Ghidra in debug mode opens port 18001 to all network interfaces, allowing remote code execution. While suspicion and jokes have abounded, the quality of Ghidra seems quite high, and commercial reverse engineering tool-kits are priced out of the budget of many of us. We look forward to the release of the full source code, and taking advantage of this new tool.
Chromium, Windows 7, and Use-after-free
Use-after-free is a class of memory management vulnerability. When a program allocates memory for a data structure, that memory is reserved and the program uses a pointer to access what is stored there. Once the allocation is no longer needed, the memory is freed. What happens, then, if the program tries to access the memory after freeing it? Once the memory is released, any other process could be assigned that memory. An attacker can attempt to allocate the same physical memory location once it has been freed. When the vulnerable program tries to access the freed memory, it’s reading the attacker’s payload.
Chromium contained a Use-after-free bug in the file_reader_loader routines. Multiple references to a single data structure were unintentionally available, and not all those references were deleted when the data was freed. Google has fixed the issue in Chromium, and released a statement linking the Chromium vulnerability to a Windows kernel vulnerability. It seems that these two problems are actively being exploited in tandem to achieve remote code execution and privilege escalation.
Google took the unusual step of recommending that users of Windows 7 upgrade to Windows 10, as the security features of the newer Windows release seemed to prevent exploitation. As support for Windows 7 fully ends January of 2020, the hands of time are slowly ticking toward the inevitable demise of Windows 7.
See some exciting security news we should be covering? Head over to the tip line and let us know!
Gloss