"Some patterns are not quite easy but familiar, navigable, manageable, but others require such delicacy and precision that I almost never survive."

Welcome to a journey of AArch64 kernel exploitation, from the least privileged, to the most secure privilege level on the ARMv8 platform. For this year's HITCON CTF, I played with my academic team, Kernel Sanders. When scanning through the problems, I quickly latched on to the Super Hexagon challenge once I heard it involved ARM exploitation. Want to try and solve some parts yourself? Here is the archive: super_

They also linked to the 6,666 page ARMv8 Reference Manual [1] and included a tar.xz file with the challenge files. The challenge files included a custom QEMU image with a new Super Hexagon specific machine type, QEMU patch files, a BIOS image, some placeholder flags, and a run script. I attempted to run the BIOS image using QEMU on my Ubuntu 16.04 VM, but I needed at least 3 GB of free memory (the machine type only works with exactly 3 GB). Instead, I transferred the challenge tar to a well-provisioned remote server for further testing. To avoid using Docker (for easy testing and debugging later), I ran it using nc -e and a bash while true loop to simulate xinetd. Then I simply connected to the remote service using netcat on my local machine:

    Save_key: failed (tci_msg: assert(index 1
    Load_key: failed (tci_msg: assert(index 0
    Load_key: failed (tci_msg: assert(index < DB_NUM & secure_db.value))

It looks like the application performs some basic assertions to protect against out of bounds indexes. It's time to understand what the application is actually doing behind the scenes and to search for flaws we can exploit.

AArch64 Preliminaries

Before we dive deeper into the challenge, let me talk a bit about the AArch64 architecture. AA64 is a 64-bit re-imagining of the ARM architecture and has changed significantly in many ways. From the programmer's perspective, all instructions are fixed to 4 bytes, with the 2-byte Thumb model completely removed. Instead of 16 general purpose registers, AA64 doubles it to 32.

From the systems programmer's perspective, the privilege model has been simplified to Exception Levels (EL). There are four numbered exception levels: EL0, EL1, EL2, and EL3. EL0 is user mode, EL1 the supervisor, EL2 typically the hypervisor, and EL3 the trusted firmware or secure monitor. Depending on the platform, these may differ slightly, but for Super Hexagon they are standard.

Each exception level, except EL2, has a secure or non-secure mode. This is the basis of ARM TrustZone and has been for over a decade. The processor can only be executing in one mode or another. ELs and secure versus non-secure modes are changed through exceptions. These can occur asynchronously from the CPU, usually from a peripheral or timer, or synchronously from an instruction trap. These traps are caused by the svc, hvc, and smc instructions, a.k.a. Supervisor Call, Hypervisor Call, and Secure Monitor Call. These are the points in the processor's execution at which ELs or processor modes are switched. The ELs and the transition points between them are summarized by the diagram below:

As you can imagine, this is all pretty complicated to program, let alone securely. This is part of the reason ARM provides a trusted firmware reference implementation. Super Hexagon was based partially on this trusted firmware but greatly simplified. If you are already familiar with ARMv7, I highly recommend you check out these slides, which remap many ARMv7 concepts to ARMv8.

Digging into bios.bin

With the preliminaries out of the way, let's begin the journey by examining the bios.bin file. Keep that reference manual [1] handy! When QEMU is used to emulate machines, there are a few modes of operation: user mode only, kernel mode, or BIOS mode. When user mode is specified, system calls are emulated by QEMU and no kernel is required. Kernel mode requires a guest-architecture kernel, but QEMU provides the initial BIOS setup routine. In BIOS mode, the first instruction executed is up to the developer. We are given bios.bin, an 803KB file that contains all of the executable code and data for the 6 challenges. So how do we separate out the individual stages from the single BIOS image? Let's read the provided qemu.patch file for On line 34 we find a physical memory map definition. This will definitely come in handy later once we start to exploit the higher exception levels.
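The svc, hvc and smc instructions described in the AArch64 preliminaries above are the synchronous transition points between exception levels, so being able to spot them in a raw firmware blob such as bios.bin is a useful first triage step when you want to know where a stage hands control to a higher EL. The following decoder is an added example, not code from the original write-up or from the challenge: it decodes the A64 exception-generation encoding (fixed bits 0xD4 in [31:24], a 16-bit immediate in [20:5], and the LL field in [1:0] selecting SVC, HVC or SMC) and scans a little-endian blob for those words. The sample blob is constructed inline; the function names and the EL mapping helper are my own.

```python
import struct
from typing import List, Optional, Tuple

# A64 exception-generation group (ARMv8-A reference manual, "Exception generation"):
#   bits [31:24] = 0b11010100 (0xD4), bits [23:21] = opc (000 for SVC/HVC/SMC),
#   bits [20:5]  = imm16, bits [4:2] = op2 (000), bits [1:0] = LL
#   LL = 01 -> SVC, 10 -> HVC, 11 -> SMC (00 is unallocated).
_FIXED_MASK = 0xFFE0001C   # bits that must be exactly 0xD4000000
_FIXED_BITS = 0xD4000000

# Which EL each call instruction traps into (standard layout, as on Super Hexagon).
_LL_TO_CALL = {1: ("svc", 1), 2: ("hvc", 2), 3: ("smc", 3)}


def decode_exception_gen(word: int) -> Optional[Tuple[str, int, int]]:
    """Return (mnemonic, imm16, target_el) for an SVC/HVC/SMC word, else None."""
    if word & _FIXED_MASK != _FIXED_BITS:
        return None
    ll = word & 0x3
    if ll not in _LL_TO_CALL:
        return None                      # LL=00 is not an allocated encoding
    mnemonic, target_el = _LL_TO_CALL[ll]
    imm16 = (word >> 5) & 0xFFFF
    return mnemonic, imm16, target_el


def scan_for_calls(blob: bytes, base: int = 0) -> List[Tuple[int, str, int, int]]:
    """Scan a little-endian A64 blob at 4-byte alignment for EL-transition calls.

    Returns (address, mnemonic, imm16, target_el) tuples. This is a heuristic:
    data regions can contain words that happen to match the encoding, so treat
    hits as candidates to confirm in a disassembler, not as ground truth.
    """
    hits = []
    for off in range(0, len(blob) - 3, 4):
        (word,) = struct.unpack_from("<I", blob, off)
        decoded = decode_exception_gen(word)
        if decoded is not None:
            mnemonic, imm16, target_el = decoded
            hits.append((base + off, mnemonic, imm16, target_el))
    return hits


# Constructed sample: svc #0x80, nop, hvc #1, smc #0 (not taken from bios.bin).
SAMPLE_BLOB = struct.pack("<4I", 0xD4001001, 0xD503201F, 0xD4000022, 0xD4000003)

if __name__ == "__main__":
    for addr, mnemonic, imm16, target_el in scan_for_calls(SAMPLE_BLOB, base=0x0):
        print(f"{addr:#010x}: {mnemonic} #{imm16:#x}  -> traps to EL{target_el}")
```

Run against a real image with `scan_for_calls(open("bios.bin", "rb").read(), base=<load address from the memory map>)`; the density of smc hits in one region versus svc hits in another is a quick way to tell which part of the blob is the secure monitor and which is a lower stage before opening a disassembler.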