\n\n\n","00002b func[0]:\n00002d: 41 2a | i32.const 42\n00002f: 0b | end\n000030 func[1]:\n000032: 10 00 | call 0\n000034: 41 01 | i32.const 1\n000036: 6a | i32.add\n000037: 0b | end\n","TOCTOU"," (func $leak(param i32 i32 i32 i32 i32 i32)(result i32)\n i32.const 0\n get_local 0\n i32.store\n i32.const 4\n get_local 1\n i32.store\n i32.const 8\n get_local 2\n i32.store\n i32.const 12\n get_local 3\n i32.store\n i32.const 16\n get_local 4\n i32.store\n i32.const 20\n get_local 5\n i32.store\n i32.const 0\n ))\n","/*Text format of funcx*/\n (func $simple6 (param i32 i32 i32 i32 i32 i32 ) (result i32)\n get_local 5\n get_local 4\n i32.add)\n/*Disassembly code of funcx*/\n--- Code ---\nkind = WASM_FUNCTION\nname = wasm#1\ncompiler = turbofan\nInstructions (size = 20)\n0x58f87600 0 8b442404 mov eax,[esp+0x4]\n0x58f87604 4 03c6 add eax,esi\n0x58f87606 6 c20400 ret 0x4\n0x58f87609 9 0f1f00 nop\nSafepoints (size = 8)\nRelocInfo (size = 0)\n--- End code ---\n","/*Disassembly code of JS_TO_WASM function */\n--- Code ---\nkind = JS_TO_WASM_FUNCTION\nname = js-to-wasm#0\ncompiler = turbofan\nInstructions (size = 170)\n0x4be08f20 0 55 push ebp\n0x4be08f21 1 89e5 mov ebp,esp\n0x4be08f23 3 56 push esi\n0x4be08f24 4 57 push edi\n0x4be08f25 5 83ec08 sub esp,0x8\n0x4be08f28 8 8b4508 mov eax,[ebp+0x8]\n0x4be08f2b b e8702e2bde call 0x2a0bbda0 (ToNumber) ;; code: BUILTIN\n0x4be08f30 10 a801 test al,0x1\n0x4be08f32 12 0f852a000000 jnz 0x4be08f62 <+0x42>\n","The EoP Bug (CVE-2017-14904)","gralloc_map","gralloc_unmap","static int gralloc_map(gralloc_module_t const* module,\n buffer_handle_t handle)\n{ ……\n private_handle_t* hnd = (private_handle_t*)handle;\n ……\n if (!(hnd->flags & private_handle_t::PRIV_FLAGS_FRAMEBUFFER) &&\n !(hnd->flags & private_handle_t::PRIV_FLAGS_SECURE_BUFFER)) {\n size = hnd->size;\n err = memalloc->map_buffer(&mappedAddress, size,\n hnd->offset, hnd->fd); //---> mapped an ashmem and get the mapped address. 
the ashmem fd and offset can be controlled by Chrome render process.\n if(err || mappedAddress == MAP_FAILED) {\n ALOGE(\"Could not mmap handle %p, fd=%d (%s)\",\n handle, hnd->fd, strerror(errno));\n return -errno;\n }\n hnd->base = uint64_t(mappedAddress) + hnd->offset; //---> save mappedAddress+offset to hnd->base\n } else {\n err = -EACCES;\n}\n……\n return err;\n}\n","static int gralloc_unmap(gralloc_module_t const* module,\n buffer_handle_t handle)\n{\n ……\n if(hnd->base) {\n err = memalloc->unmap_buffer((void*)hnd->base, hnd->size, hnd->offset); //---> while unmapping, hnd->offset is not used, hnd->base is used as the base address, map and unmap are mismatched.\n if (err) {\n ALOGE(\"Could not unmap memory at address %p, %s\", (void*) hnd->base,\n strerror(errno));\n return -errno;\n }\n hnd->base = 0;\n}\n……\n return 0;\n}\nint IonAlloc::unmap_buffer(void *base, unsigned int size,\n unsigned int /*offset*/) \n//---> look, offset is not used by unmap_buffer\n{\n int err = 0;\n if(munmap(base, size)) {\n err = -errno;\n ALOGE(\"ion: Failed to unmap memory at %p : %s\",\n base, strerror(errno));\n }\n return err;\n}\n","52neverallow isolated_app {\n53 service_manager_type\n54 -activity_service\n55 -display_service\n56 -webviewupdate_service\n57}:service_manager find;\n","A Way of Breaking Chrome's Sandbox in Android","Bitunmap","7f54600000-7f54800000 rw-p 00000000 00:00 0 [anon:libc_malloc]\n7f58000000-7f54a00000 rw-s 001fe000 00:04 32783 /dev/ashmem/360alpha29 (deleted)\n7f54a00000-7f54c00000 rw-s 00000000 00:04 32781 /dev/ashmem/360alpha28 (deleted)\n7f54c00000-7f54e00000 rw-s 00000000 00:04 32779 /dev/ashmem/360alpha27 (deleted)\n7f54e00000-7f55000000 rw-s 00000000 00:04 32777 /dev/ashmem/360alpha26 (deleted)\n7f55000000-7f55200000 rw-s 00000000 00:04 32775 /dev/ashmem/360alpha25 (deleted)\n......\n","7f54400000-7f54600000 rw-s 00000000 00:04 31603 /dev/ashmem/360alpha1000 (deleted)\n7f54600000-7f547ff000 rw-p 00000000 00:00 0 [anon:libc_malloc]\n//--->There 
is a 2MB memory gap\n7f549ff000-7f54a00000 rw-s 001fe000 00:04 32783 /dev/ashmem/360alpha29 (deleted)\n7f54a00000-7f54c00000 rw-s 00000000 00:04 32781 /dev/ashmem/360alpha28 (deleted)\n7f54c00000-7f54e00000 rw-s 00000000 00:04 32779 /dev/ashmem/360alpha27 (deleted)\n7f54e00000-7f55000000 rw-s 00000000 00:04 32777 /dev/ashmem/360alpha26 (deleted)\n7f55000000-7f55200000 rw-s 00000000 00:04 32775 /dev/ashmem/360alpha25 (deleted)\n","7f54400000-7f54600000 rw-s 00000000 00:04 31603 /dev/ashmem/360alpha1000 (deleted)\n7f54600000-7f547ff000 rw-p 00000000 00:00 0 [anon:libc_malloc]\n7f547ff000-7f549ff000 rw-s 00000000 00:04 31605 /dev/ashmem/360alpha1001 (deleted) \n//--->The gap is filled with the ashmem memory 360alpha1001\n7f549ff000-7f54a00000 rw-s 001fe000 00:04 32783 /dev/ashmem/360alpha29 (deleted)\n7f54a00000-7f54c00000 rw-s 00000000 00:04 32781 /dev/ashmem/360alpha28 (deleted)\n7f54c00000-7f54e00000 rw-s 00000000 00:04 32779 /dev/ashmem/360alpha27 (deleted)\n7f54e00000-7f55000000 rw-s 00000000 00:04 32777 /dev/ashmem/360alpha26 (deleted)\n7f55000000-7f55200000 rw-s 00000000 00:04 32775 /dev/ashmem/360alpha25 (deleted)\n","7f54400000-7f54600000 rw-s 00000000 00:04 31603 /dev/ashmem/360alpha1000 (deleted)\n7f54600000-7f547ff000 rw-p 00000000 00:00 0 [anon:libc_malloc]\n7f547ff000-7f549ff000 rw-s 00000000 00:04 31605 /dev/ashmem/360alpha1001 (deleted)\n//--->the heap manager believes the memory range from 0x7f547ff000 to 0x7f54800000 is still managed by it and will allocate memory from this range, resulting in heap data being written to ashmem memory\n7f549ff000-7f54a00000 rw-s 001fe000 00:04 32783 /dev/ashmem/360alpha29 (deleted)\n7f54a00000-7f54c00000 rw-s 00000000 00:04 32781 /dev/ashmem/360alpha28 (deleted)\n7f54c00000-7f54e00000 rw-s 00000000 00:04 32779 /dev/ashmem/360alpha27 (deleted)\n7f54e00000-7f55000000 rw-s 00000000 00:04 32777 /dev/ashmem/360alpha26 (deleted)\n7f55000000-7f55200000 rw-s 00000000 00:04 32775 /dev/ashmem/360alpha25 
(deleted)\n","GraphicBuffer","typedef struct android_native_base_t\n{\n /* a magic value defined by the actual EGL native type */\n int magic;\n /* the sizeof() of the actual EGL native type */\n int version;\n void* reserved[4];\n /* reference-counting interface */\n void (*incRef)(struct android_native_base_t* base);\n void (*decRef)(struct android_native_base_t* base);\n} android_native_base_t;\n","Summary","December 2017 Security Update","\n\nLabels:\n\n\n\nandroid security\n\n\n","\nMore details about mitigations for the CPU Speculative Execution issue\n","\nJanuary 4, 2018\n","Posted by Matt Linton, Senior Security Engineer and Pat Parseghian, Technical Program Manager","detailed technical information","Retpoline","Speculative Execution and the Three Methods of Attack","post","Variant 1 (CVE-2017-5753), “bounds check bypass.” This vulnerability affects specific sequences within compiled applications, which must be addressed on a per-binary basis.","Variant 2 (CVE-2017-5715), “branch target injection”. This variant may either be fixed by a CPU microcode update from the CPU vendor, or by applying a software mitigation technique called “Retpoline” to binaries where concern about information leakage is present. This mitigation may be applied to the operating system kernel, system programs and libraries, and individual software programs, as needed.","Variant 3 (CVE-2017-5754), “rogue data cache load.” This may require patching the system’s operating system. For Linux there is a patchset called KPTI (Kernel Page Table Isolation) that helps mitigate Variant 3. Other operating systems may implement similar protections - check with your vendor for specifics.","Mitigation","\nVariant 1: bounds check bypass (CVE-2017-5753)","This attack variant allows malicious code to circumvent bounds checking features built into most binaries. 
Even though the bounds checks will still fail, the CPU will speculatively execute instructions after the bounds checks, which can access memory that the code could not normally access. When the CPU determines the bounds check has failed, it discards any work that was done speculatively; however, some changes to the system can be still observed (in particular, changes to the state of the CPU caches). The malicious code can detect these changes and read the data that was speculatively accessed.","The primary ramification of Variant 1 is that it is difficult for a system to run untrusted code within a process and restrict what memory within the process the untrusted code can access.","In the kernel, this has implications for systems such as the extended Berkeley Packet Filter (eBPF) that takes packet filterers from user space code, just-in-time (JIT) compiles the packet filter code, and runs the packet filter within the context of kernel. The JIT compiler uses bounds checking to limit the memory the packet filter can access, however, Variant 1 allows an attacker to use speculation to circumvent these limitations.","Mitigation requires analysis and recompilation so that vulnerable binary code is not emitted. Examples of targets which may require patching include the operating system and applications which execute untrusted code.","\nVariant 2: branch target injection (CVE-2017-5715)","This attack variant uses the ability of one process to influence the speculative execution behavior of code in another security context (i.e., guest/host mode, CPU ring, or process) running on the same physical CPU core.","Modern processors predict the destination for indirect jumps and calls that a program may take and start speculatively executing code at the predicted location. 
The tables used to drive prediction are shared between processes running on a physical CPU core, and it is possible for one process to pollute the branch prediction tables to influence the branch prediction of another process or kernel code.","In this way, an attacker can cause speculative execution of any mapped code in another process, in the hypervisor, or in the kernel, and potentially read data from the other protection domain using techniques like Variant 1. This variant is difficult to use, but has great potential power as it crosses arbitrary protection domains.","Mitigating this attack variant requires either installing and enabling a CPU microcode update from the CPU vendor (e.g., Intel's IBRS microcode), or applying a software mitigation (e.g., Google's Retpoline) to the hypervisor, operating system kernel, system programs and libraries, and user applications.","\nVariant 3: rogue data cache load (CVE-2017-5754)","This attack variant allows a user mode process to access virtual memory as if the process was in kernel mode. On some processors, the speculative execution of code can access memory that is not typically visible to the current execution mode of the processor; i.e., a user mode program may speculatively access memory as if it were running in kernel mode.","Using the techniques of Variant 1, a process can observe the memory that was accessed speculatively. On most operating systems today, the page table that a process uses includes access to most physical memory on the system, however access to such memory is limited to when the process is running in kernel mode. Variant 3 enables access to such memory even in user mode, violating the protections of the hardware.","Mitigating this attack variant requires patching the operating system. For Linux, the patchset that mitigates Variant 3 is called Kernel Page Table Isolation (KPTI). 
Other operating systems/providers should implement similar mitigations.","Mitigations for Google products","here","\nToday's CPU vulnerability: what you need to know\n","\nJanuary 3, 2018\n","[Google Cloud, G Suite, and Chrome customers can visit the Google Cloud blog for details about those products]","[For more technical details about this issue, please read Project Zero's blog post]","Google’s Project Zero","speculative execution","Mitigation status for Google products","All Google products not explicitly listed below require no user or customer action.","Android","Devices with the latest security update are protected. Furthermore, we are unaware of any successful reproduction of this vulnerability that would allow unauthorized information disclosure on ARM-based Android devices.","Supported Nexus and Pixel devices with the latest security update are protected.","Further information is available here.","Google Apps / G Suite (Gmail, Calendar, Drive, Sites, etc.):","No additional user or customer action needed.","Google Chrome","Some user or customer action needed. More information here.","Google Chrome OS (e.g., Chromebooks):","Some additional user or customer action needed. More information here.","Google Cloud Platform","Google App Engine: No additional customer action needed.","Google Compute Engine: Some additional customer action needed. More information here.","Google Kubernetes Engine: Some additional customer action needed. More information here.","Google Cloud Dataflow: Some additional customer action needed. More information here.","Google Cloud Dataproc: Some additional customer action needed. More information here. 
","All other Google Cloud products and services: No additional action needed.","Google Home / Chromecast:","No additional user action needed.","Google Wifi/OnHub:","Multiple methods of attack","\nTo take advantage of this vulnerability, an attacker first must be able to run malicious code on the targeted system.","\nThe Project Zero researchers discovered three methods (variants) of attack, which are effective under different conditions. All three attack variants can allow a process with normal user privileges to perform unauthorized reads of memory data, which may contain sensitive information such as passwords, cryptographic key material, etc.","\nIn order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions. It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound, and can lead to information disclosure.","\nThere is no single fix for all three attack variants; each requires protection independently. Many vendors have patches available for one or more of these attacks.","\nWe will continue our work to mitigate these vulnerabilities and will update both our product support page and this blog post as we release further fixes. 
More broadly, we appreciate the support and involvement of all the partners and Google engineers who worked tirelessly over the last few months to make our users and customers safe.","Blog post update log","Added link to Project Zero blog","Added link to Google Cloud blog","\n\n\n \n \n\n\n\n\n \n \n\n\n\n\n\n \n \n\n\n","\nLabels\n","\n \n ","\n#sharethemicincyber\n","\n#supplychain #security #opensource\n","\nandroid\n","\nandroid security\n","\nandroid tr\n","\napp security\n","\nbig data\n","\nbiometrics\n","\nblackhat\n","\nC++\n","\nchrome\n","\nchrome enterprise\n","\nchrome security\n","\nconnected devices\n","\nCTF\n","\ndiversity\n","\nencryption\n","\nfederated learning\n","\nfuzzing\n","\nGboard\n","\ngoogle play\n","\ngoogle play protect\n","\nhacking\n","\ninteroperability\n","\niot security\n","\nkubernetes\n","\nlinux kernel\n","\nmemory safety\n","\nOpen Source\n","\npha family highlights\n","\npixel\n","\nprivacy\n","\nprivate compute core\n","\nRowhammer\n","\nrust\n","\nSecurity\n","\nsecurity rewards program\n","\nsigstore\n","\nspyware\n","\nsupply chain\n","\ntargeted spyware\n","\ntensor\n","\nTitan M2\n","\nVDP\n","\nvulnerabilities\n","\nworkshop\n","\n \n ","\nArchive\n","\n\n\n \n \n\n\n\n\n \n \n  \n \n\n\n\n2024\n\n","\nJul\n","\nJun\n","\nMay\n","\nApr\n","\nMar\n","\nFeb\n","\nJan\n","\n\n\n \n \n\n\n\n\n \n \n  \n \n\n\n\n2023\n\n","\nDec\n","\nNov\n","\nOct\n","\nSep\n","\nAug\n","\n\n\n \n \n\n\n\n\n \n \n  \n \n\n\n\n2022\n\n","\n\n\n \n \n\n\n\n\n \n \n  \n \n\n\n\n2021\n\n","\n\n\n \n \n\n\n\n\n \n \n  \n \n\n\n\n2020\n\n","\n\n\n \n \n\n\n\n\n \n \n  \n \n\n\n\n2019\n\n","\n\n\n \n \n\n\n\n\n \n \n  \n \n\n\n\n2018\n\n","\n\n\n \n \n\n\n\n\n \n \n  \n \n\n\n\n2017\n\n","\n\n\n \n \n\n\n\n\n \n \n  \n \n\n\n\n2016\n\n","\n\n\n \n \n\n\n\n\n \n \n  \n \n\n\n\n2015\n\n","\n\n\n \n \n\n\n\n\n \n \n  \n \n\n\n\n2014\n\n","\n\n\n \n \n\n\n\n\n \n \n  \n \n\n\n\n2013\n\n","\n\n\n \n \n\n\n\n\n \n \n  \n 