
First a disclaimer: I don't intend to hack anyone, I'd just like to see the exploit in action on my own machine.

I've compiled the Spectre example in VS2017 on x64 Windows 10.

The example works when reading from its own process memory, but if I try to read from my test app, I only get a string of zeros or other similar characters.

test app:

#include "stdafx.h"   // VS2017 precompiled header; remove when building elsewhere
#include <cstdio>     // printf
#include <string>
#include <iostream>

// The secret the Spectre demo is supposed to read out of this process.
const char *gotroot = "The Magic Words are Squeamish Ossifrage.";

using namespace std;
int main()
{
    // Print the (user-space, virtual) address of the string so it can be
    // handed to the Spectre demo on its command line.
    printf("%p\n", gotroot);

    // Block until something is typed, keeping the process (and the string) alive.
    string endd;
    cin >> endd;

    printf("%s\n", gotroot);
    return 0;
}

I start the app and copy-paste the address into the Spectre command line, but I don't get the string.

I couldn't figure out whether Windows 10 has already been patched.

But I've also tried in Ubuntu 17.04 that hasn't been updated in a while, with the same result.

Is there something wrong with my approach?

Peter Cordes
Dacobi

1 Answer

Spectre is a vulnerability. I assume this "spectre command line" you mention is some specific implementation / testing tool? What target branch does it exploit? Presumably an indirect branch in the kernel, otherwise you could only give it addresses in the virtual address space of whatever target program it was attacking.

So you'll need the kernel address of the physical memory your target process is using, in the part of kernel virtual address space that maps all physical memory. (Or whatever Windows does, I forget. But it's apparently different from Linux's simple map-all-the-memory with 1G hugepages design). But both use the upper half of virtual address space for kernel addresses. The Meltdown paper explains how / why kernels map all the memory (and would leave it mapped globally, protected by the user/supervisor bit in the page tables if they didn't need to work around Meltdown on Intel CPUs. Meltdown defeats that permission bit.) But the kernel will have it mapped any time it's executing its own code, and thus Spectre can take advantage of that mapping. The Meltdown workaround is to unmap kernel pages when running user-space code. Spectre tricks the CPU into speculatively executing some kernel instructions in kernel mode.

Anyway, this is different from the char* value that your process uses in its own virtual address space. The same page of physical memory is mapped globally to a high address, as part of the kernel's map-everything region, and (when your process is executing) also to a low address for use by user-space code. It's this latter address that you see with %p.

Peter Cordes
  • I'm referring to the example in the Spectre paper: https://spectreattack.com/spectre.pdf – Dacobi Jan 14 '18 at 18:30
  • Is it possible to calculate the kernel address of an address in a userspace process? I'm just wondering why they added a command line argument for entering an address if it can't access any memory other than its own process? – Dacobi Jan 17 '18 at 17:31
  • No, it's not. Kernel ASLR exists for a reason. But if you used a kernel debugger, or kernel logging, or any kind of other way to find out an address, you could use this tool to read it. If the tool takes a kernel address, it's *just* a Spectre demonstrator, *not* a full working exploit packaged up for usability. – Peter Cordes Jan 17 '18 at 17:36
  • Ok. Last question. One thing I'm still confused about is that I read in another post that the C implementation doesn't know anything about physical addresses. That the translation from physical to virtual address space is beyond the process. But how could a C program then access a kernel address? – Dacobi Jan 18 '18 at 10:44
  • @user3866319: The kernel runs with paging enabled; to use a page of physical memory (for its own use, or to set it up for a user-space process), the kernel sets up a mapping in the page tables and then accesses the *virtual* address where it mapped that physical page. Some kernels (e.g. Linux) direct-map all physical memory to a contiguous range of virtual addresses, for easy access to any physical address (by using an offset into the region where it mapped everything). Note that a physical page (aka page frame) can be mapped by more than one virtual page. – Peter Cordes Jan 18 '18 at 11:49
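The point the answer and the last comment make (a `%p` value is one virtual address of a page, the kernel keeps its own mapping of the same physical frame, and one frame can be mapped at several virtual addresses) can be seen from user space without any exploit. The following is an added example, not code from the question, the answer or the Spectre paper. It maps one page of a temporary file twice and shows that a write through the first alias is visible through the second, so the two different `%p` values name the same physical page; on Linux it also reads `/proc/self/pagemap`, where the present bit is visible to any process but the physical frame number reads as 0 without `CAP_SYS_ADMIN` (kernels since 4.2), which is exactly why a user-space program cannot compute the kernel's address of its own data. The file path under `/tmp` and the helper names (`alias_demo`, `pagemap_lookup`, `pagemap_pfn`, `pagemap_present`) are this example's own choices, and the example assumes a POSIX system with `mmap` and `mkstemp`.

```c
/* Added example: two virtual aliases of one physical page, plus an (optional,
   Linux-only) look at /proc/self/pagemap. Not part of the original post. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#define PAGEMAP_PRESENT_BIT (1ULL << 63)       /* bit 63: page is present in RAM */
#define PAGEMAP_PFN_MASK    ((1ULL << 55) - 1) /* bits 0..54: page frame number   */

/* Decode one 64-bit /proc/<pid>/pagemap entry. The PFN is zeroed by the kernel
   for callers without CAP_SYS_ADMIN (Linux 4.2 and later). */
int pagemap_present(uint64_t entry) { return (entry & PAGEMAP_PRESENT_BIT) != 0; }
uint64_t pagemap_pfn(uint64_t entry) { return entry & PAGEMAP_PFN_MASK; }

/* Read the pagemap entry for the page containing addr.
   Returns 0 on success, -1 when pagemap is unavailable (non-Linux, no /proc). */
int pagemap_lookup(const void *addr, uint64_t *entry)
{
    long page = sysconf(_SC_PAGESIZE);
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0) return -1;
    off_t off = (off_t)((uintptr_t)addr / (uintptr_t)page) * (off_t)sizeof(uint64_t);
    ssize_t n = pread(fd, entry, sizeof *entry, off);
    close(fd);
    return n == (ssize_t)sizeof *entry ? 0 : -1;
}

/* Map one page of an unlinked temporary file at two virtual addresses.
   Returns 1 if a write through the first mapping is readable through the
   second (two distinct virtual addresses, one physical page), 0 on any error. */
int alias_demo(void)
{
    char path[] = "/tmp/alias-XXXXXX";   /* constructed scratch file name */
    long page = sysconf(_SC_PAGESIZE);
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    unlink(path);                         /* keep the fd, drop the name */
    if (ftruncate(fd, page) != 0) { close(fd); return 0; }

    char *a = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    char *b = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);
    if (a == MAP_FAILED || b == MAP_FAILED) return 0;

    /* The same secret string the question's test app holds. */
    const char *msg = "The Magic Words are Squeamish Ossifrage.";
    strcpy(a, msg);                       /* write via alias 1 ... */
    int same = (a != b) && strcmp(b, msg) == 0; /* ... read via alias 2 */

    printf("alias 1: %p\nalias 2: %p\n", (void *)a, (void *)b);
    uint64_t ea, eb;
    if (pagemap_lookup(a, &ea) == 0 && pagemap_lookup(b, &eb) == 0) {
        printf("present: %d %d  pfn: %llu %llu (0 = hidden without CAP_SYS_ADMIN)\n",
               pagemap_present(ea), pagemap_present(eb),
               (unsigned long long)pagemap_pfn(ea), (unsigned long long)pagemap_pfn(eb));
    }
    munmap(a, page);
    munmap(b, page);
    return same;
}

int main(void) { return alias_demo() ? 0 : 1; }
```

Run it as an ordinary user: the two `%p` values differ, yet the string written through the first is read back through the second. With root, the two pagemap entries show the same non-zero PFN; without it, both show `pfn: 0`, which is the address-hiding the answer refers to when it says kernel ASLR (and, here, PFN hiding) prevent computing the kernel-side address from user space.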