21 特权级与内核安全示例
参考
https://blog.51cto.com/13475106/category6.html及狄泰软件相关课程
Q:通常情况下选择子中的RPL与对应描述符中的DPL相同,那么是否可以取缔RPL?
RPL是保证内核数据安全的关键要素之一;在内核代码中有决定性作用,绝对不能取缔
A.获取操作系统的内核
该实验主要通过调用门调用将内核数据进行打印
具体的实现代码如下
%include "inc.asm" org 0x9000 jmp ENTRY_SEGMENT [section .gdt] ; GDT definition ; 段基址, 段界限, 段属性 GDT_ENTRY : Descriptor 0, 0, 0 CODE32_DESC : Descriptor 0, Code32SegLen - 1, DA_C + DA_32 + DA_DPL3 VIDEO_DESC : Descriptor 0xB8000, 0x07FFF, DA_DRWA + DA_32 + DA_DPL3 DATA32_KERNEL_DESC : Descriptor 0, Data32KernelSegLen - 1, DA_DRW + DA_32 + DA_DPL0 DATA32_USER_DESC : Descriptor 0, Data32UserSegLen - 1, DA_DRW + DA_32 + DA_DPL3 STACK32_KERNEL_DESC : Descriptor 0, TopOfKernelStack32, DA_DRW + DA_32 + DA_DPL0 STACK32_USER_DESC : Descriptor 0, TopOfUserStack32, DA_DRW + DA_32 + DA_DPL3 TSS_DESC : Descriptor 0, TSSLen - 1, DA_386TSS + DA_DPL0 FUNCTION_DESC : Descriptor 0, FunctionSegLen - 1, DA_C + DA_32 + DA_DPL0;内核函数段 ; Call Gate ; 选择子, 偏移, 参数个数, 属性 FUNC_GETKERNELDATA_DESC : Gate FunctionSelector, GetKernelData, 0, DA_386CGate + DA_DPL3 ; GDT end GdtLen equ $ - GDT_ENTRY GdtPtr: dw GdtLen - 1 dd 0 ; GDT Selector Code32Selector equ (0x0001 << 3) + SA_TIG + SA_RPL3 VideoSelector equ (0x0002 << 3) + SA_TIG + SA_RPL3 KernelData32Selector equ (0x0003 << 3) + SA_TIG + SA_RPL0 UserData32Selector equ (0x0004 << 3) + SA_TIG + SA_RPL3 KernelStack32Selector equ (0x0005 << 3) + SA_TIG + SA_RPL0 UserStack32Selector equ (0x0006 << 3) + SA_TIG + SA_RPL3 TSSSelector equ (0x0007 << 3) + SA_TIG + SA_RPL0 FunctionSelector equ (0x0008 << 3) + SA_TIG + SA_RPL0 ; Gate Selector GetKernelDataSelector equ (0x0009 << 3) + SA_TIG + SA_RPL3 ; end of [section .gdt] TopOfStack16 equ 0x7c00 [section .s16] [bits 16] ENTRY_SEGMENT: mov ax, cs mov ds, ax mov es, ax mov ss, ax mov sp, TopOfStack16 ; initialize GDT for 32 bits code segment mov esi, CODE32_SEGMENT mov edi, CODE32_DESC call InitDescItem mov esi, DATA32_KERNEL_SEGMENT mov edi, DATA32_KERNEL_DESC call InitDescItem mov esi, DATA32_USER_SEGMENT mov edi, DATA32_USER_DESC call InitDescItem mov esi, STACK32_KERNEL_SEGMENT mov edi, STACK32_KERNEL_DESC call InitDescItem mov esi, STACK32_USER_SEGMENT mov edi, STACK32_USER_DESC call InitDescItem mov esi, FUNCTION_SEGMENT mov edi, FUNCTION_DESC call InitDescItem mov esi, TSS_SEGMENT mov edi, TSS_DESC call InitDescItem ; initialize GDT pointer struct mov eax, 0 mov ax, ds shl eax, 4 add eax, GDT_ENTRY mov dword [GdtPtr + 2], eax ; 1. load GDT lgdt [GdtPtr] ; 2. close interrupt cli ; 3. open A20 in al, 0x92 or al, 00000010b out 0x92, al ; 4. enter protect mode mov eax, cr0 or eax, 0x01 mov cr0, eax ; 5. load TSS mov ax, TSSSelector ltr ax ; 6. jump to 32 bits code ;jmp word Code32Selector : 0 push UserStack32Selector push TopOfUserStack32 push Code32Selector push 0 retf ; esi --> code segment label ; edi --> descriptor label InitDescItem: push eax mov eax, 0 mov ax, cs shl eax, 4 add eax, esi mov word [edi + 2], ax shr eax, 16 mov byte [edi + 4], al mov byte [edi + 7], ah pop eax ret [section .kdat] [bits 32] DATA32_KERNEL_SEGMENT: KDAT db "Kernel Data", 0 KDAT_LEN equ $ - KDAT KDAT_OFFSET equ KDAT - $$ Data32KernelSegLen equ $ - DATA32_KERNEL_SEGMENT [section .udat] [bits 32] DATA32_USER_SEGMENT: UDAT times 16 db 0 UDAT_LEN equ $ - UDAT UDAT_OFFSET equ UDAT - $$ Data32UserSegLen equ $ - DATA32_USER_SEGMENT [section .tss] [bits 32] TSS_SEGMENT: dd 0 dd TopOfKernelStack32 ; 0 dd KernelStack32Selector ; dd 0 ; 1 dd 0 ; dd 0 ; 2 dd 0 ; times 4 * 18 dd 0 dw 0 dw $ - TSS_SEGMENT + 2 db 0xFF TSSLen equ $ - TSS_SEGMENT [section .s32] [bits 32] CODE32_SEGMENT: mov ax, VideoSelector mov gs, ax mov ax, UserData32Selector mov es, ax mov di, UDAT_OFFSET call GetKernelDataSelector : 0 mov ax, UserData32Selector ; eip ==> 0x17 mov ds, ax mov ebp, UDAT_OFFSET mov bx, 0x0C mov dh, 12 mov dl, 33 call PrintString jmp $ ; ds:ebp --> string address ; bx --> attribute ; dx --> dh : row, dl : col PrintString: push ebp push eax push edi push cx push dx print: mov cl, [ds:ebp] cmp cl, 0 je end mov eax, 80 mul dh add al, dl shl eax, 1 mov edi, eax mov ah, bl mov al, cl mov [gs:edi], ax inc ebp inc dl jmp print end: pop dx pop cx pop edi pop eax pop ebp ret Code32SegLen equ $ - CODE32_SEGMENT [section .func] [bits 32] FUNCTION_SEGMENT: ; es:di --> data buffer GetKernelDataFunc: mov ax, KernelData32Selector mov ds, ax mov si, KDAT_OFFSET mov cx, KDAT_LEN call KMemCpy retf ; ds:si --> source ; es:di --> destination ; cx --> length KMemCpy: cmp si, di ja btoe add si, cx add di, cx dec si dec di jmp etob btoe: cmp cx, 0 jz done mov al, [ds:si] mov byte [es:di], al inc si inc di dec cx jmp btoe etob: cmp cx, 0 jz done mov al, [ds:si] mov byte [es:di], al dec si dec di dec cx jmp etob done: ret GetKernelData equ GetKernelDataFunc - $$ FunctionSegLen equ $ - FUNCTION_SEGMENT [section .kgs] [bits 32] STACK32_KERNEL_SEGMENT: times 256 db 0 Stack32KernelSegLen equ $ - STACK32_KERNEL_SEGMENT TopOfKernelStack32 equ Stack32KernelSegLen - 1 [section .ugs] [bits 32] STACK32_USER_SEGMENT: times 256 db 0c Stack32UserSegLen equ $ - STACK32_USER_SEGMENT TopOfUserStack32 equ Stack32UserSegLen - 1
实现结果
从结果中可以看到内核数据被用户进行了拷贝,导致内核数据不安全
B.对上述出现的错误进行改进
初步的解决方法-提出一个检查函数
1.获取段寄存器中RPL的值
2.判断RPL的值是否为SA_RPL0;true则为检查通过,可以继续访问数据,如果为false,特权级较低,出发异常
具体实现是在[section .func] [bits 32]中定义一个检查函数,并在拷贝之前将其进行调用,对RPL的值进行判断
代码如下:
[section .func] [bits 32] FUNCTION_SEGMENT: ; es:di --> data buffer GetKernelDataFunc: mov cx, [esp + 4] and cx, 0x0003 mov ax, es and ax, 0xFFFC or ax, cx mov es, ax mov ax, KernelData32Selector mov ds, ax mov si, KDAT_OFFSET mov cx, KDAT_LEN call KMemCpy retf ; ds:si --> source ; es:di --> destination ; cx --> length KMemCpy: mov ax, es call CheckRPL;进行调用 cmp si, di ja btoe add si, cx add di, cx dec si dec di jmp etob btoe: cmp cx, 0 jz done mov al, [ds:si] mov byte [es:di], al inc si inc di dec cx jmp btoe etob: cmp cx, 0 jz done mov al, [ds:si] mov byte [es:di], al dec si dec di dec cx jmp etob done: ret ; ax --> selector value ;检查函数 CheckRPL: and ax, 0x0003;进行与操作 cmp ax, SA_RPL0;进行比较操作 jz valid;进行判断跳转 mov ax, 0 mov fs, ax mov byte [fs:0], 0;触发异常
代码运行结果
从运行结果可以看出,代码没有对内核数据进行拷贝,同时检查函数起到作用, 对RPL的值进行判断,并触发异常进行打印。但是对用户的选择子RPL的值进行修改伪造,将其改为0,又可以将内核数据进行拷贝。
C.用户程序可以通过伪造的选择子中的RPL的值,从而绕开安全检查的机制,在这里需要提出新的解决方案
1.在栈中获取函数远调用前CS寄存器的值(请求者)
2.从之前CS寄存器的值获取RPL
3.用RPL更新到数据缓冲区对应的段寄存器中
4.实验检查函数CheckRPL对段寄存器进行安全检查
代码:
%include "inc.asm" org 0x9000 jmp ENTRY_SEGMENT [section .gdt] ; GDT definition ; 段基址, 段界限, 段属性 GDT_ENTRY : Descriptor 0, 0, 0 CODE32_DESC : Descriptor 0, Code32SegLen - 1, DA_C + DA_32 + DA_DPL3 VIDEO_DESC : Descriptor 0xB8000, 0x07FFF, DA_DRWA + DA_32 + DA_DPL3 DATA32_KERNEL_DESC : Descriptor 0, Data32KernelSegLen - 1, DA_DRW + DA_32 + DA_DPL0 DATA32_USER_DESC : Descriptor 0, Data32UserSegLen - 1, DA_DRW + DA_32 + DA_DPL3 STACK32_KERNEL_DESC : Descriptor 0, TopOfKernelStack32, DA_DRW + DA_32 + DA_DPL0 STACK32_USER_DESC : Descriptor 0, TopOfUserStack32, DA_DRW + DA_32 + DA_DPL3 TSS_DESC : Descriptor 0, TSSLen - 1, DA_386TSS + DA_DPL0 FUNCTION_DESC : Descriptor 0, FunctionSegLen - 1, DA_C + DA_32 + DA_DPL0;内核函数段 ; Call Gate ; 选择子, 偏移, 参数个数, 属性 FUNC_GETKERNELDATA_DESC : Gate FunctionSelector, GetKernelData, 0, DA_386CGate + DA_DPL3 ; GDT end GdtLen equ $ - GDT_ENTRY GdtPtr: dw GdtLen - 1 dd 0 ; GDT Selector Code32Selector equ (0x0001 << 3) + SA_TIG + SA_RPL3 VideoSelector equ (0x0002 << 3) + SA_TIG + SA_RPL3 KernelData32Selector equ (0x0003 << 3) + SA_TIG + SA_RPL0 UserData32Selector equ (0x0004 << 3) + SA_TIG + SA_RPL3 KernelStack32Selector equ (0x0005 << 3) + SA_TIG + SA_RPL0 UserStack32Selector equ (0x0006 << 3) + SA_TIG + SA_RPL3 TSSSelector equ (0x0007 << 3) + SA_TIG + SA_RPL0 FunctionSelector equ (0x0008 << 3) + SA_TIG + SA_RPL0 ; Gate Selector GetKernelDataSelector equ (0x0009 << 3) + SA_TIG + SA_RPL3 ; end of [section .gdt] TopOfStack16 equ 0x7c00 [section .s16] [bits 16] ENTRY_SEGMENT: mov ax, cs mov ds, ax mov es, ax mov ss, ax mov sp, TopOfStack16 ; initialize GDT for 32 bits code segment mov esi, CODE32_SEGMENT mov edi, CODE32_DESC call InitDescItem mov esi, DATA32_KERNEL_SEGMENT mov edi, DATA32_KERNEL_DESC call InitDescItem mov esi, DATA32_USER_SEGMENT mov edi, DATA32_USER_DESC call InitDescItem mov esi, STACK32_KERNEL_SEGMENT mov edi, STACK32_KERNEL_DESC call InitDescItem mov esi, STACK32_USER_SEGMENT mov edi, STACK32_USER_DESC call InitDescItem mov esi, FUNCTION_SEGMENT mov edi, FUNCTION_DESC call InitDescItem mov esi, TSS_SEGMENT mov edi, TSS_DESC call InitDescItem ; initialize GDT pointer struct mov eax, 0 mov ax, ds shl eax, 4 add eax, GDT_ENTRY mov dword [GdtPtr + 2], eax ; 1. load GDT lgdt [GdtPtr] ; 2. close interrupt cli ; 3. open A20 in al, 0x92 or al, 00000010b out 0x92, al ; 4. enter protect mode mov eax, cr0 or eax, 0x01 mov cr0, eax ; 5. load TSS mov ax, TSSSelector ltr ax ; 6. jump to 32 bits code ;jmp word Code32Selector : 0 push UserStack32Selector push TopOfUserStack32 push Code32Selector push 0 retf ; esi --> code segment label ; edi --> descriptor label InitDescItem: push eax mov eax, 0 mov ax, cs shl eax, 4 add eax, esi mov word [edi + 2], ax shr eax, 16 mov byte [edi + 4], al mov byte [edi + 7], ah pop eax ret [section .kdat] [bits 32] DATA32_KERNEL_SEGMENT: KDAT db "Kernel Data", 0 KDAT_LEN equ $ - KDAT KDAT_OFFSET equ KDAT - $$ Data32KernelSegLen equ $ - DATA32_KERNEL_SEGMENT [section .udat] [bits 32] DATA32_USER_SEGMENT: UDAT times 16 db 0 UDAT_LEN equ $ - UDAT UDAT_OFFSET equ UDAT - $$ Data32UserSegLen equ $ - DATA32_USER_SEGMENT [section .tss] [bits 32] TSS_SEGMENT: dd 0 dd TopOfKernelStack32 ; 0 dd KernelStack32Selector ; dd 0 ; 1 dd 0 ; dd 0 ; 2 dd 0 ; times 4 * 18 dd 0 dw 0 dw $ - TSS_SEGMENT + 2 db 0xFF TSSLen equ $ - TSS_SEGMENT [section .s32] [bits 32] CODE32_SEGMENT: mov ax, VideoSelector mov gs, ax mov ax, UserData32Selector mov es, ax mov di, UDAT_OFFSET call GetKernelDataSelector : 0 mov ax, UserData32Selector ; eip ==> 0x17 mov ds, ax mov ebp, UDAT_OFFSET mov bx, 0x0C mov dh, 12 mov dl, 33 call PrintString jmp $ ; ds:ebp --> string address ; bx --> attribute ; dx --> dh : row, dl : col PrintString: push ebp push eax push edi push cx push dx print: mov cl, [ds:ebp] cmp cl, 0 je end mov eax, 80 mul dh add al, dl shl eax, 1 mov edi, eax mov ah, bl mov al, cl mov [gs:edi], ax inc ebp inc dl jmp print end: pop dx pop cx pop edi pop eax pop ebp ret Code32SegLen equ $ - CODE32_SEGMENT [section .func] [bits 32] FUNCTION_SEGMENT: ; es:di --> data buffer GetKernelDataFunc: mov cx, [esp + 4] and cx, 0x0003 mov ax, es and ax, 0xFFFC or ax, cx mov es, ax mov ax, KernelData32Selector mov ds, ax mov si, KDAT_OFFSET mov cx, KDAT_LEN call KMemCpy retf ; ds:si --> source ; es:di --> destination ; cx --> length KMemCpy: mov ax, es call CheckRPL;进行调用 cmp si, di ja btoe add si, cx add di, cx dec si dec di jmp etob btoe: cmp cx, 0 jz done mov al, [ds:si] mov byte [es:di], al inc si inc di dec cx jmp btoe etob: cmp cx, 0 jz done mov al, [ds:si] mov byte [es:di], al dec si dec di dec cx jmp etob done: ret ; ax --> selector value ;检查函数 CheckRPL: and ax, 0x0003;进行与操作 cmp ax, SA_RPL0;进行比较操作 jz valid;进行判断跳转 mov ax, 0 mov fs, ax mov byte [fs:0], 0;触发异常 valid: ret GetKernelData equ GetKernelDataFunc - $$ FunctionSegLen equ $ - FUNCTION_SEGMENT [section .kgs] [bits 32] STACK32_KERNEL_SEGMENT: times 256 db 0 Stack32KernelSegLen equ $ - STACK32_KERNEL_SEGMENT TopOfKernelStack32 equ Stack32KernelSegLen - 1 [section .ugs] [bits 32] STACK32_USER_SEGMENT: times 256 db 0 Stack32UserSegLen equ $ - STACK32_USER_SEGMENT TopOfUserStack32 equ Stack32UserSegLen - 1
首先通过反编译在call GetKernelDataSelector : 0跳转处设置断点,接下来对通用寄存器eip寄存器进行查看,由92a8到92af之间的差值为7,可以推断mov ax, UserData32Selector ; eip ==> 0x17,该处是返回地址。同时0x17会入栈,cs也会入栈,对寄存器进行查看,此时cs寄存器为0x0b,接下来对栈顶的6个字节进行查看,发现0x17与cs寄存器都入栈,再继续操作,触发异常,过程如图所示
小结
1.RPL是保证内核数据安全的关键要素之一
2.内核代码可通过追踪真实请求者特权级判断操作合法性
3.进行函数远调用时,真实请求者的选择子就会存储于栈中
4.通过提取真实特权级能够保证内核数据安全
posted on 2020-12-25 08:28 lh03061238 阅读(67) 评论(0) 编辑 收藏 举报