This is a short tutorial for implementation of the CPU backdoor with the help of QEMU emulator. Sources for the implementation are available here : https://github.com/AdamKostrzewa/qemuSparcTrojan
- QEMU emulator version 2.12.50 (v2.12.0-rc3-71-g6af2692e86-dirty) cloned from git clone git://git.qemu.org/qemu.git
- buildroot-2018.02.1 for cross compilation cloned from git clone git://git.buildroot.net/buildroot
You may install qemu sources with :
The buildroot must be configured for the sparc ISA cross-compilation. In the buildroot directory use the following commands
make menuconfig gives you access to the graphical configuration tools. Select from the “Toolchain” section the option “Build cross gdb for the host”. It is necessary as the default SPARC v8 config (qemu_sparc_ss10_defconfig) does not include cross-gdb by default. Save and exit the graphical interface. Later run:
The process of downloading and building the packages may take a while.
The gnu tools for cross-compilation (e.g. sparc-linux-gcc, sparc-linux-as, sparc-linux-gdb etc)
are located in the buildroot home directory :
All sources were checked on (26-May-2018)
The goal of this project is to present the simple implementation of the CPU backdoor in the Sparc pipeline using the Qemu emulator. The payload of the trojan will be included in the SDIV command and will change the state of the processor’s state register. The trigger will be appropriate div assembler command run with the selected operands (1024 and 64 appropriately). The trojan presents an example of the HW/SW codesign.
- Clone the repository with the trojan - https://github.com/AdamKostrzewa/qemuSparcTrojan
- Copy the translate.c file to the ~/qemu_path/target/sparc (where is ~/qemu_path/ is the path of the installation directory)
- Copy the helper.c file to the ~/qemu_path/target/sparc (where is ~/qemu_path/ is the path of the installation directory)
- Compile and run the qemu
- Compile and run the regular.c
- Compile and run the trigger.c
- run the simulation with the selected Linux Kernel
In my case I am running the following linux kernel: Linux buildroot 4.11.12 #1 Wed May 2 10:20:04 CEST 2018 sparc GNU/Linux
it is loaded with the command:
** Execution of the regular.c in the buildroot **
The result of execution is simple. The null pointer dereference will lead to a segmentation fault handled by the operating system (trap and interrupt). An exemplary output of the execution will look as follows:
If we un-comment the get_psr() function the execution will stop earlier as processor is running in the user mode, and we are not allowed to use the privileged instructions. The console output will then look as follows:
** Execution of thge trojans’s trigger.c in the buildroot **
The trigger.c file contains the triggering signal, i.e., division with operands int a = 1024; int b = 64; int c = a / b; Consequently after its execution we are able to use get_psr and put_psr functions without the “Illegal instruction” error. Exemplary output of the execution looks as follows:
As we see the processor was in the kernel mode after the activation (8th bit of the PSR). Therefore, attacker has access to all commands and all memory operations and can conduct local privilege escalation (local root) by overwriting privileges of the own process at the kernel’s stack.
BUT BE CAREFUL! In kernel mode system is really fragile and every pointer de-reference may finish in permanent crash:
The payload is included in the s_div function of the do_sdif function in helper.c of the target/sparc in qemu.
The actions of the payload are fairly simple:
- we check the value of the operands (x0 == 1024 && x1 == 64)
- we cas the CPU object to the CPUSPARCState *sc. The sc contains values of the SPARC CPU register as they are different from x86 and must be casted at runtime.
- we modify the eight bit of the PSR register sc->psrs =1;
If we are still in user mode the exception is raised as RDPSR | WRPSR are privileged instructions. Consult the SPARC Manual v8 for more details.