GaloisInc / BESSPIN-FETT-Portal

The web-based portal used by FETT Researchers to manage Target instances.
Apache License 2.0

Document reintroduced vulnerabilities in CHERI pure-capability kernel #447

Open brooksdavis opened 4 years ago

brooksdavis commented 4 years ago

In order to provide something to attack, we've reversed the patches for FreeBSD-SA-18:13.nfs and FreeBSD-SA-09:06.ktimer. Additionally, we've enabled an NFSv4 server to support attacking FreeBSD-SA-18:13.nfs.

We've had @brettferdosi take a shot at exploiting both of these under an ordinary RISC-V kernel and he's made sufficient progress that we're confident that motivated researchers could exploit them. We believe pure-capability CHERI will defeat these attacks.

The Learn portal needs to be augmented to mention these bugs.

mattlebeau-galois commented 4 years ago

Section of LEARN to update:

Content to update:

jrtc27 commented 4 years ago

> * The expectation is that both FreeBSD-SA-18:13.nfs and FreeBSD-SA-09:06.ktimer will be exploitable on corresponding GFE targets, but will be defeated by the COBRAOSSUS - SRI-Cambridge bluespec_p2 FreeBSD `purecap` variant

That's not actually going to be true because the GFE kernel doesn't have the patches reverted, right? @brooksdavis what's the plan here for something that researchers can attack and exploit?

brooksdavis commented 4 years ago

Hmm, I'm not sure what the right approach is. Is the GFE kernel a custom kernel or just GENERIC? If it's custom, I guess we could cherry-pick the reintroductions to freebsd-crossbuild and the kernels could be updated to enable the bugs.

It's worth noting that I don't expect the ability to exploit the risc-v ones is of much interest unless we make it a mission. We should defeat them both quite early in the chain by breaking out-of-bounds access.

rwatson commented 4 years ago

We could just ship two kernels in this instance, with instructions on how to boot the more RISC-V-flavoured kernel if desired?

mattlebeau-galois commented 4 years ago

Updated content to remove reference to GFE targets. Work required to produce a new GFE target with the mentioned patches backed out was indicated not to be worth the engineering effort by DARPA.

rwatson commented 4 years ago

Given the difficulty in booting a second kernel solely from within the TA-1 system, we might just consider documenting that a GENERIC kernel on the same branch (or another similar kernel configuration) can be built locally with a RISC-V target for use with Qemu, should there be interest in exploring and experimenting with that, but that breaking the RISC-V version of the kernel is not in scope for an award.