If you want to exploit kernel memory regions with recent CPU side-channel attacks, the KPTI countermeasure has to be disabled.
This post describes how KPTI can be disabled on a current Ubuntu 20.04 system.
Checking whether KPTI is applied
Whether the OS currently in use (Ubuntu 20.04) has the KPTI defence enabled or disabled can be checked simply through the kernel log, using the command below.
marco@css:~/Downloads$ dmesg | grep Kernel/User
[ 0.923955] Kernel/User page tables isolation: enabled
"Kernel/User page tables isolation: enabled"로 KTPI가 enabled 되어있는것을 확인할 수 있다.
혹은 아래 명령어로 현재 PC에 적용된 mitigations를 확인 가능하다.
$ cat /sys/devices/system/cpu/vulnerabilities/*
KVM: Mitigation: VMX unsupported
Mitigation: PTE Inversion
Mitigation: Clear CPU buffers; SMT vulnerable
Mitigation: PTI
Mitigation: Speculative Store Bypass disabled via prctl and seccomp
Mitigation: usercopy/swapgs barriers and __user pointer sanitization
Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling
Not affected
Mitigation: Clear CPU buffers; SMT vulnerable
"Mitigation: PTI"가 적용된 것을 확인할 수 있다.
How to disable the KPTI
KPTI는 Kernel boot시 parameter를 넘겨줌으로써 diable할 수 있다.
$ sudo vi /etc/default/grub
1 # If you change this file, run 'update-grub' afterwards to update
2 # /boot/grub/grub.cfg.
3 # For full documentation of the options in this file, see:
4 # info -f grub -n 'Simple configuration'
5
6 GRUB_DEFAULT=0
7 GRUB_TIMEOUT_STYLE=hidden
8 GRUB_TIMEOUT=0
9 GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
10 GRUB_CMDLINE_LINUX_DEFAULT="quiet splash pti=off"
11 GRUB_CMDLINE_LINUX=""
12
13 # Uncomment to enable BadRAM filtering, modify to suit your needs
14 # This works with Linux (no patch required) and with any kernel that obtains
15 # the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
16 #GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
17
18 # Uncomment to disable graphical terminal (grub-pc only)
...
$ sudo update-grub
$ sudo reboot
I added the "pti=off" option on line 10.
Checking that KPTI is disabled
The output below confirms that KPTI has been disabled.
$ cat /sys/devices/system/cpu/vulnerabilities/*
KVM: Mitigation: VMX unsupported
Mitigation: PTE Inversion
Mitigation: Clear CPU buffers; SMT vulnerable
Vulnerable
Mitigation: Speculative Store Bypass disabled via prctl and seccomp
Mitigation: usercopy/swapgs barriers and __user pointer sanitization
Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling
Not affected
Mitigation: Clear CPU buffers; SMT vulnerable
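The check above prints the mitigation strings without the file names they belong to (the fourth line, "Mitigation: PTI" before and "Vulnerable" after, is the meltdown entry). The helper below, added here as an example and not part of the original post, reads the same sysfs directory file by file so every status keeps its vulnerability name, classifies the KPTI state from the meltdown file, and verifies that pti=off actually reached the running kernel's command line. The function names and the SYSFS_VULN override (used to point it at a constructed directory for offline testing) are assumptions.

```shell
#!/bin/sh
# Hypothetical helper (added example). SYSFS_VULN defaults to the real
# directory but can be overridden with a constructed copy for offline tests.
SYSFS_VULN="${SYSFS_VULN:-/sys/devices/system/cpu/vulnerabilities}"

# Print "name: status" for each vulnerability file, flagging entries whose
# status starts with "Vulnerable" (i.e. the mitigation is not active).
report_mitigations() {
    dir="${1:-$SYSFS_VULN}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*) printf '%-20s %s   <-- unmitigated\n' "$name:" "$status" ;;
            *)           printf '%-20s %s\n' "$name:" "$status" ;;
        esac
    done
}

# Classify KPTI from the meltdown entry:
# "Mitigation: PTI" -> enabled, "Vulnerable" -> disabled (e.g. after pti=off),
# "Not affected" -> not_affected, anything else (or missing file) -> unknown.
kpti_state() {
    dir="${1:-$SYSFS_VULN}"
    f="$dir/meltdown"
    if [ ! -f "$f" ]; then echo unknown; return 0; fi
    case "$(cat "$f")" in
        "Mitigation: PTI"*) echo enabled ;;
        Vulnerable*)        echo disabled ;;
        "Not affected"*)    echo not_affected ;;
        *)                  echo unknown ;;
    esac
}

# Return 0 if "pti=off" is a whole word on the kernel command line
# (defaults to /proc/cmdline of the running kernel; a string can be passed in).
pti_off_on_cmdline() {
    cmdline="${1:-$(cat /proc/cmdline)}"
    case " $cmdline " in
        *" pti=off "*) return 0 ;;
        *)             return 1 ;;
    esac
}
```

Run `report_mitigations` after the reboot: the meltdown line should read "Vulnerable", and `pti_off_on_cmdline` should succeed; if it fails, update-grub did not pick up the edited GRUB_CMDLINE_LINUX_DEFAULT.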