Texture Mem Exploit
#BHEU @BlackHatEvents
Evils in the Sparse Texture Memory: Exploit Kernel Based on Undefined Behaviors of Graphic APIs
Xingyu Jin, Richard Neal, Tony Mendez

Xingyu Jin (@1ce0ear), Senior Security Engineer
Richard Neal (@ExploitDr0id), Staff Security Engineer
Tony Mendez (@amdz23), Technical Program Manager

Information Classification: General


Agenda
● Part 1
○ Android GPU Security Review
○ Graphics Stack and PowerVR Driver
○ More places to find bugs
○ Evils in the Sparse Texture Memory
○ Root Exploit Demonstration
● Part 2
○ Finding vulnerabilities and exploits
○ Android Partner Vulnerability Initiative
Image by DALL·E
All vulnerabilities mentioned in this talk were already publicly disclosed and patches were made available by the affected vendor.
Android GPU Security: Current State

State of GPU Security on Android
● Significant {0,1,n}day attacks targeting GPU drivers

State of GPU Security on Android
● GPU Security is still vastly under-researched
○ Complicated, Proprietary, New features…
● Project Zero blog “Mind the Gap”
● Major Android GPUs:
○ ARM: Mali GPU
○ Qualcomm: Adreno GPU
○ Imagination Technologies: PowerVR GPU

PowerVR GPU by ImgTec
● Apple’s former GPU maker
● Popular in budget-friendly phones, tablets & TVs
○ Samsung A12, RedMi 9a/10a, Moto Pure G, Fire TV

PowerVR GPU by ImgTec
[Chart: PowerVR, 96.9 M]

PowerVR GPU Security
● Limited research before 2022
● More research kicks off in 2022
○ Google Android Security Team
■ https://bugs.chromium.org/p/apvi
○ Google Project Zero

○ More engagement with external security researchers

Android Graphic Stack & PowerVR Driver Introduction

Android Graphic Stack Overview

GPU vendors have different UMD implementations

OpenGL Impl: ImgTec & MediaTek

Spoiler alert: logs contain kernel pointers

OpenGL Impl: ImgTec & MediaTek

Bridge APIs

PVR Driver: PMR & MMU Context
● Physical Memory Resource (PMR)
○ Manage allocated physical pages
● GPU MMU Management
○ MMU Context Object
○ GPU Memory Heap
○ GPU Memory Reservation

PVR Driver: Map CPU pages

Thoughts about finding more bugs

Thoughts: how to find more bugs
● Difficulties
○ Too many bridge APIs, some of them are arcane
● Thoughts
○ Instrument / Reverse vendor graphic libraries

Instrument & Fuzz Graphic APIs
● Instrument on a real 3D app by PLT function hook
● Lightweight fuzzing: mutate parameters, scramble memory…

Reading OpenGL / Vulkan APIs
● Any complaints about GPU driver kernel crashes when using certain OpenGL / Vulkan APIs?

Undefined Behaviors in Graphic APIs (GL_EXT_sparse_texture)

OpenGL: Sparse Texture API
● GL_EXT_sparse_texture
○ Proposed in 2013 by Nvidia
● Most GPU vendors support it nowadays

OpenGL: Sparse Texture API
● Why Sparse texture API?
● Create a resource that is larger than physical memory
○ but only has a small portion of that resource actually backed by physical memory.

https://github.com/gpuweb/gpuweb/issues/455

Low Level Implementation
● Graphic API: Invoke kernel APIs
○ Alloc Indices: {0, 1, 1, 1}, Start va = 0x8000000000
○ Sparse Indices: {1, 1}, Start va = 0x8000002000

Undefined Behavior in OpenGL Document
● If the value of commit is FALSE, then the texture pages contained in the region are made de-committed. Their physical store is de-allocated, and their contents again become undefined.
● Reads from such regions (uncommitted) produce undefined data, but otherwise have no adverse effect.
● Atomic operations with return values on uncommitted regions will complete normally, but the returned value will be undefined and the result of the … will be discarded.
● Writes to such regions are ignored. The GL may attempt to write to uncommitted regions but the effect of doing so will be benign.

Sparse Texture API Under the Hood
● Step 1: Allocate Sparse texture memory
○ glTexPageCommitmentEXT(..., /*commit=*/GL_TRUE);

Sparse Texture API Under the Hood
● Step 2: Initialize Textures
○ glTexSubImage3D(..., /*ptr=*/image_ptr);

Sparse Texture API Under the Hood
● Final step: Destroy the sparse texture
○ glTexPageCommitmentEXT(..., /*commit=*/GL_FALSE);

● Looks secure!
○ Not possible to remap the sparse texture on the GPU to the CPU because it’s already destroyed

Additional Mapping by ourselves
● Accessing “undefined memory” from CPU

Issues in Implementing Sparse Texture
● Problem 1: object read / write OOB
● Problem 2: ref issues

Issues in Implementing Sparse Texture
● Problem 3: GPU start VA passed from userspace
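The three implementation problems above (object read/write OOB, reference issues, and a GPU start VA that arrives from userspace) can be illustrated with a small model of the driver-side bookkeeping a sparse-commit request touches. The following C is an added example written for this page; it is not PowerVR/ImgTec driver code. It assumes a hypothetical struct pmr that records which pages of a GPU VA reservation are backed by physical memory and how many CPU mappings each backed page has, and it reads the slide's index lists ({0, 1, 1, 1}, {1, 1}) as per-page commit flags relative to a start VA. Refusing to de-commit a page that a CPU mapping still references is one possible policy, chosen here so that the de-commit path cannot free pages out from under a live mapping (the page use-after-free the talk exploits); the underflow check in pmr_cpu_unmap is the kind of "impossible condition" the mitigation slide later mentions.

```c
/* Simplified model of sparse-commit bookkeeping in a GPU driver.
 * Hypothetical example for this page, not the PowerVR/ImgTec driver. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12u
#define PAGE_SIZE  ((uint64_t)1 << PAGE_SHIFT)
#define MAX_PAGES  8u

/* A reservation of GPU VA space (stands in for PMR + heap reservation). */
struct pmr {
    uint64_t base_va;
    uint32_t npages;
    bool     backed[MAX_PAGES];    /* physical page committed behind this VA? */
    uint32_t cpu_maps[MAX_PAGES];  /* live CPU mappings of that physical page */
};

void pmr_init(struct pmr *p, uint64_t base_va, uint32_t npages)
{
    memset(p, 0, sizeof *p);
    p->base_va = base_va;
    p->npages  = npages > MAX_PAGES ? MAX_PAGES : npages;
}

/* Problem 3: the start VA comes from userspace, so it must be page aligned and
 * the whole [start, start + n pages) window must lie inside the reservation.
 * Checks are ordered so that no intermediate value can overflow or underflow. */
static int check_window(const struct pmr *p, uint64_t start_va, size_t n,
                        uint32_t *first_page)
{
    if (n == 0 || n > p->npages)      return -EINVAL;
    if (start_va & (PAGE_SIZE - 1))   return -EINVAL;   /* misaligned */
    if (start_va < p->base_va)        return -EINVAL;   /* below the heap */
    uint64_t off = (start_va - p->base_va) >> PAGE_SHIFT;
    if (off >= p->npages)             return -EINVAL;   /* OOB start */
    if (n > p->npages - off)          return -EINVAL;   /* OOB end (Problem 1) */
    *first_page = (uint32_t)off;
    return 0;
}

/* Driver side of glTexPageCommitmentEXT(commit = GL_TRUE / GL_FALSE).
 * flags[i] selects page i of the window (assumed encoding of the slide's
 * index lists, e.g. {0, 1, 1, 1}). */
int pmr_change_sparse(struct pmr *p, uint64_t start_va, const uint8_t *flags,
                      size_t n, bool commit)
{
    uint32_t first;
    int rc = check_window(p, start_va, n, &first);
    if (rc) return rc;

    /* Problem 2 (ref issues): never release a physical page that a CPU
     * mapping still references; freeing it would leave a dangling PTE. */
    if (!commit)
        for (size_t i = 0; i < n; i++)
            if (flags[i] && p->cpu_maps[first + i]) return -EBUSY;

    for (size_t i = 0; i < n; i++)
        if (flags[i]) p->backed[first + i] = commit;
    return 0;
}

/* The "additional mapping by ourselves": mmap of one backed page into the CPU. */
int pmr_cpu_map(struct pmr *p, uint32_t page)
{
    if (page >= p->npages || !p->backed[page]) return -EFAULT;
    p->cpu_maps[page]++;
    return 0;
}

int pmr_cpu_unmap(struct pmr *p, uint32_t page)
{
    if (page >= p->npages)      return -EINVAL;
    if (p->cpu_maps[page] == 0) return -EINVAL;  /* impossible condition: underflow */
    p->cpu_maps[page]--;
    return 0;
}

int main(void)
{
    struct pmr p;
    pmr_init(&p, 0x8000000000ULL, 4);
    const uint8_t alloc[4]  = {0, 1, 1, 1};   /* slide: Alloc Indices {0,1,1,1} */
    const uint8_t sparse[2] = {1, 1};         /* slide: Sparse Indices {1,1}    */
    const uint8_t drop[4]   = {0, 1, 0, 0};
    pmr_change_sparse(&p, 0x8000000000ULL, alloc, 4, true);
    pmr_change_sparse(&p, 0x8000002000ULL, sparse, 2, true);
    pmr_cpu_map(&p, 1);
    int rc = pmr_change_sparse(&p, 0x8000000000ULL, drop, 4, false);
    printf("decommit of a CPU-mapped page -> %d (expected %d)\n", rc, -EBUSY);
    return 0;
}
```

The ordering inside check_window is the part worth copying: the page count is bounded before it is added to the offset, and the offset is bounded before the subtraction, so a start VA near the top of the address space or a huge page count cannot wrap the comparison into a "valid" window.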

Corrupting GPU Page Tables
● GPU Heap memory layout
● PowerVR has FANCY page tables
○ Supports different page sizes: 4K, 16K, 64K, 256K, 1M, 2M

The feature was there “forever”…
● The buggy sparse feature was introduced a decade ago
● Some of our other findings also date back a decade.

Rooting Device

Image by DALL·E

Exploit Page Use-after-free
● Graphic APIs + one mmap
● Various Ways to Root devices
○ Attacking page tables (KSMA / GPU MMU)
○ OpenCL R/W

Exploit Page Use-after-free
● Control page table
● Nullify all kernel mitigations

Image from asia-18-WANG-KSMA-Breaking-Android-kernel-isolation-and-Rooting-with-ARM-MMU-features

Rooting Device in 10s

Finding vulnerabilities

Finding other people's exploits

#include <stdio.h>
#include <string.h>
#include <sys/system_properties.h>

/* The exploit selects per-build parameters by matching the exact build fingerprint;
   a..l and do_bad_thing_with_params are the slide's placeholders. */
char fingerprint[PROP_VALUE_MAX];
int length = __system_property_get("ro.build.fingerprint", fingerprint);
printf("%s\n", fingerprint);
if (!strcmp(fingerprint, "google/oriole/oriole:12/SD1A.210817.037/7862242:user/release-keys")) {
    do_bad_thing_with_params(a, b, c);
    return;
}
if (!strcmp(fingerprint, "google/oriole/oriole:12/SQ1D.220105.007/8030436:user/release-keys")) {
    do_bad_thing_with_params(d, e, f);
    return;
}
if (!strcmp(fingerprint, "google/oriole/oriole:12/SQ1D.220205.004/8151327:user/release-keys")) {
    do_bad_thing_with_params(g, h, i);
    return;
}
if (!strcmp(fingerprint, "google/oriole/oriole:12/SQ3A.220705.003/8671607:user/release-keys")) {
    do_bad_thing_with_params(j, k, l);
    return;
}
/* etc. */
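A triage check for the pattern in the snippet above: an exploit that keys its parameters on exact ro.build.fingerprint values carries those fingerprints as plain strings, so a strings dump that contains several distinct production fingerprints is a useful tell when sifting samples. The following C is an added example for this page, not tooling from the talk. The string dump is constructed here (it reuses two fingerprints shown on the slide, one repeated), and anchoring on the ":user/release-keys" tail is an assumption about what a production-build fingerprint ends with.

```c
/* Triage helper: find distinct Android build fingerprints hard-coded in a
 * binary's string dump. Added example for this page, not tooling from the talk. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_FP 16
#define FP_LEN 128

/* Constructed stand-in for `strings` output of a suspicious binary. */
static const char SAMPLE_DUMP[] =
    "ro.build.fingerprint\n"
    "google/oriole/oriole:12/SD1A.210817.037/7862242:user/release-keys\n"
    "libGLESv2.so\n"
    "google/oriole/oriole:12/SQ1D.220105.007/8030436:user/release-keys\n"
    "google/oriole/oriole:12/SD1A.210817.037/7862242:user/release-keys\n";

/* Anchor on the release-keys tail (assumed production-build suffix), walk back
 * to the start of the token, and keep each distinct fingerprint once.
 * Returns the number of distinct fingerprints stored in out[]. */
size_t collect_fingerprints(const char *dump, size_t len,
                            char out[][FP_LEN], size_t max_out)
{
    static const char tail[] = ":user/release-keys";
    const size_t tail_len = sizeof tail - 1;
    size_t found = 0;

    for (size_t i = 0; i + tail_len <= len; i++) {
        if (memcmp(dump + i, tail, tail_len) != 0) continue;

        size_t start = i;
        while (start > 0 && dump[start - 1] != '\n' && dump[start - 1] != ' ')
            start--;
        size_t n = (i + tail_len) - start;

        /* brand/product/device:release/build_id/incremental must precede the tail */
        if (n >= FP_LEN || memchr(dump + start, ':', i - start) == NULL ||
            memchr(dump + start, '/', i - start) == NULL) {
            i += tail_len - 1;
            continue;
        }

        bool dup = false;
        for (size_t k = 0; k < found && !dup; k++)
            dup = strlen(out[k]) == n && memcmp(out[k], dump + start, n) == 0;
        if (!dup && found < max_out) {
            memcpy(out[found], dump + start, n);
            out[found][n] = '\0';
            found++;
        }
        i += tail_len - 1;  /* skip past this match */
    }
    return found;
}

/* Several distinct production fingerprints in one binary suggests per-build
 * parameter selection like the snippet on the slide. */
bool keyed_on_build(const char *dump, size_t len)
{
    char fps[MAX_FP][FP_LEN];
    return collect_fingerprints(dump, len, fps, MAX_FP) >= 2;
}

int main(void)
{
    char fps[MAX_FP][FP_LEN];
    size_t len = sizeof SAMPLE_DUMP - 1;
    size_t n = collect_fingerprints(SAMPLE_DUMP, len, fps, MAX_FP);
    for (size_t k = 0; k < n; k++) printf("fingerprint: %s\n", fps[k]);
    printf("keyed on build: %s\n", keyed_on_build(SAMPLE_DUMP, len) ? "yes" : "no");
    return 0;
}
```

On a real sample the dump would come from `strings` on the binary; a single fingerprint is normal for an app that merely logs the build, while a list of them next to version-specific constants is what the slide describes.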

Stopping exploitation

● Mitigations
○ ARM Memory Tagging Extension
○ First handset with MTE on the market
● Secure development practices
○ Rust in Linux and Android
○ OEM Portal - restricted access
■ https://docs.partner.android.com/security/oem-edu/driver-developers
● Detecting impossible conditions

“N-days function like 0-days on Android”
-Maddie Stone, Security Researcher, Threat Analysis Group (TAG)

Android Partner Vulnerability Initiative (APVI)

3P Vulns - Findings
● 80+ disclosed APVI OEM vulnerabilities
○ 1300+ GPSRP vulns
○ 1600+ SoC vulns

● ~30 bugs filed in 2023 by the Android Security Team
○ 5 disclosed Page UAF bugs
○ Other page corruptions: map2anywhere, map2oobpages…

● bugs.chromium.org/p/apvi
○ Moving to issuetracker in 2024

Closing the Gap
● Developers help OEMs implement & improve security processes
○ Decrease time from ingestion to patch
■ Reinforce policies with technical measures

● Researchers
○ GPU security is still under-researched

● More to come…

Thank You
