Boom! Here's proof the current privilege model in #RISC-V is insecure. My malicious kernel breaks out of the Supervisor privilege, infecting the highest privilege level (Machine Mode) with illegal instructions, causing a panic.

Full details to be released tomorrow at #HITB2017AMS!

Welcome to Buildroot
buildroot login: donb
Password:
$ /donb/hitb 8
trying fake rt_sigreturnx...
[ 228.530000] DONB(8): overwriting machine mode with illegal insn + ret
r = 0
$ /donb/hitb 6
trying fake rt_sigreturnx...
[ 256.520000] DONB mapping req to va = ffffffff78014e08
$ /donb/fakesyscall 9
trying fake rt_sigreturnx...
[ 321.710000] DONB(8): ok, now try the m-hook
/riscv/freedom-u-sdk/freedom-u-sdk/riscv-pk/machine/mtrap.c:18: machine mode: unhandlable trap 2 @ 0x0000000080000e08
@donb some machine code, maybe?