Review of Kernel-level ASLR protection in the context of ACPI

| Field | Value |
|---|---|
| Supervisor(s) | Bruno Bierbaumer |
| Status | finished |
| Topic | Others |
| Author | Bogad Katharina |
| Submission | 2018-05-15 |
| Type of Thesis | Bachelor thesis |
Description

Traditionally, malware is easily removable by re-installing the operating system and starting from scratch. If an attacker wants their malware to persist, a storage location outside of the operating system has to be found. To access the operating system from this location, kernel-level address space layout randomization (kASLR) has to be overcome. In this thesis, we explore the feasibility of hiding malware in ACPI bytecode by finding the kernel ASLR slide. First, we sketch a proof that ASL, the programming language of ACPI, is Turing-complete. Furthermore, we demonstrate that because ACPI uses physical addresses, the kernel can be found via brute force. Additionally, we show that this holds true in any kASLR configuration offered by the Linux kernel on x86, x86_64 and AArch64 machines. Thus, we conclude that kASLR is fundamentally flawed once address translation can be overcome, either by direct bus access or by remapping such as ACPI. This shows that kASLR of physical addresses offers no security benefit. Additionally, we demonstrate a proof-of-concept backdoor against current Linux kernels that uses our technique to break kASLR. To mitigate our attack, we recommend that the ACPI specification introduce a blacklist of disallowed memory regions, effectively prohibiting writes to the kernel memory region and thus preventing exploitation.