Monday, July 14, 2014

Kernel Information Leak with Unprivileged Instructions (SIDT, SGDT) on x86 - WHY?

In computer security, information leakage is one of the threats to software security. For example, the memory addresses of critical kernel resources should not be visible to user mode. Address space layout randomization (ASLR) is just one of the techniques used to prevent an attacker from reliably locating a particular function to exploit in memory.

However, I'm just very curious about why the x86 processor leaks kernel data structures through some unprivileged instructions. Is this a bad CPU design?

Here is an example. 

The x86 IDTR register holds the base memory address of the Interrupt Descriptor Table entries (vectors 0 through 255). Once we get that address, we can calculate the memory addresses of the ISRs for all exceptions/interrupts in the system.

But a user program can simply read the IDTR by executing the SIDT instruction.

See the two real-world example exploits below. If the SIDT instruction were not allowed to execute in user mode on x86, one more roadblock would be in place to mitigate such attacks.

1) Linux Kernel ptrace/sysret - Local Privilege Escalation

2) Ubuntu 12.04.0-2LTS x64 - perf_swevent_init Kernel Local Root Exploit

So the questions:  

  • Why does Intel/x86 allow such an instruction to be executed by an unprivileged program/task in user mode?
  • Is there any legitimate user-mode application that must use this instruction to obtain the address of a kernel structure?

Similar instructions are SGDT (retrieving the Global Descriptor Table Register), and
even seldom-used instructions like STR, SLDT and SMSW.

Can anybody (an Intel processor architect or an application software developer) tell me the reason for that?

Why are SIDT/SGDT instructions allowed to execute in user mode (x86/Intel)?


  1. UMIP = User-Mode Instruction Prevention (bit 11 of CR4). When set, the following instructions cannot be executed if CPL > 0: SGDT, SIDT, SLDT, SMSW, and STR. An attempt at such execution causes a general-protection exception (#GP).

    The CR4 register has a UMIP bit that controls the CPL check when executing the vulnerable instructions (SGDT, SIDT, SLDT, SMSW, STR).

    1. Emin, thanks for this info, very good to know that. I will check the latest IA SDM to see that feature.