Software enclaves.

Published 11 Mar 2017 | Edited 10 Jan 2018
A memory protection mechanism (continuation of the DFG topic). A fairly brief description (it relies on the earlier publications), but an understandable one. A full-fledged anti-dump.

Attachments:

  • ECV.zip (file size: 619.6 KB; views: 784)

Author: Indy_, Well-Known Member (registered 29 Apr 2011, 4 publications)

Comments


      1. galenkane 20 Oct 2023
        The concept of enclaves and data flow in DF operations
        • 'Enclave' refers to isolated memory areas in Intel-SGX2 technology.
        • Enclaves are memory regions with restricted access.
        • DF operations (R/W/X) involve hardware address translations and security checks.
        • Address translation is two-level, involving the computation of a linear address (LA) and a physical address.
        • LA is formed by adding a segment selector and an effective address (EA) offset.
        • The segment selector indirectly determines the base address, while the offset is given in the instruction code.
        • The descriptor, which is a kernel object, is not accessible from user mode (UM).
        • LA depends on the logical address, which is linearly mapped.
        • EA consists of multiple components and has the ModR/M (SIB) format.
        • In DF, the address component can be modified, resulting in a DF with a different LA in a different mode.
        • If a UM thread accesses the FS segment with offset N, the LA in the same mode is FS_base + N.
        • When passing a pointer to the kernel, the LA is formed relative to the segment's zero base, resulting in a shift of addresses by FS_base.
        • This shift causes the DF from KM to occur in a different memory area, resulting in different data for the two DFs in different modes.
        • This software enclave and the corresponding data retrieval are called atoms.
        • In addition to address translation differences, atoms are isolated from UM, and an atom cannot be restarted when a trap (exception) occurs.
        • Atoms are executed in a more privileged mode, preventing less privileged code from accessing the memory where the exception occurred.
        • LA can be changed through the second component, the EA.
        • To redirect a DF to another memory area (enclave), the EA needs to be modified, and the instruction may need to be restarted or emulated.
        • DF is detected through a trap set on the memory region or by decoding the EA for the instruction stream.
        • When a DF occurs on a trapped region (e.g. N/A), an exception is raised.
        • The EA is decoded, and the DF can be redirected to the enclave.
        • In another mode, the trap does not occur for the DF, and the instruction executing the DF cannot be restarted, effectively isolating the enclave from a more privileged mode.
        • An example of accessing an enclave is through the NtReadVM service.
        • An attachment to the process may occur if necessary, and the region is copied to a buffer.
        • The buffer address is different from the enclave address, resulting in the DF either copying data from the specified region or triggering a trap (N/A), which is handled by SEH, and the service returns an error.
        • With a direct DF, the EA will be modified.

        Dynamic Forwarding in Virtual Machines (VMs)
        • DF (Dynamic Forwarding) can occur when an atom is acting as an interface for a VM gateway.
        • In such cases, the DF is isolated, as the task is executed within the VM rather than in the emulated environment.
        • AV atom AVG: F0 BB Imm32 (lock mov ebx, imm32) is an example of a gateway that triggers the VM to perform the emulated API.
        • When passing a pointer to an atom, a DF can occur without triggering a trap.
        • An error will be returned or an exception will be raised, but restarting the atom is not possible due to the lack of access.
        • Tracing (DYE) can redirect a DF to the enclave by detecting it.
        • To redirect a DF, it is necessary to modify the LA components (segment or EA) or to emulate the instruction with LA modification.
        • Using traps for these purposes is not efficient and can result in a high number of exceptions and low timing.
        • When a DF is detected through tracing, the code is decomposed into instruction streams, with each being decoded to determine the LA.
        • Two methods can be used for this: regular emulation or dynamic emulation (DYE).
        • Unlike regular emulation (used in DBI), dynamic emulation only emulates control transfers (branches), while the rest of the code (linear) is executed directly.
        • Every instruction needs to be sequentially decoded and emulated during emulation, while dynamic emulation allows for batch processing, where a block of linear instructions is executed directly without emulating each instruction separately.
        • DFs executed by the code can be detected through emulation.
        • A DF can be redirected to a different LA (enclave) by modifying the EA component before executing the instruction, redirecting it to the enclave.
        • The enclave may not be an actual memory region.
        • During each iteration of DF redirection, the decrypted data is stored in a buffer that the DF accesses.
        • Therefore, the memory region (enclave) exists only for the sequence of DFs.
        • An example of batch tracing for API initiation is provided.
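The trap-and-redirect path summarised in the comment above (decode the EA of the faulting instruction from its ModR/M/SIB bytes, form LA = segment base + EA, and serve the fetch from a buffer that is not at the trapped address, so the "enclave" exists only for that sequence of fetches) as an added example in C. This is not code from the original post, its ECV.zip attachment or the comment: the instruction subset (only "mov r32/r64, [mem]", opcode 8Bh, with optional FS override and REX prefix, 64-bit mode), the register and enclave structures, the zero-based "kernel view" modelled by fs_base = 0, and every sample byte string and address are assumptions constructed for the demonstration; the host is assumed little-endian.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
/* Added example, not code from the post or its attachment. Register numbers follow the hardware
   encoding (rax=0, rcx=1, rdx=2, rbx=3, rsp=4, rbp=5, rsi=6, rdi=7, r8..r15=8..15). */
enum { RAX, RCX, RDX, RBX, RSP, RBP, RSI, RDI };
typedef struct {
    uint64_t r[16], rip;   /* general registers and address of the faulting instruction */
    uint64_t fs_base;      /* FS base of the thread; a zero-based kernel view uses 0 (assumption) */
} regs_t;
/* Decoded memory operand: length, destination register, load width (4/8), FS override flag,
   and the effective address, i.e. the offset inside the segment. */
typedef struct { size_t len; int reg, width, fs; uint64_t ea; } memop_t;

/* Decode "mov reg, [mem]" (opcode 8Bh, optional 64h and REX prefixes) in 64-bit mode.
   Returns 1 and fills *out, or 0 if the bytes are not a memory load this decoder handles. */
static int decode_mov_load(const uint8_t *ip, size_t avail, const regs_t *rg, memop_t *out)
{
    size_t i = 0;
    int rex_w = 0, rex_r = 0, rex_x = 0, rex_b = 0, fs = 0, rip_rel = 0;
    if (i < avail && ip[i] == 0x64) { fs = 1; i++; }
    if (i < avail && (ip[i] & 0xF0) == 0x40) {
        rex_w = (ip[i] >> 3) & 1; rex_r = (ip[i] >> 2) & 1;
        rex_x = (ip[i] >> 1) & 1; rex_b = ip[i] & 1; i++;
    }
    if (i + 1 >= avail || ip[i] != 0x8B) return 0;
    uint8_t modrm = ip[i + 1]; i += 2;
    int mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    if (mod == 3) return 0;                              /* register source: no data fetch */
    int disp_size = mod == 1 ? 1 : mod == 2 ? 4 : 0;
    uint64_t ea = 0;
    if (rm == 4) {                                       /* SIB byte follows */
        if (i >= avail) return 0;
        uint8_t sib = ip[i++];
        int scale = sib >> 6, idx = ((sib >> 3) & 7) | (rex_x << 3), base = (sib & 7) | (rex_b << 3);
        if (idx != 4) ea += rg->r[idx] << scale;         /* index field 100 without REX.X: none */
        if ((base & 7) == 5 && mod == 0) disp_size = 4;  /* no base register, disp32 only */
        else ea += rg->r[base];
    } else if (rm == 5 && mod == 0) {
        rip_rel = 1; disp_size = 4;                      /* [rip + disp32] */
    } else {
        ea += rg->r[rm | (rex_b << 3)];
    }
    if (i + disp_size > avail) return 0;
    int64_t disp = 0;
    if (disp_size == 1) disp = (int8_t)ip[i];
    else if (disp_size == 4) { int32_t d; memcpy(&d, ip + i, 4); disp = d; }
    i += disp_size;
    if (rip_rel) ea += rg->rip + i;                      /* relative to the next instruction */
    out->len = i; out->reg = reg | (rex_r << 3); out->width = rex_w ? 8 : 4;
    out->fs = fs; out->ea = ea + (uint64_t)disp;
    return 1;
}

/* The enclave: the code believes it reads [region_base, region_base+size), which is trapped
   (inaccessible); the bytes actually served live in a separate buffer. */
typedef struct { uint64_t region_base; size_t size; const uint8_t *buffer; } enclave_t;

/* LA = segment base + EA. In user mode an FS access is fs_base + N; a kernel that takes the
   raw pointer forms the LA from a zero base and lands fs_base away from the user's data. */
static uint64_t linear_address(const memop_t *m, const regs_t *rg)
{
    return (m->fs ? rg->fs_base : 0) + m->ea;
}

/* Trap handler body: if the faulting load targets the trapped region, serve it from the enclave
   buffer, write the destination register and skip the instruction. Returns 1 when the fetch
   was redirected, 0 when it must take the normal path (e.g. the LA is outside the region). */
static int redirect_load(const uint8_t *ip, size_t avail, regs_t *rg, const enclave_t *e)
{
    memop_t m;
    if (!decode_mov_load(ip, avail, rg, &m)) return 0;
    uint64_t la = linear_address(&m, rg);
    if (la < e->region_base || la + m.width > e->region_base + e->size) return 0;
    uint64_t v = 0;
    memcpy(&v, e->buffer + (la - e->region_base), m.width);  /* little-endian host assumed */
    rg->r[m.reg] = v;                                        /* a 32-bit load zero-extends */
    rg->rip += m.len;
    return 1;
}

int main(void)
{
    /* Constructed scenario: the enclave bytes sit in 'data'; nothing is mapped at region_base. */
    uint8_t data[0x100] = {0};
    data[0x10] = 0x78; data[0x11] = 0x56; data[0x12] = 0x34; data[0x13] = 0x12;
    enclave_t enc = { 0x7fff0000ULL, sizeof data, data };
    regs_t rg = {0};
    rg.r[RBX] = enc.region_base; rg.r[RCX] = 2; rg.rip = 0x401000; rg.fs_base = enc.region_base;
    const uint8_t ins1[] = { 0x8B, 0x44, 0x8B, 0x08 };                 /* mov eax, [rbx+rcx*4+8] */
    int ok = redirect_load(ins1, sizeof ins1, &rg, &enc);
    printf("user mode: redirected=%d eax=%#llx\n", ok, (unsigned long long)rg.r[RAX]);
    const uint8_t ins2[] = { 0x64, 0x48, 0x8B, 0x04, 0x25, 0x10, 0, 0, 0 }; /* mov rax, fs:[10h] */
    regs_t km = rg; km.fs_base = 0;          /* the same pointer seen from a zero-based kernel view */
    int um_ok = redirect_load(ins2, sizeof ins2, &rg, &enc), km_ok = redirect_load(ins2, sizeof ins2, &km, &enc);
    printf("fs:[10h] redirected in user mode: %d, from the kernel view: %d\n", um_ok, km_ok);
    return 0;
}
```

The two calls on ins2 are the point of the FS_base shift in the summary: the same "mov rax, fs:[10h]" resolves to fs_base + 10h for the user thread and lands inside the trapped region, while the zero-based view resolves to 10h and the handler declines to redirect, which is the "different data for two DFs in different modes" case. In a real handler the decoder would have to cover every memory-referencing instruction the protected code can execute (or the instruction would be emulated outright), and the buffer behind the enclave would be filled with decrypted data per iteration and wiped afterwards.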
      2. galenkane 29 Jan 2021
        (image attachment)
      3. Indy_ 30 Jan 2021
        EA is the effective address, LA the linear address, DF the data fetch.