Shulou(Shulou.com)05/31 Report--

It is believed that many inexperienced people are at a loss about what Totel MeltdownCVE-2018-1038 vulnerability exploitation is like. Therefore, this paper summarizes the causes and solutions of the problem. Through this article, I hope you can solve this problem.

The main purpose is to teach you the skills of learning this exploit rather than just providing a ready-to-use exploit. So, let's first look at some of the basic concepts of memory paging.

Paging mechanism

In order to understand the CVE-2018-1038 vulnerability, we first need to understand the paging mechanism under the x86/x64 architecture.

As we all know, in an OS on x64 architecture, the virtual address looks something like this:

0x7fffffd6001

The next thing is not well known: this virtual address is not a pointer to an actual physical address. It actually consists of a number of fields that are combined and converted into physical addresses.

We first convert the above virtual address to binary representation.

0000000000000000 000001111 111111111 111111111 111010110000000000001

The first 16 bits from left to right have no practical significance, they are simply copies of the 48th bit of the virtual address. AMD64 architecture only supports 48-bit memory addresses, and the remaining 16 bits are just symbolic extensions of these 48-bit addresses.

Next, let's start with the 48th.

1) the first 9 bits, 000001111 (decimal 15), is a deviation in the PML4 table.

2) the next 9 bits, 11111111 (decimal 511), is an offset in the PDPT table.

3) the next 9 bits, 11111111 (decimal 511), is an offset in the PD table.

4) the next 9 bits, 111010110 (decimal 470), is an offset of the PT table.

5) the last 12 bits, 0000000000000001 (decimal 1), is an offset of the memory page.

So, of course, the next question is... What exactly are PML4, PDPT, PD and PT?

PML4, PDPT, PD and PT

In x64 architecture, to convert a virtual address to a physical address, we need the following series of page tables. The CR3 register points to the original PML4 page table.

1) PML4- Page Map Level 4

2) PDPT- Page Directory Pointer Table

3) PD- Page Directory

4) PT- Page Table

Each page table is responsible for providing the physical address we need in the addressing process, as well as some flag bits for this physical address.

For example, an item in a page table may be responsible for providing us with a pointer to the next page table, as well as setting the NX bit of the page, or ensuring that the memory page pointed to belongs to kernel and cannot be accessed by processes in the operating system.

After simplifying the actual concept, the virtual address will eventually be converted to a physical address through the following four page tables.

In this way, we can see that through a page table item and pointing to the next page table, the process will traverse the above four page tables, and eventually the last page table will point to the physical memory page corresponding to the virtual address, and then add the final offset to form the actual physical address.

We can imagine that there is some overhead for an operating system to save and manage the above page table. So OS developers will use a technique called "self-referencing page tables" to avoid the cumbersome processes mentioned above.

Self-referenced page table

Simply put, a "self-reference page table" is a self-reference in an item in the PML4 page table. For example, if we create a new entry in the offset 0x100 location of the PML4 table, pointing to the memory address where the PML4 is located, we have a "self-referencing entry"

Why do you need to do this? In fact, this provides us with some virtual addresses that allow us to view and modify the page table.

For example, if we want to modify PML4, we can refer directly to the virtual address 0x804020100000. The virtual address will be translated as follows:

1) find the 0x100 entry of PML4: get the physical address of PML4

2) find the 0x100 entry of PDPT: again, get the physical address of PML4

3) find the 0x100 entry of PD: again, get the physical address of PML4

4) find the 0x100 entry of PT: again, get the physical address of PML4

Add in the offset of the last 12 bits, and the final physical address is the physical address of the PML4.

I hope you can understand the concept of self-referencing page table when you see this. For me, I spent several nights staring at the screen to figure this out: d

Let's use the following code as a further example. We can see that the virtual address 0xffff804020100000 allows us to edit PML4. In this example, the 0x100 entries for PML4 are self-referenced.

Package mainimport ("fmt") func VAtoOffsets (va uint64) {phy_offset: = va & 0xFFF pt_index: = (va > > 12) & 0x1FF pde_index: = (va > > (12 + 9)) & 0x1FF pdpt_index: = (va > > (12 + 9 + 9)) & 0x1FF pml4_index: = (va > > (12 + 9 + 9 + 9)) & 0x1FF fmt.Printf ("PML4 Index: X\ n" Pml4_index) fmt.Printf ("PDPT Index: X\ n", pdpt_index) fmt.Printf ("PDE Index: X\ n", pde_index) fmt.Printf ("PT Index: X\ n", pt_index) fmt.Printf ("Page offset: X\ n", phy_offset)} func OffsetsToVA (phy_offset, pt_index, pde_index, pdpt_index, pml4_index uint64) {var va uint64 va = pml4_index

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.