<div dir="ltr"><div class="gmail_quote"><div dir="ltr"><div>Hi all,</div><div><br></div><div>I hope all is good. My name is Danis Ozdemir, I'm a PhD student in Trinity College (Ireland) and I'm studying computer security. I'm trying to reproduce the meltdown attack as an effort to dive deep into the known attack types with some specific scenarios and "trying to see whether Meltdown could have been used against a web server making use of openssl libraries, running on an old, non-patched Linux kernel" is one of them. <b>Please notice that the intentions are purely academic here, rather than performing a real attack.</b></div><div><br></div><div>Before investigating a more realistic scenario, I started with an 'open box' approach in which the openssl server process reveals the addresses of the sub fields of its private key (The private key and the certificate used below were created using the command 'openssl req -x509 -nodes -days 1000 -newkey rsa:2048 -keyout priv.pem -out cert.pem', so they are RSA based. And I just used good, old printf in the function "ssl_set_pkey" in the file "ssl/ssl_rsa.c"):</div><div><br></div><div><span style="font-family:monospace"># <b>LD_LIBRARY_PATH=${PWD} ./apps/openssl s_server -accept 54321 -cert my_keys/cert.pem -key my_keys/priv.pem -www</b><br>Could not read params of DH parameters from my_keys/cert.pem<br>Using default temp DH parameters<br><b>DANIS - ssl_set_pkey - c->pkeys[0].privatekey : 0x55e4f9f01670 - 144<br>Danis - ssl_set_pkey - pkey->keydata->n : 0x55e4f9f13d50<br>Danis - ssl_set_pkey - pkey->keydata->e : 0x55e4f9f131e0<br>Danis - ssl_set_pkey - pkey->keydata->d : 0x55e4f9f05790<br>Danis - ssl_set_pkey - pkey->keydata->p : 0x55e4f9f05670<br>Danis - ssl_set_pkey - pkey->keydata->q : 0x55e4f9f058b0<br>Danis - ssl_set_pkey - pkey->keydata->dmp1 : 0x55e4f9f18850<br>Danis - ssl_set_pkey - pkey->keydata->dmq1 : 0x55e4f9f13800<br>Danis - ssl_set_pkey - pkey->keydata->iqmp : 0x55e4f9f13820</b><br>ACCEPT</span></div><div><br></div><div>Once the server is up and running, I get the real address of the sub field p using gdb:<br></div><div><br></div><div><span style="font-family:monospace"># <b>ps -ef | grep -v grep | grep openssl</b><br>adminq <b>1421</b> 1280 0 16:55 pts/1 00:00:00 ./apps/openssl s_server -accept 54321 -cert my_keys/cert.pem -key my_keys/priv.pem -www<br># <b>gdb</b><br>GNU gdb (Debian 8.2.1-2+b3) 8.2.1<br>Copyright (C) 2018 Free Software Foundation, Inc.<br>License GPLv3+: GNU GPL version 3 or later <<a href="http://gnu.org/licenses/gpl.html" target="_blank">http://gnu.org/licenses/gpl.html</a>><br>This is free software: you are free to change and redistribute it.<br>There is NO WARRANTY, to the extent permitted by law.<br>Type "show copying" and "show warranty" for details.<br>This GDB was configured as "x86_64-linux-gnu".<br>Type "show configuration" for configuration details.<br>For bug reporting instructions, please see:<br><<a href="http://www.gnu.org/software/gdb/bugs/" target="_blank">http://www.gnu.org/software/gdb/bugs/</a>>.<br>Find the GDB manual and other documentation resources online at:<br> <<a href="http://www.gnu.org/software/gdb/documentation/" target="_blank">http://www.gnu.org/software/gdb/documentation/</a>>.<br><br>For help, type "help".<br>Type "apropos word" to search for commands related to "word".<br>(gdb) <b>attach 1421</b><br>Attaching to process 1421<br>Reading symbols from /home/adminq/Workspace/openssl/apps/openssl...(no debugging symbols found)...done.<br>Reading symbols from /home/adminq/Workspace/openssl/libssl.so.3...(no debugging symbols found)...done.<br>Reading symbols from /home/adminq/Workspace/openssl/libcrypto.so.3...(no debugging symbols found)...done.<br>Reading symbols from /lib/x86_64-linux-gnu/libdl.so.2...Reading symbols from /usr/lib/debug/.build-id/d3/583c742dd47aaa860c5ae0c0c5bdbcd2d54f61.debug...done.<br>done.<br>Reading symbols from /lib/x86_64-linux-gnu/libpthread.so.0...Reading symbols from /usr/lib/debug/.build-id/e9/1114987a0147bd050addbd591eb8994b29f4b3.debug...done.<br>done.<br>[Thread debugging using libthread_db enabled]<br>Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".<br>Reading symbols from /lib/x86_64-linux-gnu/libc.so.6...Reading symbols from /usr/lib/debug/.build-id/18/b9a9a8c523e5cfe5b5d946d605d09242f09798.debug...done.<br>done.<br>Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/.build-id/f2/5dfd7b95be4ba386fd71080accae8c0732b711.debug...done.<br>done.<br>0x00007efd06acd631 in __libc_accept (fd=4, addr=..., len=0x7ffca292907c) at ../sysdeps/unix/sysv/linux/accept.c:26<br>26 ../sysdeps/unix/sysv/linux/accept.c: No such file or directory.<br>(gdb) <b>x/6x 0x55e4f9f05670</b><br>0x55e4f9f05670: <b>0xf9f06b70 0x000055e4</b> <b>0x00000010</b> 0x00000010<br>0x55e4f9f05680: 0x00000000 0x0000000d</span></div><div><span style="font-family:monospace">(gdb) <b>watch * (unsigned long *) 0x55e4f9f06b70</b><br>Hardware watchpoint 1: * (unsigned long *) 0x55e4f9f06b70<br>(gdb) c<br>Continuing.<br></span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace"></span><font face="arial,sans-serif">So, this output tells me that the content of p starts from the address <b>0x55e4f9f06b70</b> and it's length is 16*sizeof(unsigned long) bytes as p is of type bignum_st which has the following layout:</font></div><div><font face="arial,sans-serif"><br></font></div><div><div style="color:rgb(212,212,212);background-color:rgb(30,30,30);line-height:19px;white-space:pre-wrap"><div><b><font size="2"><span style="font-family:monospace"><span style="color:rgb(86,156,214)">struct</span><span style="color:rgb(212,212,212)"> </span><span style="color:rgb(78,201,176)">bignum_st</span><span style="color:rgb(212,212,212)"> {</span></span></font></b></div><div><b><font size="2"><span style="font-family:monospace"><span style="color:rgb(212,212,212)"> </span><span style="color:rgb(86,156,214)">BN_ULONG</span><span style="color:rgb(212,212,212)"> *</span><span style="color:rgb(156,220,254)">d</span><span style="color:rgb(212,212,212)">;</span><span style="color:rgb(106,153,85)"> /* Pointer to an array of 'BN_BITS2' bit</span></span></font></b></div><div><b><font size="2"><span style="font-family:monospace"><span style="color:rgb(106,153,85)"> * chunks. */</span></span></font></b></div><div><b><font size="2"><span style="font-family:monospace"><span style="color:rgb(212,212,212)"> </span><span style="color:rgb(86,156,214)">int</span><span style="color:rgb(212,212,212)"> </span><span style="color:rgb(156,220,254)">top</span><span style="color:rgb(212,212,212)">;</span><span style="color:rgb(106,153,85)"> /* Index of last used d +1. */</span></span></font></b></div><div><b><font size="2"><span style="font-family:monospace"><span style="color:rgb(106,153,85)"> /* The next are internal book keeping for bn_expand. */</span></span></font></b></div><div><b><font size="2"><span style="font-family:monospace"><span style="color:rgb(212,212,212)"> </span><span style="color:rgb(86,156,214)">int</span><span style="color:rgb(212,212,212)"> </span><span style="color:rgb(156,220,254)">dmax</span><span style="color:rgb(212,212,212)">;</span><span style="color:rgb(106,153,85)"> /* Size of the d array. */</span></span></font></b></div><div><b><font size="2"><span style="font-family:monospace"><span style="color:rgb(212,212,212)"> </span><span style="color:rgb(86,156,214)">int</span><span style="color:rgb(212,212,212)"> </span><span style="color:rgb(156,220,254)">neg</span><span style="color:rgb(212,212,212)">;</span><span style="color:rgb(106,153,85)"> /* one if the number is negative */</span></span></font></b></div><div><b><font size="2"><span style="font-family:monospace"><span style="color:rgb(212,212,212)"> </span><span style="color:rgb(86,156,214)">int</span><span style="color:rgb(212,212,212)"> </span><span style="color:rgb(156,220,254)">flags</span><span style="color:rgb(212,212,212)">;</span></span></font></b></div><div><b><font size="2"><span style="font-family:monospace"><span style="color:rgb(212,212,212)">};</span></span></font></b></div></div></div><div><font face="arial,sans-serif"><br></font></div><div><font face="arial,sans-serif">When I define a watchpoint for that address to verify that it has been accessed when a new client connects to the server and make the server continue, I can't see a hit which means this address hasn't been accessed. <b>I'm attaching the s_client output as a file, since it's longer compared to the outputs above.</b><br></font></div><div><font face="arial,sans-serif"><b><br></b></font></div><div><font face="arial,sans-serif">I then dumped the whole non-executable pages that were allocated for this process using ptrace to see whether another copy of the key was present and I couldn't find any copies. So, either I'm doing something wrong (which is the case, most probably) or there's another area which contains another representation of the key for security reasons (given the fact that the raw key content is accessible in the RAM, this one seems less likely). Therefore, assuming I'm doing something wrong, if you could tell me what it is, I'd be grateful.</font></div><div><font face="arial,sans-serif"><br></font></div><div><font face="arial,sans-serif">Best regards,</font></div><div><font face="arial,sans-serif">Danis Ozdemir<br></font></div><div><font face="arial,sans-serif"><br></font></div><div><font face="arial,sans-serif"><b></b></font></div></div>
</div></div>