
Tried this PoC:

https://github.com/mniip/spectre-meltdown-poc

Which works for the sys_call_table.

I was able to read the syscall sys_read address.

I wanted to test it with a sample program to read the value of the memory, but in this case it does not work. Any ideas, anybody? It shows the values as 00 and is much slower.

./pass 
Password : secret
addr 0x7ffc9098b780


./poc 7ffc9098b780
cutoff: 96
0x7ffc9098b780 | 00 00 00 00 00 00 00 00 00   1.006466362648e-25 00

pass.c

#include <stdio.h>
#include <string.h>

int main(void) {

   char buf[7];

   printf("Password : ");
   if (fgets(buf, sizeof buf, stdin) == NULL)
      return 1;
   /* Strip the trailing newline. The original sscanf(buf, "%s", buf)
    * used the same buffer as source and destination, which is undefined
    * behaviour; strcspn does the same job safely. */
   buf[strcspn(buf, "\n")] = '\0';
   printf("addr %p\n", (void *)buf);
   /* Spin forever so the process (and buf) stays resident for poc. */
   while(1)
   {
   }
   /* Never reached because of the loop above. */
   printf("Password : %s\n", buf);
   return 0;
}

Thanks,

Update 1:

Found this program that gets the physical address from a virtual one from userspace:

https://github.com/dwks/pagemap

Output:

./pagemap2 18135
=== Maps for pid 18135
0x400000           : pfn 0                soft-dirty 1 file/shared 1 swapped 0 present 1 library /home/user/spectre-meltdown-poc/pass
0x600000           : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library /home/user/spectre-meltdown-poc/pass
0x601000           : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library /home/user/spectre-meltdown-poc/pass
0x206a000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library [heap]
0x206b000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x206c000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x206d000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x206e000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x206f000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2070000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2071000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2072000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2073000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2074000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2075000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2076000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2077000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2078000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2079000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207a000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207b000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207c000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207d000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207e000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207f000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2080000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2081000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2082000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2083000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2084000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2085000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2086000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2087000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2088000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2089000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x208a000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x7f27b2365000     : pfn 0                soft-dirty 1 file/shared 1 swapped 0 present 1 library /lib/x86_64-linux-gnu/ld-2.23.so
0x7f27b253d000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library 
0x7f27b253e000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library 
0x7f27b253f000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library 
0x7f27b2563000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library 
0x7f27b2564000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library 
0x7f27b2565000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library /lib/x86_64-linux-gnu/ld-2.23.so
0x7f27b2566000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library /lib/x86_64-linux-gnu/ld-2.23.so
0x7f27b2567000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library 
0x7ffe2498c000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2498d000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2498e000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2498f000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24990000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24991000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24992000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24993000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24994000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24995000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24996000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24997000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24998000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24999000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499a000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499b000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499c000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499d000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499e000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499f000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a0000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a1000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a2000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a3000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a4000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a5000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a6000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a7000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a8000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a9000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library [stack]
0x7ffe249aa000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library [stack]
0x7ffe249ab000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249ac000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library [stack]
0x7ffe249ca000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [vvar]
0x7ffe249cb000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [vvar]
0x7ffe249cc000     : pfn 0                soft-dirty 1 file/shared 1 swapped 0 present 1 library [vdso]
0x7ffe249cd000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [vdso]

Where will my "secret" string be located on the stack? Which physical address should I try?

Thanks,

dev
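As an added example (not code from the question, the PoC or the pagemap tool), here is a small C program that decodes pagemap entries in the 64-bit layout the dump above prints and flags the case the dump shows on every present page: a PFN of 0. Since Linux 4.2 the kernel reports the flags to any reader of /proc/self/pagemap but zeroes the PFN unless the reader has CAP_SYS_ADMIN, so an unprivileged process cannot learn its own physical addresses this way. The names pm_decode, pm_lookup and pm_pfn_hidden are my own, and the "secret" buffer is a constructed stand-in for pass.c's buf.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* One decoded /proc/<pid>/pagemap entry. Kernel layout of the 64-bit word:
 * bits 0-54 PFN, bit 55 soft-dirty, bit 61 file/shared, bit 62 swapped,
 * bit 63 present (the same fields the pagemap2 dump prints). */
struct pm_entry {
    uint64_t pfn;
    int soft_dirty, file_shared, swapped, present;
};

struct pm_entry pm_decode(uint64_t raw) {
    struct pm_entry e;
    e.pfn = raw & ((1ULL << 55) - 1);
    e.soft_dirty = (raw >> 55) & 1;
    e.file_shared = (raw >> 61) & 1;
    e.swapped = (raw >> 62) & 1;
    e.present = (raw >> 63) & 1;
    return e;
}

/* A present page whose PFN reads back as 0: the kernel is hiding the
 * physical address from a reader without CAP_SYS_ADMIN (Linux >= 4.2). */
int pm_pfn_hidden(uint64_t raw) {
    struct pm_entry e = pm_decode(raw);
    return e.present && e.pfn == 0;
}

/* Fetch the raw entry for a virtual address of the calling process.
 * Returns 0 on success, -1 when pagemap is unreadable (e.g. no procfs). */
int pm_lookup(uintptr_t vaddr, uint64_t *raw) {
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0) return -1;
    off_t off = (off_t)(vaddr / (uintptr_t)sysconf(_SC_PAGESIZE)) * 8;
    ssize_t n = pread(fd, raw, 8, off);
    close(fd);
    return n == 8 ? 0 : -1;
}

int main(void) {
    char secret[8] = "secret"; /* constructed stand-in for pass.c's buf */
    uint64_t raw;
    if (pm_lookup((uintptr_t)secret, &raw) != 0) return 1;
    struct pm_entry e = pm_decode(raw);
    printf("%p: pfn %llu present %d pfn-hidden %d\n", (void *)secret,
           (unsigned long long)e.pfn, e.present, pm_pfn_hidden(raw));
    return 0;
}
```

Run unprivileged it reports pfn-hidden 1 for the stack page, matching the all-zero pfn column in the dump; only a CAP_SYS_ADMIN reader sees a real PFN.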

1 Answer


On Linux, the kernel half of the address space (all addresses above 0x8000000000000000) is constant across applications. If you use grep to find the address of the system call table, that address will still be valid when poc goes looking for its contents.

The user half of the address space, on the other hand, is unique for each process. If you point poc at 0x7ffc9098b780, you're asking it to get the contents of poc's 0x7ffc9098b780, not pass's 0x7ffc9098b780.

If you want to use Meltdown to read the contents of pass's memory, it's going to be a great deal more complicated than the toy proof-of-concept you've found. You'll need to figure out which physical memory address corresponds to pass's virtual address 0x7ffc9098b780, probe for the kernel's mapping of the physical address space, then read the appropriate part of physical memory.

Mark