This repository contains the source code for the CCS'22 paper "DangZero: Efficient Use-After-Free Detection via Direct Page Table Access" by Floris Gorter, Koen Koning, Herbert Bos and Cristiano Giuffrida.
The paper is available for download here.
Build the KML kernel image (NOTE: the docker container takes about 25 GB of disk space):

```sh
cd kml-image
bash build_kml.sh
cd ../
```
Create the Ubuntu 20.04 VM image and install Ubuntu into it. NOTE: these commands assume username 'u16'.

```sh
wget https://releases.ubuntu.com/20.04/ubuntu-20.04.5-desktop-amd64.iso
qemu-img create -f qcow2 ubuntu.img 60G
# First boot: install Ubuntu from the downloaded ISO onto ubuntu.img
qemu-system-x86_64 -cdrom ubuntu-20.04.5-desktop-amd64.iso -drive "file=ubuntu.img,format=qcow2" -enable-kvm -m 16G -smp 16
# Later boots: forward host port 1810 to the guest's SSH port
qemu-system-x86_64 -drive "file=ubuntu.img,format=qcow2" -enable-kvm -m 16G -smp 16 -cpu host -net nic -net user,hostfwd=tcp::1810-:22
```

On the Guest (VM):

```sh
apt-get install openssh-server
```

On the Host:

```sh
scp -P 1810 kml-image/linux-*.deb u16@localhost:~/
```

Then install the KML kernel packages inside the guest:

```sh
cd ~/
sudo dpkg -i linux-*.deb
```

When not using a GUI for the VM, edit /etc/default/grub:
```
GRUB_DEFAULT="1>4"          # depends on menu entries of grub
#GRUB_TIMEOUT_STYLE=hidden  # comment out
GRUB_TIMEOUT=2              # if you want to see menu entries with GUI
```
Some systems may require the following boot parameter for booting KML (for GUI/tty). Edit /etc/default/grub:

```
GRUB_CMDLINE_LINUX_DEFAULT="vga=normal"
# Add console=ttyS0 if you want to run without GUI
GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS0 vga=normal"
# Add make-linux-fast-again for performance:
GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS0 vga=normal noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx=on tsx_async_abort=off mitigations=off"
```

Note that the performance flags (mitigations=off and the individual knobs) turn off the kernel's CPU side-channel mitigations; they are meant for a throwaway benchmarking VM, not for a guest that is exposed to anything.
Suggested flags for -cpu host: at least -pdpe1gb (for DangZero performance), and -avx,-f16c,-avx512f in case the kernel crashes on boot, e.g.:

```sh
qemu-system-x86_64 -drive "file=ubuntu.img,format=qcow2" -enable-kvm -m 8G -smp 16 -cpu host,-avx,-f16c,-avx512f,-pdpe1gb -nographic -serial mon:stdio -net nic -net user,hostfwd=tcp::1810-:22
```

Create the /trusted directory (may need sudo).
Create an example test.c file that reads the CS segment register and prints the current privilege level (the low two bits of CS):

```c
#include <stdio.h>
#include <stdint.h>

int main(void)
{
    uint64_t cs = 0;
    int ring;

    /* Read the code segment selector; its two low bits are the CPL (ring) */
    asm("mov %%cs, %0" : "=r" (cs));
    ring = (int)(cs & 3);
    printf("running in ring %d\n", ring);
    return 0;
}
```

Run the program inside /trusted and outside. Expected output:
```
$ gcc test.c -o test
$ /trusted/test
running in ring 0
$ /home/u16/test
running in ring 3
```

Download glibc 2.31 inside the VM, under /trusted:

```sh
cd /trusted/
mkdir glibc
cd glibc
wget https://ftp.gnu.org/gnu/glibc/glibc-2.31.tar.gz
tar -xf glibc-2.31.tar.gz
```

Move the glibc patch to the VM:
```sh
scp -P 1810 patchglibc.diff u16@localhost:/trusted/glibc/glibc-2.31/
```

Then, inside the VM, apply the patch and build and install the patched glibc into /trusted/glibc:

```sh
cd /trusted/glibc/glibc-2.31
patch -i patchglibc.diff -p 1
mkdir build
cd build
sudo apt-get install bison gawk -y
../configure --prefix=/trusted/glibc/
make -j $(nproc)
make install
```

The KML kernel requires an old gcc version for compatibility with the kernel module.
```sh
echo -e "deb http://dk.archive.ubuntu.com/ubuntu/ xenial main\ndeb http://dk.archive.ubuntu.com/ubuntu/ xenial universe" | sudo tee -a /etc/apt/sources.list
sudo apt-get update
sudo apt install gcc-5
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-5 50
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 90
sudo update-alternatives --config gcc
# select gcc-5
```

Build and load the DangZero kernel module:

```sh
cd kmod
make
sudo insmod dangmod.ko
```

Make sure to select gcc-9 again as the primary gcc afterwards.
Make sure the DangZero git files also exist in the VM (e.g., dz.c), then run the tests:

```sh
bash test.sh
```
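As an added example that is not part of the DangZero repository, the following POSIX shell script automates the ring check from the test.c step and confirms that the patched glibc and the dangmod kernel module are in place before `bash test.sh` is run. It assumes that test.c lives in $HOME, that glibc was installed with `--prefix=/trusted/glibc/` (so libc.so.6 ends up under /trusted/glibc/lib), and that the module loads under the name `dangmod` (from dangmod.ko); these paths and names are assumptions, and the lsmod output is parsed from whatever lsmod prints on the guest.

```shell
#!/bin/sh
# Added setup-verification script (not part of the DangZero repository).
# Re-runs the README's ring check and confirms the patched glibc and the
# dangmod kernel module are present before `bash test.sh`.
# Assumed paths/names: $HOME/test.c, /trusted/glibc/lib/libc.so.6, module "dangmod".

# Extract the ring number from the output of test.c ("running in ring N").
# Prints the digit, or "unknown" if no such line is present.
ring_from_output() {
    r=$(printf '%s\n' "$1" | sed -n 's/^running in ring \([0-9]\)$/\1/p' | head -n 1)
    if [ -n "$r" ]; then printf '%s\n' "$r"; else printf 'unknown\n'; fi
}

# Return 0 if the observed ring in output $2 matches the expected ring $1.
check_ring() {
    expected=$1
    actual=$(ring_from_output "$2")
    if [ "$actual" = "$expected" ]; then
        printf 'ok: ring %s\n' "$actual"
        return 0
    fi
    printf 'FAIL: expected ring %s, got %s\n' "$expected" "$actual" >&2
    return 1
}

# Return 0 if module $2 appears in the first column of lsmod-style output $1.
module_loaded_in() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# Full check, run inside the VM. Returns non-zero on the first problem.
verify_setup() {
    src=${1:-$HOME/test.c}
    [ -d /trusted ] || { echo "/trusted missing: create it first" >&2; return 1; }
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    gcc "$src" -o "$HOME/test" || return 1
    cp "$HOME/test" /trusted/test || return 1      # may need sudo
    # Under KML, binaries under /trusted run in ring 0, elsewhere in ring 3.
    check_ring 0 "$(/trusted/test)" || return 1
    check_ring 3 "$("$HOME/test")" || return 1
    # Patched glibc installed with --prefix=/trusted/glibc/ (assumed layout)
    [ -f /trusted/glibc/lib/libc.so.6 ] || { echo "patched glibc not installed" >&2; return 1; }
    # Kernel module loaded with `sudo insmod dangmod.ko`
    module_loaded_in "$(lsmod)" dangmod || { echo "dangmod not loaded" >&2; return 1; }
    echo "setup looks complete; run: bash test.sh"
}

# Usage inside the VM: sh verify_setup.sh run [path/to/test.c]
if [ "${1:-}" = run ]; then
    verify_setup "$2"
fi
```

The script only performs the environment checks when invoked with `run`, so it can also be sourced for its helper functions; a failed ring check (ring 3 for /trusted/test) means the KML kernel is not the one that booted, which is the first thing to look at before debugging the module or glibc.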