Demonstrate ability to read memfd_secret() data from the kernel

Overview

nosecmem

This project demonstrates the newly added memfd_secret() Linux system call, together with a kernel module that can dump the contents of these so-called "secret" memory areas.

Background

Certain media outlets have over-hyped the feature, claiming that it provides a secret memory area that is

inaccessible to the kernel (and to anybody who might be able to compromise the kernel),

While the pages are removed from the kernel direct map (a global 1:1 mapping of physical memory to virtual memory), it's a bit of a stretch to say that the memory is completely inaccessible to the kernel — the very thing that implements the mechanism in question.

The man page is a bit more pragmatic, indicating that memfd_secret() mappings provide

...stronger protection than usual RAM-based files and anonymous memory mappings. The memory areas backing the file created with memfd_create(2) are visible only to the contexts that have access to the file descriptor. These areas are removed from the kernel page tables and only the page tables of the processes holding the file descriptor map the corresponding physical memory.

David Hildenbrand (a Red Hat engineer who reviewed the patchset) correctly speculates:

I'd like to note that secretmem does not protect against kernel exploits or against root in most setups getting hold of that data. Once you're already in the kernel, you might just be able to remap the pages.

And that is exactly what this project does.
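To make the man page's guarantee concrete from the userspace side, the following program is an added example (it is not the project's testapp.c, whose source is not reproduced here). It creates a secretmem file with memfd_secret(), sizes and maps it, writes a constructed sample secret (the same 13 bytes shown in the dmesg output below), hexdumps it from the owning process in the layout the module prints, and then tries to read the same bytes back through process_vm_readv(), which goes through the kernel's remote page-access path (get_user_pages) just as ptrace does. The kernel refuses that request for secretmem VMAs with EFAULT, which is exactly "visible only to the contexts that have access to the file descriptor". Assumptions: the fallback syscall number 447 is the x86_64/generic table value for libc headers older than v5.14; the program reports "unavailable" rather than failing when the kernel has no memfd_secret, secretmem.enable=1 is missing, RLIMIT_MEMLOCK is too small for one page, or a seccomp policy blocks process_vm_readv itself.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <unistd.h>

/* libc headers older than the kernel may lack this; 447 is memfd_secret's
 * number in the x86_64 and generic syscall tables (assumed here). */
#ifndef SYS_memfd_secret
#define SYS_memfd_secret 447
#endif

enum demo_result {
    DEMO_OK = 0,                /* secretmem works; the remote-access read was refused */
    DEMO_SECRETMEM_UNAVAILABLE, /* no memfd_secret, secretmem.enable=1 missing, or memlock limit hit */
    DEMO_REMOTE_READ_BLOCKED,   /* process_vm_readv itself is disallowed here; nothing to compare */
    DEMO_UNEXPECTED,            /* an ordinary error, or the secret area was readable remotely */
};

/* Constructed sample secret: 13 bytes including the NUL, as in the dmesg output. */
static const char SAMPLE_SECRET[] = "Secret data!";

/* Format up to 16 bytes as one line in the module's dmesg layout:
 * "<offset>: <hex, padded to 16 columns> <ascii>" */
static void hexdump_line(unsigned offset, const unsigned char *buf, size_t n,
                         char *out, size_t outlen)
{
    int w = snprintf(out, outlen, "%08x: ", offset);
    if (w < 0 || (size_t)w >= outlen)
        return;
    size_t pos = (size_t)w;
    for (size_t i = 0; i < 16; i++) {
        w = i < n ? snprintf(out + pos, outlen - pos, "%02x ", buf[i])
                  : snprintf(out + pos, outlen - pos, "   ");
        if (w < 0 || (size_t)w >= outlen - pos)
            return;
        pos += (size_t)w;
    }
    if (pos + 1 >= outlen)
        return;
    out[pos++] = ' ';
    for (size_t i = 0; i < n && i < 16 && pos + 1 < outlen; i++)
        out[pos++] = isprint(buf[i]) ? (char)buf[i] : '.';
    out[pos] = '\0';
}

/* Read `len` bytes at `addr` in our own address space through the kernel's
 * remote page-access path (process_vm_readv, as a debugger would).
 * Returns the byte count, or -errno. Uses syscall() so no feature macro is needed. */
static ssize_t read_via_process_vm(const void *addr, void *dst, size_t len)
{
    struct iovec local = { .iov_base = dst, .iov_len = len };
    struct iovec remote = { .iov_base = (void *)addr, .iov_len = len };
    long n = syscall(SYS_process_vm_readv, (long)getpid(), &local, 1L, &remote, 1L, 0L);
    return n < 0 ? -errno : (ssize_t)n;
}

enum demo_result secretmem_demo(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    char ordinary[sizeof SAMPLE_SECRET];
    char scratch[sizeof SAMPLE_SECRET];
    char line[80];
    ssize_t n;

    /* Baseline: the remote path reads ordinary memory of our own process fine. */
    memcpy(ordinary, SAMPLE_SECRET, sizeof ordinary);
    n = read_via_process_vm(ordinary, scratch, sizeof scratch);
    if (n == -ENOSYS || n == -EPERM)
        return DEMO_REMOTE_READ_BLOCKED;
    if (n != (ssize_t)sizeof scratch || memcmp(scratch, ordinary, sizeof scratch) != 0)
        return DEMO_UNEXPECTED;

    /* 1. Create the secret memory file. The only valid flag is FD_CLOEXEC; 0 is fine.
     *    ENOSYS: kernel older than v5.14, or booted without secretmem.enable=1. */
    int fd = (int)syscall(SYS_memfd_secret, 0L);
    if (fd < 0)
        return (errno == ENOSYS || errno == EPERM) ? DEMO_SECRETMEM_UNAVAILABLE
                                                   : DEMO_UNEXPECTED;

    /* 2. Size it. Touching the mapping past the file size raises SIGBUS. */
    if (ftruncate(fd, (off_t)page) != 0) {
        close(fd);
        return DEMO_UNEXPECTED;
    }

    /* 3. Map it. secretmem must be MAP_SHARED; the pages are locked and
     *    charged to RLIMIT_MEMLOCK, so a tiny limit makes this fail. */
    unsigned char *secret = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (secret == MAP_FAILED) {
        enum demo_result r = (errno == EAGAIN || errno == ENOMEM)
                                 ? DEMO_SECRETMEM_UNAVAILABLE : DEMO_UNEXPECTED;
        close(fd);
        return r;
    }

    /* 4. Write the secret. The first touch allocates the page and removes it
     *    from the kernel direct map. */
    memcpy(secret, SAMPLE_SECRET, sizeof SAMPLE_SECRET);

    /* The owning context still reads it normally through its own page tables. */
    hexdump_line(0, secret, sizeof SAMPLE_SECRET, line, sizeof line);
    printf("owner's view: %s\n", line);

    /* 5. The remote path is refused: get_user_pages returns EFAULT for secretmem VMAs. */
    n = read_via_process_vm(secret, scratch, sizeof scratch);
    printf("process_vm_readv on the secret area: %s\n",
           n < 0 ? strerror((int)-n) : "succeeded (unexpected)");

    munmap(secret, page);
    close(fd);
    return n < 0 ? DEMO_OK : DEMO_UNEXPECTED;
}

int main(void)
{
    static const char *names[] = {
        "OK", "secretmem unavailable", "remote read blocked", "UNEXPECTED"
    };
    enum demo_result r = secretmem_demo();
    printf("result: %s\n", names[r]);
    return r == DEMO_UNEXPECTED;
}
```

This is the line the module crosses: every userspace route to another process's memory (ptrace, process_vm_readv, /proc/PID/mem) is funneled through the kernel's page-pinning checks, which refuse secretmem. A kernel module is not a caller of those interfaces; it walks the target's page tables directly and maps the physical pages into its own address space, which is why the "secret" area shows up in dmesg below.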

Disclaimers

Don't use this code on a production machine:

  • It deliberately circumvents a kernel security measure!
  • It probably has bugs which can crash your machine and/or corrupt your data.

By no means am I discrediting Mike Rapoport or his work — the feature seems to do exactly what it is intended to do: provide stronger guarantees about the protection of the memory. The intent of this project is to ensure that its limitations are well understood.

Tested on v5.14-rc5-221-gdfa377c35d70.

Usage

Prerequisites

  • You need to be running a v5.14-rc1 or newer kernel.
  • You need to boot your kernel with the command-line option secretmem.enable=1.
  • You need SCons (for the test app), GCC, Make, and kernel headers.

Build Test App

$ cd user/
$ scons
  <or>
$ gcc -Wall -Werror -o testapp testapp.c

Build Kernel Module

$ cd kernel/
$ vim Makefile
  <Edit `Makefile` to point `KDIR` at your kernel headers>
$ make

Testing

In one terminal, load the module and watch kernel output:

$ sudo insmod kernel/nosecmem.ko
$ sudo dmesg --human --follow

In another terminal, run the test app and trigger its inspection:

$ user/testapp &
PID: 592
Copied 13 bytes to secret area 0x7f2eab17f000
Waiting...

$ echo $(pidof testapp) > /proc/nosecmem

If all goes well you should see this in the dmesg output:

nosecmem: Write a PID to /proc/nosecmem to see all of the "secret memory" areas for that process.
nosecmem: Inspecting task 592 [testapp]
nosecmem: Found secretmem file size 13 at vma 0x7F2EAB17F000-0x7F2EAB180000
nosecmem:   00000000: 53 65 63 72 65 74 20 64 61 74 61 21 00           Secret data!.
Owner: Jonathon Reinhart