Twenty Year Anniversary

Samsung RKP Kernel Protection Bypass

Samsung RKP Kernel Protection Bypass
Posted Mar 29, 2017
Authored by Google Security Research, laginimaineb

Samsumg suffers from an RKP kernel protection bypass via lack of MSR trapping on Qualcomm devices.

tags | advisory, kernel
MD5 | b5c4ef10d1a12872e9129f24e017bee2

Samsung RKP Kernel Protection Bypass

Change Mirror Download
 Samsung: RKP kernel protection bypass via lack of MSR trapping on Qualcomm devices  

As part of Samsung KNOX, Samsung phones include a security hypervisor called RKP (Real-time Kernel Protection), running in EL2. This hypervisor is meant to ensure that the HLOS kernel running in EL1 remains protected from exploits and aims to prevent privilege escalation attacks by "shielding" certain data structures within the hypervisor.

In order to prevent EL0 and EL1 code from creating disallowed memory mappings (e.g., disabling PXN on areas not in the kernel text or enabling write permissions to a kernel code page), RKP employs a system through which all modifications to the S1 translation table are validated by the hypervisor. Moreover, RKP marks the EL0 and EL1 translation tables as read-only in the stage 2 translation table for EL0/1.

On devices based on the Exynos SoC, RKP sets the TVM bit in HCR_EL2 in order to trap all requests to modify memory management control registers in EL1. These requests can then be processed according to the policy enforced by RKP in order to make sure they comply with the "allowed" set of memory mappings.

However, on Qualcomm devices RKP does not set the TVM bit, allowing all MSRs from EL1 to be executed without trapping into EL2. This allows an attacker to subvert RKP's memory mapping policies.

As noted in previous reports, an attacker may modify the value of TTBR1 in order to set locations other than kernel memory as executable (removing PXN), thus allowing the execution of arbitrary code in the kernel (without tripping kernel integrity checks). Moreover, there is no shortage of MSR opcodes which are executable from EL1, since all RKP code is freely executable from EL1 (also noted in previous reports).

I've dynamically verified this issue by examining the value of HCR_EL2 in the RKP debug log (/proc/tima_debug_rkp_log), on a fully updated Galaxy S7 (G930U). I've also verified that the HYP binary does not contain trap handlers for emulation of opcodes trapped by HCR.TVM.

This issue can be addressed by setting HCR.TVM and implementing trap handlers in EL2 for MSRs to sensitive memory management control registers executed by EL1.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Found by: laginimaineb


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?

Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

May 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    17 Files
  • 3
    May 3rd
    30 Files
  • 4
    May 4th
    29 Files
  • 5
    May 5th
    2 Files
  • 6
    May 6th
    3 Files
  • 7
    May 7th
    13 Files
  • 8
    May 8th
    27 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    15 Files
  • 11
    May 11th
    8 Files
  • 12
    May 12th
    2 Files
  • 13
    May 13th
    8 Files
  • 14
    May 14th
    7 Files
  • 15
    May 15th
    43 Files
  • 16
    May 16th
    19 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    3 Files
  • 20
    May 20th
    6 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    3 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2018 Packet Storm. All rights reserved.

Security Services
Hosting By