Fwd: Question about RSA key access mechanism

[Danis Ozdemir <ozdemird@xxxxxx>]

Hi all,

I hope all is good. My name is Danis Ozdemir, I'm a PhD student in Trinity College (Ireland) and I'm studying computer security. I'm trying to reproduce the meltdown attack as an effort to dive deep into the known attack types with some specific scenarios and "trying to see whether Meltdown could have been used against a web server making use of openssl libraries, running on an old, non-patched Linux kernel" is one of them. Please notice that the intentions are purely academic here, rather than performing a real attack.

Before investigating a more realistic scenario, I started with an 'open box' approach in which the openssl server process reveals the addresses of the sub fields of its private key (The private key and the certificate used below were created using the command 'openssl req -x509 -nodes -days 1000 -newkey rsa:2048 -keyout priv.pem -out cert.pem', so they are RSA based. And I just used good, old printf in the function "ssl_set_pkey" in the file "ssl/ssl_rsa.c"):

# LD_LIBRARY_PATH=${PWD} ./apps/openssl s_server -accept 54321 -cert my_keys/cert.pem -key my_keys/priv.pem -www
Could not read params of DH parameters from my_keys/cert.pem
Using default temp DH parameters
DANIS - ssl_set_pkey - c->pkeys[0].privatekey : 0x55e4f9f01670  -  144
Danis - ssl_set_pkey - pkey->keydata->n       : 0x55e4f9f13d50
Danis - ssl_set_pkey - pkey->keydata->e       : 0x55e4f9f131e0
Danis - ssl_set_pkey - pkey->keydata->d       : 0x55e4f9f05790
Danis - ssl_set_pkey - pkey->keydata->p       : 0x55e4f9f05670
Danis - ssl_set_pkey - pkey->keydata->q       : 0x55e4f9f058b0
Danis - ssl_set_pkey - pkey->keydata->dmp1    : 0x55e4f9f18850
Danis - ssl_set_pkey - pkey->keydata->dmq1    : 0x55e4f9f13800
Danis - ssl_set_pkey - pkey->keydata->iqmp    : 0x55e4f9f13820
ACCEPT

Once the server is up and running, I get the real address of the sub field p using gdb:

# ps -ef | grep -v grep | grep openssl
adminq    1421  1280  0 16:55 pts/1    00:00:00 ./apps/openssl s_server -accept 54321 -cert my_keys/cert.pem -key my_keys/priv.pem -www
# gdb
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) attach 1421
Attaching to process 1421
Reading symbols from /home/adminq/Workspace/openssl/apps/openssl...(no debugging symbols found)...done.
Reading symbols from /home/adminq/Workspace/openssl/libssl.so.3...(no debugging symbols found)...done.
Reading symbols from /home/adminq/Workspace/openssl/libcrypto.so.3...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libdl.so.2...Reading symbols from /usr/lib/debug/.build-id/d3/583c742dd47aaa860c5ae0c0c5bdbcd2d54f61.debug...done.
done.
Reading symbols from /lib/x86_64-linux-gnu/libpthread.so.0...Reading symbols from /usr/lib/debug/.build-id/e9/1114987a0147bd050addbd591eb8994b29f4b3.debug...done.
done.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Reading symbols from /lib/x86_64-linux-gnu/libc.so.6...Reading symbols from /usr/lib/debug/.build-id/18/b9a9a8c523e5cfe5b5d946d605d09242f09798.debug...done.
done.
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/.build-id/f2/5dfd7b95be4ba386fd71080accae8c0732b711.debug...done.
done.
0x00007efd06acd631 in __libc_accept (fd=4, addr=..., len=0x7ffca292907c) at ../sysdeps/unix/sysv/linux/accept.c:26
26 ../sysdeps/unix/sysv/linux/accept.c: No such file or directory.
(gdb) x/6x 0x55e4f9f05670
0x55e4f9f05670: 0xf9f06b70 0x000055e4 0x00000010 0x00000010
0x55e4f9f05680: 0x00000000 0x0000000d

(gdb) watch * (unsigned long *) 0x55e4f9f06b70
Hardware watchpoint 1: * (unsigned long *) 0x55e4f9f06b70
(gdb) c
Continuing.

So, this output tells me that the content of p starts from the address 0x55e4f9f06b70 and it's length is 16*sizeof(unsigned long) bytes as p is of type bignum_st which has the following layout:

struct bignum_st {

BN_ULONG *d; /* Pointer to an array of 'BN_BITS2' bit

* chunks. */

int top; /* Index of last used d +1. */

/* The next are internal book keeping for bn_expand. */

int dmax; /* Size of the d array. */

int neg; /* one if the number is negative */

int flags;

};

When I define a watchpoint for that address to verify that it has been accessed when a new client connects to the server and make the server continue, I can't see a hit which means this address hasn't been accessed. I'm attaching the s_client output as a file, since it's longer compared to the outputs above.

I then dumped the whole non-executable pages that were allocated for this process using ptrace to see whether another copy of the key was present and I couldn't find any copies. So, either I'm doing something wrong (which is the case, most probably) or there's another area which contains another representation of the key for security reasons (given the fact that the raw key content is accessible in the RAM, this one seems less likely). Therefore, assuming I'm doing something wrong, if you could tell me what it is, I'd be grateful.

Best regards,

Danis Ozdemir

echo -n "GET / HTTP/1.0\r\n" | LD_LIBRARY_PATH=${PWD} ./apps/openssl s_client -connect localhost:54321
CONNECTED(00000004)
Can't use SSL_get_servername
depth=0 C = IE, ST = Some-State, O = Internet Widgits Pty Ltd, CN = reproducemeltdown.org
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = IE, ST = Some-State, O = Internet Widgits Pty Ltd, CN = reproducemeltdown.org
verify return:1
---
Certificate chain
 0 s:C = IE, ST = Some-State, O = Internet Widgits Pty Ltd, CN = reproducemeltdown.org
   i:C = IE, ST = Some-State, O = Internet Widgits Pty Ltd, CN = reproducemeltdown.org
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 28 21:32:12 2021 GMT; NotAfter: Dec 23 21:32:12 2023 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDqzCCApOgAwIBAgIURNumBsiWD33EpGvCJoxdeetqxAswDQYJKoZIhvcNAQEL
BQAwZTELMAkGA1UEBhMCSUUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEeMBwGA1UEAwwVcmVwcm9kdWNlbWVs
dGRvd24ub3JnMB4XDTIxMDMyODIxMzIxMloXDTIzMTIyMzIxMzIxMlowZTELMAkG
A1UEBhMCSUUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0
IFdpZGdpdHMgUHR5IEx0ZDEeMBwGA1UEAwwVcmVwcm9kdWNlbWVsdGRvd24ub3Jn
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoN5QELRefDLrPQJrzhwm
+n6R/pTITp3u3Q+bgf7peNt+0HO/iOqJGMiJ9fBl6fGq+4QOwKZ8TUe9Rf5S2d0F
78PCiO76dmppyWeZ7C0TDKzWx8EK0rAT+adx4IKP0L7b6aXOTZCy1Igf+FIAlSv7
fysmMx35PFc+qnWNVQ7NG/h+JgHf2GvE5c7yvxtf/0fCRc8yT8qcygrCCS/T3TZM
69JLoqLNsaZIVJWMfB/BToQd7EOM77Ts2qSAFAUjkM5vAU1ToGg1+dd3Ifu9Bh5p
GorZX+SBnSmOO6yFy5INgd9gH5W41yoOFHiZGYS2T7wgL/aWbKFsVXckiTf0F+Wu
vQIDAQABo1MwUTAdBgNVHQ4EFgQU7eD7oTB6h8BMRFG7INkv6zlag7AwHwYDVR0j
BBgwFoAU7eD7oTB6h8BMRFG7INkv6zlag7AwDwYDVR0TAQH/BAUwAwEB/zANBgkq
hkiG9w0BAQsFAAOCAQEAMLrbSK4HcDDt14fRnvKdoID30BCmAnGrJxDU2hGXdxeC
rl5Qbx9d+AtBoVEJi0eB45WnaY700ZBlhZq6O2t98OQgC6sE1keIsP0lEbQRfSkZ
FPYtPE1fZza3BekQxVfmFab5WU5pR/35TTCHj8frARHejk1gh7jnG25iZCYk1igh
CooUDLaw2TSdn/3z33yWiLl7TQp4x6Ee72rkAW+PCUFV7Je+mWRkLIX1WgJASA0t
kn5TM3epPv61RdIFotDvWbkJwFsjHi0u5A/GvxnBOYjhzgJVIF59DcPqKYAheNsy
FBIiEphsHMeXZL3RmuzPeNL9E0hBaYGzCdD++MV7zQ==
-----END CERTIFICATE-----
subject=C = IE, ST = Some-State, O = Internet Widgits Pty Ltd, CN = reproducemeltdown.org

issuer=C = IE, ST = Some-State, O = Internet Widgits Pty Ltd, CN = reproducemeltdown.org

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1499 bytes and written 377 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 47FFCE934A50DBE3FBA670BB4FBE8EB180D8C3728B99613E4A1FD4A96A199E15
    Session-ID-ctx: 
    Resumption PSK: 8707B96581DAF33C21A39F8216F83062CE976BCC7CFE1E69702668BB784C2EF961114B81CD758E3A2B6313679DCCEB84
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - a0 16 0b 29 58 fb 34 83-62 88 76 77 f2 de d4 dd   ...)X.4.b.vw....
    0010 - 9d ce a3 59 0e e2 4c c8-a7 54 fc 71 8c ea 21 cf   ...Y..L..T.q..!.
    0020 - 18 6c 60 ed 38 cc 3e cc-47 7a d1 cc 7c f2 19 80   .l`.8.>.Gz..|...
    0030 - 20 85 fb d2 85 e3 22 f7-97 27 76 9f 47 a9 1c cd    ....."..'v.G...
    0040 - f1 b0 ac f4 58 2f cd ec-12 57 86 bc 77 f2 63 af   ....X/...W..w.c.
    0050 - 97 f2 7d 92 41 17 29 e0-37 23 0d 49 d1 6d 0f b9   ..}.A.).7#.I.m..
    0060 - b4 7d d1 61 79 04 25 50-1b a4 f4 e5 b2 e0 d7 7b   .}.ay.%P.......{
    0070 - 2a d0 17 59 fa 0c 28 67-31 26 a4 29 0a 2d 01 7d   *..Y..(g1&.).-.}
    0080 - 39 28 8c 73 7f 64 48 d9-39 b6 f8 8c 56 6a fc 48   9(.s.dH.9...Vj.H
    0090 - ca f7 54 f5 76 d4 16 87-2a 07 89 c3 10 de e1 ff   ..T.v...*.......
    00a0 - fe 7b 9c 89 71 da c2 16-11 8a 58 dd 0f 83 0f bf   .{..q.....X.....
    00b0 - b8 a6 26 76 3f e8 c0 b3-98 08 16 99 6a d5 de 17   ..&v?.......j...

    Start Time: 1618156631
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 0E84FCD59606B36F71358DF304AC7C57BCDA93F80F8F816220FACD45EFA3027E
    Session-ID-ctx: 
    Resumption PSK: 3F2EA2506F0EDC88C83BD658B1B4B0B8B51E3FCCD46B7A6A97E4B1630FE768CE7AE02D0EC7E125DDF803A17C74190237
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - a0 16 0b 29 58 fb 34 83-62 88 76 77 f2 de d4 dd   ...)X.4.b.vw....
    0010 - 6b 68 1e 9f 3e 80 d5 83-47 3a 01 cf ea 6c 50 44   kh..>...G:...lPD
    0020 - 1d 6a a7 71 b5 1b 55 fa-72 92 89 79 00 a3 a9 b4   .j.q..U.r..y....
    0030 - 05 8e be a2 f6 0d 2e 4a-3b 5e 08 3f 4d d2 83 1a   .......J;^.?M...
    0040 - a9 5e 50 60 fa 03 ee a0-5d fa 34 20 03 93 25 5d   .^P`....].4 ..%]
    0050 - 53 ed 82 ca ae cb 44 92-53 fe 51 8a da 5f d8 7b   S.....D.S.Q.._.{
    0060 - 35 84 2e d9 68 14 6d e7-67 e8 79 1d 9a 1d 99 d8   5...h.m.g.y.....
    0070 - 0f 6d 51 fb cd 01 f4 74-53 67 ac ed 36 96 a3 e6   .mQ....tSg..6...
    0080 - e8 14 1c e0 08 55 f3 9e-01 d6 74 aa ff df f3 35   .....U....t....5
    0090 - 30 40 7d c1 5f 16 14 d2-76 bc 6b 8c 38 c9 39 12   0@}._...v.k.8.9.
    00a0 - df b7 46 ed 76 42 3b 74-53 d7 b1 aa 24 19 77 f1   ..F.vB;tS...$.w.
    00b0 - a1 8f 2f 17 73 03 cf bc-5c a4 2c 42 17 cd 1e 8c   ../.s...\.,B....
    00c0 - bf 2e 1b 2b 0a 85 05 68-76 44 e8 74 c9 95 16 c7   ...+...hvD.t....

    Start Time: 1618156631
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
DONE