nsacyber/Maplesyrup nsacyber/Maplesyrup

  • This repository has been archived on 12/May/2018
  • Stars
    star
    140
  • Rank 261,473 (Top 6 %)
  • Language
    C
  • License
    Other
  • Created over 9 years ago
  • Updated over 8 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
nsacyber/Maplesyrup
github

nsacyber

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Assesses CPU security of embedded devices. #nsacyber

Maplesyrup Register Display Tool

Maplesyrup is a tool that can be used to help determine the security state of an ARM-based device by examining the system register interface of the CPU.

Who is this for?

Maplesyrup is for anyone who has low level access to a handset or single-board PC running an ARMv7A/v8A based processor and is interested in knowing the register level configuration of their CPU at OS runtime. These registers contain featureset and security information that may influence operation of the system kernel and running applications.

Why was this created?

Linux provides featureset and platform information to the user in the /proc and /sys filesystems, but the configurations governing how these features operate is sometimes hidden to the user. In some cases, the OS will make use of the information to conform to implementation specific features and not indicate this to the user. In other cases, these features may not be managed by the operating system at all, but nevertheless could potentially affect the operation of the system by configuring how a CPU controls access to security domains, executes specific instructions, and handles CPU exceptions.

How does it work?

Maplesyrup consists of a kernel driver and a user mode component. The kernel driver collects the information and returns it to the user mode component which parses the information and presents it to the user.

What can I do with the results?

The results will show the low level operating configuration of the system, and can be used to help determine the security state of a device. They may include security settings such as the status of Virtualization Extensions, Security Extensions and coprocessor access restrictions. A few specific examples are listed below:

  • The UWXN and WXN fields within the SCTLR register on ARMv7A based processors will affect how the Execute Never (XN) feature will operate.
  • The Domain Access Control Register (DACR) defines access permissions for each of the 16 memory domain regions.
  • The coprocessor Access Control Register (CPACR) can be used to determine whether a coprocessor is implemented and what it's access controls are.
  • Trap information details the execution level certain exceptions will be taken to and which stack pointer will be used (for AARCH64).
  • Debug Architecture access permissions

What do the results represent?

The data stored in the system registers may or may not represent how the chip actually operates and the nature of the value is entirely defined by the vendor implementing the device. In addition, some registers will be read at boot time and the results stored to memory. In these cases, manually flipping the bit after the OS has booted will likely not have any effect. Another thing to note is that several registers report information that is relevant to a procedure and may have no further relevance once that procedure has completed.

Features/Limitations

  • Multi-core support
  • Memory-mapped system registers are currently not supported
  • Only EL0/EL1 are supported
  • Support for Cortex A7/A15/A53/A57
  • Support for memory-mapped devices

This application reads only a small portion of the available system registers on an ARM CPU. Please refer to the ARMv7A and ARMv8A Architecture Manuals and the appropriate Cortex TRM for official documentation.

WARNING: This application and kernel module are to be used only on test systems. Leaving the kernel module installed on a non-test system will compromise the system's security.

Platforms Tested

  • Galaxy S5 Exynos Variant
  • ODROID-XU3
  • HOWCHIP 5250 Ver. C
  • Versatile Express-A9 (QEMU)
  • Android Goldfish 3.4 (QEMU)
  • Versatile JUNO Development Platform
  • Raspberry PI 2

Requirements

  • Ubuntu 14.04
  • sudo apt-get install libtool autoconf
  • Toolchain for target architecture (if cross compiling) to build usermode and kernel components
    • arm-linux-gnueabi for 32-bit
    • aarch64-linux-gnu for 64-bit
    • arm-linux-androideabi for Android
  • Kernel source tree (required for kernel module build)
  • Linux based device with root access and the ability to load unsigned kernel modules

Directory Structure

./common - Files common to both the kernel module and user mode component
./lib    - The user mode parsing library
./module - The kernel module
./frontend - Entry point and command line parsing

Final build executables will be './frontend/maplesyrup' and './module/maplesyrup_mod.ko'

Build Instructions

Native ARM Compilation

    Run autogen.sh
    ./configure LDFLAGS="-static" 
    make
    cd module   
    export KERNEL_SRC=<path to kernel source tree>
    make

ARM Cross-Compilation

    Run autogen.sh
    Ensure path to toolchain binaries is in PATH (PATH=$PATH:/path/to/toolchain)
    ./configure --host=arm-linux-gnueabi LDFLAGS="-static" (for 32bit)
            --OR--
    ./configure --host=aarch64-linux-gnu LDFLAGS="-static" (for 64bit)
    make  
    cd module
    export ARCH=arm (or arm64)
    export CROSS_COMPILE=arm-linux-gnueabi- (or aarch64-linux-gnu-)
    export KERNEL_SRC=<path to kernel source tree>
    make

Android Compilation

    Requirements: The device must be rooted and the kernel must be configured for loadable kernel modules.

    Download Android NDK
    
    export CROSS_COMPILE=arm-linux-androideabi
    export CC=${CROSS_COMPILE}-gcc
    export CXX=${CROSS_COMPILE}-g++
    export NDK=<path to>/android-ndk-r10d/
    export SYSROOT=$NDK/platforms/android-21/arch-arm
    PATH=$PATH:$NDK/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin
    
    Run autogen.sh
    ./configure --host=arm-linux-androideabi CFLAGS="--sysroot=$SYSROOT" LDFLAGS="-static"
    make
    cd module
    export ARCH=arm
    export CROSS_COMPILE=arm-linux-gnueabi-
    export KERNEL_SRC=<path to android kernel source tree>
    make

General Installation Instructions

  • Installation on a native ARM system is a simple 'sudo make install'. The kernel module can be installed with the typical loadable module routines.

  • Installation onto a virtual machine or ARM-based test system involves transferring the 'maplesyrup' executable and the 'maplesyrup_mod.ko' module to the system via 'scp' or similar utility.

  • Installation on an Android based handset requires root access and the ability for the kernel to load unsigned kernel modules. Once you have this, installation is simply copying (via an SD card) the cross-compiled user mode component to '/system/bin'. The kernel module can be loaded directly from the SD card. These Android instructions have only been tested on a Galaxy S5 and may differ from handset to handset.

  • Make sure to 'rmmod maplesyrup_mod' when done to unload the kernel module. Failure to do this may leave the system in an unsafe state.

Usage Instructions

Usage: maplesyrup --<register|group|bitfield|all> <NAME or ID> --arch=<ARCH> --impl=<IMPL or all> [--core=<CORE or -1>] [OTHER OPTIONS]

  --arch - armv7a or armv8a
  --impl - cortex-a7, cortex-a15, cortex-a53, cortex-a57, or all
  --core - core number, or -1 for all cores
  --calc - supply register value. Use with --register <regname>
  --help - show this menu
  --group - search by group
  --register - search by register
  --bitfield - search by bitfield
  --all - search all available bitfields
  --noparse - don't parse the results into bitfields
  --showfail - show all results regardless of success
  --el0 - force execution at pl0
  --el1 - force execution at pl1
  --devices - include memory-mapped devices (memory intensive)
  --show_groups - shows all valid functional groups
  --show_bitfields - shows all valid bitfields
  --show_registers - shows all valid register

Examples:
    (1) maplesyrup --register MIDR --arch=armv7a --impl=all
        to display the MIDR register
    (2) maplesyrup --all --arch=armv7a --impl=all
        to display the all registers
    (3) maplesyrup --register MIDR --arch=armv7a --impl=all --calc=0x410fc073
        supply a value

    Sample output 
    > maplesyrup --register MIDR --arch=armv7a --impl=all --core=0
    
    ============================
    || Maplesyrup 1.0         ||    
    ||    -linux              ||
    ||    -aarch32            ||
    ||                        ||
    || 000005/000040 entries  ||
    ============================
    [cpu0/cortex-a7/armv7a/1/ident/MIDR/03:00/Revision]: 0x3 (Revision) (0)
    [cpu0/cortex-a7/armv7a/1/ident/MIDR/15:04/Primary part number]: 0xc07 (Primary part number) (0)
    [cpu0/cortex-a7/armv7a/1/ident/MIDR/19:16/Architecture]: 0xf (Architecture) (0)
    [cpu0/cortex-a7/armv7a/1/ident/MIDR/23:20/Variant]: 0x0 (Variant) (0)
    [cpu0/cortex-a7/armv7a/1/ident/MIDR/31:24/Implementer]: 0x41 (Implementer) (0)
      |      |        |    |   |     |     |       |          |        |         |
      |      |        |    |   |     |     |       |          |        |         |
     Core #  |        |    |   |     |     |       |          |        |         |
         Part number  |    |   |     |     |       |          |        |         |
     The decode table used |   |     |     |       |          |        |         |
           The exception level |     |     |       |          |        |         |
                The functional group |     |       |          |        |         |
                         The register name |       |          |        |         |
                    The bitfield size and position |          |        |         |
                                             The field name   |        |         |
                                                 Actual result value   |         |
                                                            A brief description  |
                                                                            Result validity

  • Only valid results will typically be displayed, but invalid results can be shown with the --showfail flag. This could help in debugging why a certain register could not be read. Errors could be any of the following:

    MS_ERROR_SUCCESS    = 0,    // Success!
MS_ERROR_ILLINST    = 1,    // Illegal instruction
MS_ERROR_UNDEFINST  = 2,    // Undefined instruction
MS_ERROR_SMP        = 3,    // Unable to bring CPU up
MS_ERROR_SMP_SINGLE = 4,    // Unable to schedule thread on CPU
MS_ERROR_NORESULT   = 5,    // CPU does not exist, or was not requested
MS_ERROR_TABLE      = 6,    // Problem reading the decode table

  • The actual result value is typically going to be the default "reset" value as recommended by the vendor. If it's not, for example if all access restrictions for all the memory domains is set to 0x3 on a commercial handset device, then that may be something worth investigating. Typically, 0x1 (or any non-zero value) means that a setting is "on" or active. A 0x0 means that the setting is "off" or not implemented. Of course, to determine specifically what a value means, you currently have to consult the appropriate Technical Reference Manual for your processor.

  • Most field names were chosen to match those found in various ARM documents. In cases where an abbreviated field name could not be found then a reasonable acronym was created from the description of the bit's function. Similarly for group names, in cases where a functional group for a register could not be found, then it was either assigned to the "impl_def" (implementation defined) group or the "other" group. Also, RAZ, RES0, RA0 and RES1 fields are simply referred to as "Reserved".

  • The bitfield size and position represents the starting and stopping points within the register value that the decoding represents. Parsing into fieldnames can be disabled with the --noparse flag.

  • Register naming conventions follow the ARMv7A architecture. If there is a direct mapping between an ARMv8A register and an ARMv7A register, then the ARMv7A name is used. If there is no direct mapping, then the register is prefixed with "AA64" (for example, "AA64MMFR0"). The exception level typically appended to ARMv8A registers, and any register prefix such as "ID_" has been omitted (for example, ID_AARCH64MMFR0_EL1 will just be AA64MMFR0).

  • For Linux, the exception level indicates whether the register was accessed in user mode (0) or kernel mode (1). In most cases, the register will be accessed in the mode that requires the least amount of privilege and still return defined results. On 32-bit chips, it is possible to specify a desired exception level with the --el0 or --el1 flags. This feature on aarch64 systems is currently incomplete.

  • The decode table used indicates which Maplesyrup internal table was used to parse the 32bit or 64bit register value. The part number is the actual Cortex type (called a "part number" internally) reported by the chip itself. Registers accessed at EL0 will have a NULL part number.

  • Core number is the core the registers were accessed on. Multi-core systems may have a different set of available registers for each cluster. Maplesyrup is configured to support 8 cores, but can be changed to support more through the MS_MAX_CPUS #define in 'parse.h'. Registers accessed at EL0 (user mode in Linux) will have a core number of 0 and is not indicative of the actual core the code was run on.

  • Maplesyrup does not intend to represent an exhaustive list of all coprocessor registers accessible via the MRC and MRS instructions, and any obvious exclusion should not be read as intentional. There are a lot of registers and any one could have been unintentionally skipped or misidentified.

  • There is no guarantee that any of the above statements are complete or true, or that the results returned by Maplesyrup are correct, accurate or meaningful.

How do I add my own bitfield decoding?

Bitfield decodings are statically programmed into the application, but can easily be expanded to include new or missing decodings. The relevant files you may need to modify are listed below:

  • ./lib/src/parse_breakout.c

The following files may need to be modified if a new register needs to be added:

  • ./common/jumptable.c
  • ./common/parse.h

The actual decode tables are stored under

  • ./lib/src/bitfields/ and follow the naming convention bitfield_*.c/h.

License

This Work was prepared by a United States Government employee and, therefore, is excluded from copyright by Section 105 of the Copyright Act of 1976.

Copyright and Related Rights in the Work worldwide are waived through the CC0 1.0 Universal license.

Disclaimer of Warranty

This Work is provided "as is." Any express or implied warranties, including but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the United States Government be liable for any direct, indirect, incidental, special, exemplary or consequential damages (including, but not limited to, procurement of substitute goods or services, loss of use, data or profits, or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this Guidance, even if advised of the possibility of such damage.

The User of this Work agrees to hold harmless and indemnify the United States Government, its agents and employees from every claim or liability (whether in tort or in contract), including attorneys' fees, court costs, and expenses, arising in direct consequence of Recipient's use of the item, including, but not limited to, claims or liabilities made for injury to or death of personnel of User or third parties, damage to or destruction of property of User or third parties, and infringement or other violations of intellectual property or technical data rights.

Nothing in this Work is intended to constitute an endorsement, explicit or implied, by the United States Government of any particular manufacturer's product or service.

Disclaimer of Endorsement

Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, in this Work does not constitute an endorsement, recommendation, or favoring by the United States Government and shall not be used for advertising or product endorsement purposes.

More Repositories

1

Windows-Secure-Host-Baseline

Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. #nsacyber
HTML
1,538
star
2

WALKOFF

A flexible, easy to use, automation framework allowing users to integrate their capabilities and devices to cut through the repetitive, tedious tasks slowing them down. #nsacyber
Python
1,191
star
3

goSecure

An easy to use and portable Virtual Private Network (VPN) system built with Linux and a Raspberry Pi. #nsacyber
Python
971
star
4

Mitigating-Web-Shells

Guidance for mitigation web shells. #nsacyber
YARA
951
star
5

GRASSMARLIN

Provides situational awareness of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks in support of network security assessments. #nsacyber
Java
910
star
6

Event-Forwarding-Guidance

Configuration guidance for implementing collection of security relevant Windows Event Log events by using Windows Event Forwarding. #nsacyber
PowerShell
840
star
7

Hardware-and-Firmware-Security-Guidance

Guidance for the Spectre, Meltdown, Speculative Store Bypass, Rogue System Register Read, Lazy FP State Restore, Bounds Check Bypass Store, TLBleed, and L1TF/Foreshadow vulnerabilities as well as general hardware and firmware security guidance. #nsacyber
C
748
star
8

ELITEWOLF

OT security monitoring #nsacyber
560
star
9

Windows-Event-Log-Messages

Retrieves the definitions of Windows Event Log messages embedded in Windows binaries and provides them in discoverable formats. #nsacyber
C#
392
star
10

Mitigating-Obsolete-TLS

Guidance for mitigating obsolete Transport Layer Security configurations. #nsacyber
PowerShell
269
star
11

nsacyber.github.io

NSA Cybersecurity. Formerly known as NSA Information Assurance and the Information Assurance Directorate
PowerShell
257
star
12

AppLocker-Guidance

Configuration guidance for implementing application whitelisting with AppLocker. #nsacyber
PowerShell
204
star
13

Pass-the-Hash-Guidance

Configuration guidance for implementing Pass-the-Hash mitigations. #nsacyber
PowerShell
196
star
14

HIRS

Trusted Computing based services supporting TPM provisioning and supply chain validation concepts. #nsacyber
Java
171
star
15

simon-speck

The SIMON and SPECK families of lightweight block ciphers. #nsacyber
167
star
16

unfetter

Identifies defensive gaps in security posture by leveraging Mitre's ATT&CK framework. #nsacyber
163
star
17

Control-Flow-Integrity

A proposed hardware-based method for stopping known memory corruption exploitation techniques. #nsacyber
C
152
star
18

BAM

The Binary Analysis Metadata tool gathers information about Windows binaries to aid in their analysis. #nsacyber
Python
146
star
19

WALKOFF-Apps

WALKOFF-enabled applications. #nsacyber
YARA
141
star
20

RandPassGenerator

A command-line utility for generating random passwords, passphrases, and raw keys. #nsacyber
Java
118
star
21

BitLocker-Guidance

Configuration guidance for implementing BitLocker. #nsacyber
HTML
113
star
22

Certificate-Authority-Situational-Awareness

Identifies unexpected and prohibited certificate authority certificates on Windows systems. #nsacyber
PowerShell
107
star
23

netfil

A kernel network manager with monitoring and limiting capabilities for macOS. #nsacyber
C
103
star
24

LOCKLEVEL

A prototype that demonstrates a method for scoring how well Windows systems have implemented some of the top 10 Information Assurance mitigation strategies. #nsacyber
JavaScript
99
star
25

HTTP-Connectivity-Tester

Aids in discovering HTTP and HTTPS connectivity issues. #nsacyber
PowerShell
96
star
26

Splunk-Assessment-of-Mitigation-Implementations

Automatically scores how well Windows systems have implemented some of the top 10 Information Assurance mitigation strategies. #nsacyber
Python
72
star
27

netman

A userland network manager with monitoring and limiting capabilities for macOS. #nsacyber
C
71
star
28

serial2pcap

Converts serial IP data, typically collected from Industrial Control System devices, to the more commonly used Packet Capture (PCAP) format. #nsacyber
Python
65
star
29

PRUNE

Logs key Windows process performance metrics. #nsacyber
C#
62
star
30

paccor

The Platform Attribute Certificate Creator can gather component details, create, sign, and validate the TCG-defined Platform Credential. #nsacyber
Java
53
star
31

Blocking-Outdated-Web-Technologies

Guidance for blocking outdated web technologies. #nsacyber
PowerShell
51
star
32

Detect-CVE-2017-15361-TPM

Detects Windows and Linux systems with enabled Trusted Platform Modules (TPM) vulnerable to CVE-2017-15361. #nsacyber
PowerShell
49
star
33

Driver-Collider

Blocks drivers from loading by using a name collision technique. #nsacyber
C
45
star
34

simon-speck-supercop

Fast implementations of the SIMON and SPECK lightweight block ciphers for the SUPERCOP benchmark toolkit. #nsacyber
C
43
star
35

Cyber-Challenge

Supporting files for cyber challenge exercises. #nsacyber
Jupyter Notebook
39
star
36

Chinese-State-Sponsored-Cyber-Operations-Observed-TTPs

Supporting files for the Chinese State-Sponsored Cyber Operations: Observed TTPs Cybersecurity Advisory. #nsacyber
34
star
37

AtomicWatch

Intel Atom C2000 series discovery tool that parses log files and returns results if a positive match is found. #nsacyber
Python
25
star
38

CodeGov

Creates a code.gov code inventory JSON file based on GitHub repository information. #nsacyber
PowerShell
22
star