Add tdx memory_attack demo for Pentests (#273)

intel · Mar 13, 2024 · 9bc7aab · 9bc7aab
1 parent 264fea6
commit 9bc7aab
Show file tree

Hide file tree

Showing 6 changed files with 133 additions and 5 deletions.
diff --git a/cczoo/penetration_testing/memory_attack/tdx/key_generator/README.md b/cczoo/penetration_testing/memory_attack/tdx/key_generator/README.md
@@ -0,0 +1,42 @@
+# Key Generator Application Memory Attack
+
+## Introduction
+
+This application is generating keys in VM's memory.
+
+It will use the same code to run into Non-TDX VMs and TDX VMs, and perform memory attacks on them to verify the confidentiality of TDX VM memory.
+
+![](key_generator.svg)
+
+## Application Deployment
+
+1. Start Non-TDX or TDX VM (QEMU-KVM).
+
+2. Run app into VM.
+
+    ```
+    python3 -u ./key_generator.py
+    ```
+
+## Hacker Memory Attack
+
+1. Dump VM's memory via gdb:
+    ```
+    rm -rf core.*
+    gdb -ex "generate-core-file" -ex "set confirm off" -ex "quit" -p `pgrep -f qemu-kvm`
+    ```
+
+2. Parse and find key from dumped file:
+    ```
+    strings ./core.* | grep -n uuid
+    ```
+
+    Corresponding output:
+
+    - Non-TDX VM
+        ```
+        16152:{'uuid35139113': '3hf!tj9da9wbwy18', 'uuid16913511': 'ukb2tvdq@etii0@7', 'uuid06450037': 'vi#9qnxvr*rwbq61', 'uuid39123227': '%an$ggjd13jrf3p1', 'uuid42881267': 'g%wtfce&4h6&u$h6'}
+        ```
+    - TDX VM
+
+        None output.
diff --git a/cczoo/penetration_testing/memory_attack/tdx/key_generator/key_generator.py b/cczoo/penetration_testing/memory_attack/tdx/key_generator/key_generator.py
@@ -0,0 +1,26 @@
+import random, time
+
+kv_dict = {}
+
+key_choice = '1234567890'
+value_choice = '1234567890abcdefghijklmnopqrstuvwxyz!@#$%^&*()'
+
+def gen_rand_chr(choice):
+    return random.choice(choice)
+
+def gen_rand_str(choice, length):
+    return ''.join([gen_rand_chr(choice) for _ in range(length)])
+
+def generate_kv_pair():
+    kv = {
+        "uuid" + gen_rand_str(key_choice, 8) : gen_rand_str(value_choice, 16)
+    }
+    kv_dict.update(kv)
+
+for _ in range(5):
+    generate_kv_pair()
+
+print(kv_dict)
+
+while True:
+    time.sleep(5)
diff --git a/cczoo/penetration_testing/memory_attack/tdx/key_generator/key_generator.svg b/cczoo/penetration_testing/memory_attack/tdx/key_generator/key_generator.svg
diff --git a/documents/readthedoc/docs/source/Pentests/Overview.md b/documents/readthedoc/docs/source/Pentests/Overview.md
@@ -19,15 +19,25 @@ Data theft is to verify the memory confidentiality of SGX runtime, memory attack
 
         ![](unauthorized_access/redis/redis.svg)
 
-        Please refer to [redis/index.html](https://cczoo.readthedocs.io/en/latest/Pentests/unauthorized_access/redis/index.html) for detail.
+        Please refer to this [link](https://cczoo.readthedocs.io/en/latest/Pentests/unauthorized_access/redis/index.html) for detail.
 
 2. Memory Attack:
     - Key generator
 
-        This application is generating keys in memory and implemented based on the Intel SGX SDK.
+        This application is generating keys in memory.
 
-        It will use the same source code to compile SGX applications and non-SGX applications, and perform memory attacks on them to verify the confidentiality of SGX runtime memory.
+        - SGX
 
-        ![](memory_attack/sgx/key_generator/key_generator.svg)
+            It will use the same source code to compile SGX applications and non-SGX applications, and perform memory attacks on them to verify the confidentiality of SGX runtime memory.
 
-        Please refer to [key_generator/index.html](https://cczoo.readthedocs.io/en/latest/Pentests/memory_attack/sgx/key_generator/index.html) for detail.
+            ![](memory_attack/sgx/key_generator/key_generator.svg)
+
+            Please refer to this [link](https://cczoo.readthedocs.io/en/latest/Pentests/memory_attack/sgx/key_generator/index.html) for detail.
+
+        - TDX
+
+            It will use the same source code to run into Non-TDX VMs and TDX VMs, and perform memory attacks on them to verify the confidentiality of TDX VM memory.
+
+            ![](memory_attack/tdx/key_generator/key_generator.svg)
+
+            Please refer to this [link](https://cczoo.readthedocs.io/en/latest/Pentests/memory_attack/tdx/key_generator/index.html) for detail.
diff --git a/documents/readthedoc/docs/source/Pentests/memory_attack/tdx/key_generator/index.md b/documents/readthedoc/docs/source/Pentests/memory_attack/tdx/key_generator/index.md
@@ -0,0 +1,42 @@
+# Key Generator Application Memory Attack
+
+## Introduction
+
+This application is generating keys in VM's memory.
+
+It will use the same code to run into Non-TDX VMs and TDX VMs, and perform memory attacks on them to verify the confidentiality of TDX VM memory.
+
+![](key_generator.svg)
+
+## Application Deployment
+
+1. Start Non-TDX or TDX VM (QEMU-KVM).
+
+2. Run app into VM.
+
+    ```
+    python3 -u ./key_generator.py
+    ```
+
+## Hacker Memory Attack
+
+1. Dump VM's memory via gdb:
+    ```
+    rm -rf core.*
+    gdb -ex "generate-core-file" -ex "set confirm off" -ex "quit" -p `pgrep -f qemu-kvm`
+    ```
+
+2. Parse and find key from dumped file:
+    ```
+    strings ./core.* | grep -n uuid
+    ```
+
+    Corresponding output:
+
+    - Non-TDX VM
+        ```
+        16152:{'uuid35139113': '3hf!tj9da9wbwy18', 'uuid16913511': 'ukb2tvdq@etii0@7', 'uuid06450037': 'vi#9qnxvr*rwbq61', 'uuid39123227': '%an$ggjd13jrf3p1', 'uuid42881267': 'g%wtfce&4h6&u$h6'}
+        ```
+    - TDX VM
+
+        None output.