Quark researchers hacked into Google’s upcoming operating system, Fuchsia OS, and were able to gain kernel code execution from a regular userland process.
Not much is known about Google’s upcoming mysterious Fuchsia operating system other than it will be used to power devices with AArch64 and x86_64 architecture. The Fuchsia operating system is open-source and was first noticed accidentally in 2016. In contrast to prior Google-developed operating systems such as Chrome OS and Android, which are based on the Linux kernel, Fuchsia is based on a new kernel called Zircon.
Though Google has not revealed much about Fuchsia OS, it is thought that Google will push through Fuchsia os to smartphones and tablets in the near future. In fact, in not so distant future, you may be using a Fuchsia OS powered smartphone or tablet. Since it is open-source, the researchers from Quarks Lab decided to test it for security loopholes and what they found was astounding even to them.
The Fuchsia OS is powered by a custom kernel called Zircon developed by Google itself. Zircon is written in C++ and Rust. What is unique to Zircon custom kernel is that all device drivers will run in “user mode” or “userland”, meaning they’re not given fully elevated privileges. In plain English, all driver processes in Fuchsia will first be handled by Zircon before using the computer or device resources. Google has adapted this process as it reduces the attack surface.
However, Quark researchers were able to gain kernel code execution from the userland process. This means despite the fact that userland doesn’t allow users to access elevated privileges, Quark researchers were able to exploit it to gain the same.
“Contrary to every other major OS, it appears rather difficult to target the Zircon kernel directly. A successful RCE (Remote Code Execution) on the world-facing parts of the system (USB, Bluetooth, network stack, etc) will only give you control over the targeted components, but they run in independent userland processes, not in the kernel. From a component, you then need to escalate privileges to the kernel using the limited number of syscalls you can access with the handles you have” Quark researchers note in their blog post.
The researchers found that they could access the embedded hypervisor for AArch64 and x86_64 using a bug in vmcall. The researchers say that the hypervisor is perhaps used to help users run Android and Chrome OS Apps on Fuchsia OS. Once they were able to send a vmcall instruction as the hypervisor did not verify where the call came from, they found it could be used in privilege escalations from the guest userland to the guest kernel.
“There, an attacker has more hypervisor interfaces available, and from there a VM escape vulnerability can be researched and leverage” the researchers note.
The researchers also found another loophole in the way Fuchsia kernel uses the structure located at FakeTlsAddr thinking it is a trusted x86_percpu structure from the kernel whereas it is actually a structure possibly controlled by userland. “By placing a specific value in the gpf_return_target field of this fake structure, userland can begin to gain code execution in kernel mode.”
The researchers note that these two vulnerabilities and the small bugs in Fuchsia OS can easily be fixed and it is perhaps one of the most difficult operating systems for hackers to attack. ” Despite this, they concluded, it has the potential to “significantly increase the difficulty for attackers to compromise devices.”
If you are interested in Google’s Fuchsia operating system you can access it here.