Projekte pro Jahr
Abstract
While the number of vulnerabilities in the Linux kernel has increased significantly in recent years, most have limited capabilities, such as corrupting a few bytes in restricted allocator caches. To elevate their capabilities, security researchers have proposed software cross-cache attacks, exploiting the memory reuse of the kernel allocator. However, such cross-cache attacks are impractical due to their low success rate of only 40 %, with failure scenarios often resulting in a system crash.
In this paper, we present SLUBStick, a novel kernel exploitation technique elevating a limited heap vulnerability to an arbitrary memory read-and-write primitive. SLUBStick operates in multiple stages: Initially, it exploits a timing side channel of the allocator to perform a cross-cache attack reliably. Concretely, exploiting the side-channel leakage pushes the success rate to above 99 % for frequently used generic caches. SLUBStick then exploits code patterns prevalent in the Linux kernel to convert a limited heap vulnerability into a page table manipulation, thereby granting the capability to read and write memory arbitrarily. We demonstrate the applicability of SLUBStick by systematically analyzing two Linux kernel versions, v5.19 and v6.2. Lastly, we evaluate SLUBStick with a synthetic vulnerability and 9 real-world CVEs, showcasing privilege escalation and container escape in the Linux kernel with state-of-the-art kernel defenses enabled.
In this paper, we present SLUBStick, a novel kernel exploitation technique elevating a limited heap vulnerability to an arbitrary memory read-and-write primitive. SLUBStick operates in multiple stages: Initially, it exploits a timing side channel of the allocator to perform a cross-cache attack reliably. Concretely, exploiting the side-channel leakage pushes the success rate to above 99 % for frequently used generic caches. SLUBStick then exploits code patterns prevalent in the Linux kernel to convert a limited heap vulnerability into a page table manipulation, thereby granting the capability to read and write memory arbitrarily. We demonstrate the applicability of SLUBStick by systematically analyzing two Linux kernel versions, v5.19 and v6.2. Lastly, we evaluate SLUBStick with a synthetic vulnerability and 9 real-world CVEs, showcasing privilege escalation and container escape in the Linux kernel with state-of-the-art kernel defenses enabled.
Originalsprache | englisch |
---|---|
Titel | Usenix Security Symposium 2024 |
Erscheinungsort | Philadelphia, PA |
Herausgeber (Verlag) | USENIX Association |
Seiten | 4051-4068 |
ISBN (elektronisch) | 978-1-939133-44-1 |
Publikationsstatus | Veröffentlicht - Aug. 2024 |
Veranstaltung | 33rd USENIX Security Symposium: USENIX Security 2024 - Philadelphia Marriott Downtown, Philadelphia, USA / Vereinigte Staaten Dauer: 14 Aug. 2024 → 16 Aug. 2024 https://www.usenix.org/conference/usenixsecurity24 |
Konferenz
Konferenz | 33rd USENIX Security Symposium: USENIX Security 2024 |
---|---|
Kurztitel | USENIX |
Land/Gebiet | USA / Vereinigte Staaten |
Ort | Philadelphia |
Zeitraum | 14/08/24 → 16/08/24 |
Internetadresse |
Fingerprint
Untersuchen Sie die Forschungsthemen von „SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel“. Zusammen bilden sie einen einzigartigen Fingerprint.Projekte
- 2 Laufend
-
-
SEIZE - Secure Edge-Geräte für industrielle Zero-Trust Umgebungen
1/01/22 → 31/12/24
Projekt: Forschungsprojekt