From Collision to Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel
Wen Xu, Juanru Li, Junliang Shu, Wenbo Yang, Tianyi Xie, Yuanyuan Zhang, Dawu Gu
Group of Software Security In Progress (GoSSIP), Lab of Cryptology and Computer Security (LoCCS), Shanghai Jiao Tong University
CCS 2015
Introduction
• Linux kernel has become a welcome target
  – A complete control of the system
  – Fewer protection and mitigation schemes
• Exploiting kernel bugs is non-trivial
  – Few documented techniques
  – Unpredictable memory layout
• Our goal is to find a generic way to exploit use-after-free bugs in Linux kernel.
Use-after-free in Linux kernel
• Option 2 is to free an object without clearing the pointer
  – obj[index] is a so-called "dangling pointer" since it points to a freed space
• Option 3 is to use an object without checking whether the pointer is valid
  – Here "use" represents invoking a function pointer stored in the object
Exploiting use-after-free bugs
• Our goal is to re-occupy the vulnerable freed object with controllable data.
  – The freed memory is to be reused, which provides an opportunity for attackers to re-control the freed space.
  – Controllable data contributes to unintended control-flow hijacking or data corruption in later use.
Challenges
• Stability: The "hole" should be re-occupied by our candidates.
  – Hundreds of scheduled tasks all affect kernel allocators.
• Separation: The "hole" should be re-occupied by proper candidates.
  – Different types of kernel objects cannot be stored in the same memory region due to SLAB/SLUB.
• Data-control: The "hole" should be filled with meaningful content.
  – The content of kernel objects is usually not fully controlled by users.
• Universality: One strategy regardless of the type of vulnerable object.
Insight: Memory Collision
• Kernel recycles free memory for future use.
  – Memory limitation
  – Performance requirement
  – Reduction of the entropy of memory layout
• Memory collision attack strategy
  – To use proper candidates and let them be chosen by the kernel to occupy the recently freed space
    • In fact, to collide with the freed "hole"
  – Probabilistic model with high success rate
Overview
• Object-based memory collision attack
  – Candidate: kernel buffers allocated by kernel allocators
• Physmap-based memory collision attack
  – Candidate: physmap
  – Generic, stable and reliable
Object-based Attack
• Intuitive strategy
  – To use kernel objects to overwrite kernel objects
• Kernel objects are stored in various kinds of SLAB caches.
  – Different caches are for different objects, which implies a natural separation.
  – How to insert an object of type A into the caches storing vulnerable objects of type B?
Object-based Attack #1: Collisions between Objects of the Same Size
• Savior: Newly adopted SLUB allocators
  – Put objects of the same size into one cache for performance promotion.
• Candidate: kmalloc() buffers
  – Commonly used by the kernel to store temporary data
  – Easy to create by users: sendmmsg()
    • Controllable size: Length of control message
    • Controllable content: Data of control message
    • All passed from user space
• Notice that the length of the message buffer should be the same as the size of the vulnerable object (512).
• Limitation:
  – kmalloc() allocates space of a rounded size like 32, 48, 64, 128, 256, 512, 1024 ...
  – What if the vulnerable object has a size of 576?
    • 512 < 576 < 1024
Object-based Attack #2: Collisions between Objects of Different Sizes
• If all the objects in a cache are freed, the whole space of the cache is going to be recycled by the kernel.
  – Is the space definitely to be re-used for a cache storing the objects of the original type? No.
  – Kernel never cares about the history of free memory. Memory is just memory.
  – Chances are that the space is going to be used for a new cache storing objects of a different type.
Object-based Attack #2: Collisions between Objects of Different Sizes
• The attack code remains the same.
  – No care about the size of our message buffer
  – Pick a kmalloc() size you prefer
• Discussions
  – Theoretically, collisions always happen eventually.
  – Practically, such a blind strategy suffers a low success rate.
  – Usually, due to resource limitation, one user cannot own too many kmalloc() buffers in the kernel.
Physmap-based Attack
• Get rid of restrictions provided by the kernel allocators.
  – Again, memory is just memory. The kernel never claims that the memory once for kernel objects is always for kernel objects.
  – We choose a candidate known as physmap to achieve a generic and stable attack against use-after-free vulnerabilities in Linux kernel.
Physmap-based Attack
Physmap, the direct-mapped memory, is a region of kernel space which directly maps the memory of user space into the kernel address space.
Physmap-based Attack
• An EXCELLENT choice
  – Easy creation: iteratively mmap() in the user space
  – Data-control: fully controlled by attackers for sure
  – Large size: (Table [1] from ret2dir: Rethinking Kernel Isolation, USENIX Security '14)
• Physmap filled with our crafted payload grows in the kernel by occupying free kernel space.
Physmap-based Attack
• An intuitive strategy is to create a large number of vulnerable objects and free all of them, then do the kernel spraying by physmap and hope the collision happens.
• A more reliable approach?
Physmap-based Attack
• We spray vulnerable objects in groups; for each group:
  – Considering N objects as vulnerable ones, we will later trigger the UAF vulnerability on them.
  – Considering M (M >> N) objects as padding ones, we will just release them in a normal way.
• Result:
  • (1) Large pieces of freed memory are waiting for physmap with payload to occupy.
  • (2) We have vulnerable freed objects scattered all over the kernel space.
• These sharply increase the reliability of such a probabilistic attack.
Physmap-based Attack
• In practice, we discover that users can get certain data inside many kernel objects by specific syscalls.
• That could help to inform attackers that the collisions have already happened and the spraying should be stopped.
  – Further increases the reliability
Security Effectiveness
• Physmap-based attack totally avoids the separation provided by the kernel allocators and achieves overwriting.
• Physmap originates from the mmap() area in user space, thus it is fully under the control of attackers.
• Physmap is effective regardless of the type and size of the vulnerable object which has a use-after-free vulnerability.
• Certain spraying tricks and potential approaches to leaking information help to increase the probability that memory collisions happen.
• Physmap-based attack leverages the inherent working mechanism of the kernel, which cannot be mitigated easily.
Evaluation
• Here is the performance of all these attacks targeting the custom vulnerable kernel module.
• The attacks perform worse on the 64-bit Linux platform; still, both the physmap-based attack and object-based attack #1 have a high success rate.
Evaluation
• We achieve a reliable universal root solution on diverse Android devices by leveraging CVE-2015-3636, a typical use-after-free vulnerability in Linux kernel credited to the author, based on the physmap-based attack.
• That implies our attack applies both on x86/x86_64 and ARM architectures.
Conclusion
• We propose a novel attack technique to unleash use-after-free vulnerabilities in Linux kernel which features reliability and universality.
• Countermeasures
  – To impose restrictions on available memory resources of a particular user.
  – To make isolations among memory of different usages.
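A toy model, added here as an example and not taken from the paper, of the probabilistic argument behind the group-spraying slide (M >> N padding objects) and behind the first countermeasure above (limiting a user's memory resources). Slab pages of eight slots, the 64-page cache and the background allocation rate are constructed toy parameters; `run_once` and `success_rate` are names chosen for this example.

```python
"""Toy model of the memory-collision argument in the slides (added example,
not code from the paper).  Objects sit in fixed-size slab pages; a slab page
goes back to the page allocator only when every slot on it is free; a physmap
spray can only re-occupy pages that went back.  It shows why padding objects
raise the collision rate and why capping a user's spray lowers it."""
import random

OBJS_PER_PAGE = 8   # constructed: eight 512-byte objects per 4 KiB slab page
N_PAGES = 64        # constructed: size of the toy cache


def run_once(rng, n_vuln, n_pad, spray_pages, noise):
    """One trial; True if a page holding a dangling object is re-occupied."""
    slots = [(p, s) for p in range(N_PAGES) for s in range(OBJS_PER_PAGE)]
    want = n_vuln + n_pad
    assert want <= len(slots), "toy cache too small for this many objects"
    mine = slots[:want]                   # allocator hands out slots in order
    vuln = set(rng.sample(mine, n_vuln))  # the ones we will use-after-free
    mine_set = set(mine)
    # Other kernel tasks keep allocating: each slot we did not take becomes
    # live with probability `noise` (the "Stability" challenge).
    live = {sl for sl in slots if sl not in mine_set and rng.random() < noise}
    # We free everything we own; vulnerable ones stay referenced (dangling).
    # Only pages with no live slot at all are returned to the page allocator.
    returned = [p for p in range(N_PAGES)
                if not any((p, s) in live for s in range(OBJS_PER_PAGE))]
    # The spray may only claim `spray_pages` pages: a per-user memory cap.
    taken = set(rng.sample(returned, min(spray_pages, len(returned))))
    return any(p in taken for p, _ in vuln)


def success_rate(n_vuln, n_pad, spray_pages, noise=0.5, trials=500, seed=7):
    """Fraction of trials in which the spray collides with a dangling object."""
    rng = random.Random(seed)
    hits = sum(run_once(rng, n_vuln, n_pad, spray_pages, noise)
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("no padding, unlimited spray      :", success_rate(4, 0, 64))
    print("padding,    unlimited spray      :", success_rate(4, 60, 64))
    print("padding,    spray capped, 1 page :", success_rate(4, 60, 1))
```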
Thank you! Q&A