SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel

Lukas Maar; Stefan Gast; Martin Unterguggenberger; Mathias Oberhuber; Stefan Mangard

SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel

Institute of Information Security (7050)

Publikation: Beitrag in Buch/Bericht/Konferenzband › Beitrag in einem Konferenzband › Begutachtung

Abstract

While the number of vulnerabilities in the Linux kernel has increased significantly in recent years, most have limited capabilities, such as corrupting a few bytes in restricted allocator caches. To elevate their capabilities, security researchers have proposed software cross-cache attacks, exploiting the memory reuse of the kernel allocator. However, such cross-cache attacks are impractical due to their low success rate of only 40 %, with failure scenarios often resulting in a system crash.

In this paper, we present SLUBStick, a novel kernel exploitation technique elevating a limited heap vulnerability to an arbitrary memory read-and-write primitive. SLUBStick operates in multiple stages: Initially, it exploits a timing side channel of the allocator to perform a cross-cache attack reliably. Concretely, exploiting the side-channel leakage pushes the success rate to above 99 % for frequently used generic caches. SLUBStick then exploits code patterns prevalent in the Linux kernel to convert a limited heap vulnerability into a page table manipulation, thereby granting the capability to read and write memory arbitrarily. We demonstrate the applicability of SLUBStick by systematically analyzing two Linux kernel versions, v5.19 and v6.2. Lastly, we evaluate SLUBStick with a synthetic vulnerability and 9 real-world CVEs, showcasing privilege escalation and container escape in the Linux kernel with state-of-the-art kernel defenses enabled.

Originalsprache	englisch
Titel	Proceedings of the 33rd USENIX Security Symposium
Erscheinungsort	Philadelphia, PA
Herausgeber (Verlag)	USENIX Association
Seiten	4051-4068
Seitenumfang	18
ISBN (elektronisch)	978-1-939133-44-1
Publikationsstatus	Veröffentlicht - Aug. 2024
Veranstaltung	33rd USENIX Security Symposium: USENIX Security 2024 - Philadelphia Marriott Downtown, Philadelphia, USA / Vereinigte Staaten Dauer: 14 Aug. 2024 → 16 Aug. 2024 https://www.usenix.org/conference/usenixsecurity24

Publikationsreihe

Name	Proceedings of the 33rd USENIX Security Symposium

Konferenz

Konferenz	33rd USENIX Security Symposium: USENIX Security 2024
Kurztitel	USENIX
Land/Gebiet	USA / Vereinigte Staaten
Ort	Philadelphia
Zeitraum	14/08/24 → 16/08/24
Internetadresse	https://www.usenix.org/conference/usenixsecurity24

ASJC Scopus subject areas

Information systems
Sicherheit, Risiko, Zuverlässigkeit und Qualität
Computernetzwerke und -kommunikation

Zugriff auf Dokument

mainAkzeptiertes Autorenmanuskript, 344 KB

https://www.usenix.org/conference/usenixsecurity24/presentation/maar-slubstickLizenz: Nicht definiert

Andere Dateien und Links

Verknüpfung zur Publikation in Scopus

1 Laufend
2 Abgeschlossen

Spezialforschungsbereich (SFB) F85 Semantische und kryptographische Grundlagen von Sicherheit und Datenschutz durch Compositional Design
Mangard, S. (Projektleiter an der OE)
1/01/23 → 31/12/26
Projekt: Forschungsprojekt
AWARE - Hardware-gewährleistete Softwaresicherheit
Mangard, S. (Konsortialführer/in bzw. Koordinator/in bei Kooperationen mit externen Organisationen) & Mangard, S. (Projektleiter an der OE)
1/05/22 → 30/04/25
Projekt: Forschungsprojekt
SEIZE - Secure Edge-Geräte für industrielle Zero-Trust Umgebungen
Mangard, S. (Konsortialführer/in bzw. Koordinator/in bei Kooperationen mit externen Organisationen) & Mangard, S. (Projektleiter an der OE)
1/01/22 → 31/12/24
Projekt: Forschungsprojekt

Dieses zitieren

Maar, L., Gast, S., Unterguggenberger, M., Oberhuber, M., & Mangard, S. (2024). SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel. in Proceedings of the 33rd USENIX Security Symposium (S. 4051-4068). (Proceedings of the 33rd USENIX Security Symposium). USENIX Association. https://www.usenix.org/conference/usenixsecurity24/presentation/maar-slubstick

SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel. / Maar, Lukas ; Gast, Stefan ; Unterguggenberger, Martin et al.
Proceedings of the 33rd USENIX Security Symposium. Philadelphia, PA: USENIX Association, 2024. S. 4051-4068 (Proceedings of the 33rd USENIX Security Symposium).

Publikation: Beitrag in Buch/Bericht/Konferenzband › Beitrag in einem Konferenzband › Begutachtung

Maar, L , Gast, S , Unterguggenberger, M , Oberhuber, M & Mangard, S 2024, SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel. in Proceedings of the 33rd USENIX Security Symposium. Proceedings of the 33rd USENIX Security Symposium, USENIX Association, Philadelphia, PA, S. 4051-4068, 33rd USENIX Security Symposium: USENIX Security 2024, Philadelphia, Pennsylvania, USA / Vereinigte Staaten, 14/08/24. <https://www.usenix.org/conference/usenixsecurity24/presentation/maar-slubstick>

@inproceedings{dd69fd5a39cc4393bcdf7e433c76bd67,

title = "SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel",

abstract = "While the number of vulnerabilities in the Linux kernel has increased significantly in recent years, most have limited capabilities, such as corrupting a few bytes in restricted allocator caches. To elevate their capabilities, security researchers have proposed software cross-cache attacks, exploiting the memory reuse of the kernel allocator. However, such cross-cache attacks are impractical due to their low success rate of only 40 \%, with failure scenarios often resulting in a system crash. In this paper, we present SLUBStick, a novel kernel exploitation technique elevating a limited heap vulnerability to an arbitrary memory read-and-write primitive. SLUBStick operates in multiple stages: Initially, it exploits a timing side channel of the allocator to perform a cross-cache attack reliably. Concretely, exploiting the side-channel leakage pushes the success rate to above 99 \% for frequently used generic caches. SLUBStick then exploits code patterns prevalent in the Linux kernel to convert a limited heap vulnerability into a page table manipulation, thereby granting the capability to read and write memory arbitrarily. We demonstrate the applicability of SLUBStick by systematically analyzing two Linux kernel versions, v5.19 and v6.2. Lastly, we evaluate SLUBStick with a synthetic vulnerability and 9 real-world CVEs, showcasing privilege escalation and container escape in the Linux kernel with state-of-the-art kernel defenses enabled.",

author = "Lukas Maar and Stefan Gast and Martin Unterguggenberger and Mathias Oberhuber and Stefan Mangard",

year = "2024",

month = aug,

language = "English",

series = "Proceedings of the 33rd USENIX Security Symposium",

publisher = "USENIX Association",

pages = "4051--4068",

booktitle = "Proceedings of the 33rd USENIX Security Symposium",

address = "United States",

note = "33rd USENIX Security Symposium: USENIX Security 2024, USENIX ; Conference date: 14-08-2024 Through 16-08-2024",

url = "https://www.usenix.org/conference/usenixsecurity24",

}

TY - GEN

T1 - SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel

AU - Maar, Lukas

AU - Gast, Stefan

AU - Unterguggenberger, Martin

AU - Oberhuber, Mathias

AU - Mangard, Stefan

PY - 2024/8

Y1 - 2024/8

N2 - While the number of vulnerabilities in the Linux kernel has increased significantly in recent years, most have limited capabilities, such as corrupting a few bytes in restricted allocator caches. To elevate their capabilities, security researchers have proposed software cross-cache attacks, exploiting the memory reuse of the kernel allocator. However, such cross-cache attacks are impractical due to their low success rate of only 40 %, with failure scenarios often resulting in a system crash. In this paper, we present SLUBStick, a novel kernel exploitation technique elevating a limited heap vulnerability to an arbitrary memory read-and-write primitive. SLUBStick operates in multiple stages: Initially, it exploits a timing side channel of the allocator to perform a cross-cache attack reliably. Concretely, exploiting the side-channel leakage pushes the success rate to above 99 % for frequently used generic caches. SLUBStick then exploits code patterns prevalent in the Linux kernel to convert a limited heap vulnerability into a page table manipulation, thereby granting the capability to read and write memory arbitrarily. We demonstrate the applicability of SLUBStick by systematically analyzing two Linux kernel versions, v5.19 and v6.2. Lastly, we evaluate SLUBStick with a synthetic vulnerability and 9 real-world CVEs, showcasing privilege escalation and container escape in the Linux kernel with state-of-the-art kernel defenses enabled.

AB - While the number of vulnerabilities in the Linux kernel has increased significantly in recent years, most have limited capabilities, such as corrupting a few bytes in restricted allocator caches. To elevate their capabilities, security researchers have proposed software cross-cache attacks, exploiting the memory reuse of the kernel allocator. However, such cross-cache attacks are impractical due to their low success rate of only 40 %, with failure scenarios often resulting in a system crash. In this paper, we present SLUBStick, a novel kernel exploitation technique elevating a limited heap vulnerability to an arbitrary memory read-and-write primitive. SLUBStick operates in multiple stages: Initially, it exploits a timing side channel of the allocator to perform a cross-cache attack reliably. Concretely, exploiting the side-channel leakage pushes the success rate to above 99 % for frequently used generic caches. SLUBStick then exploits code patterns prevalent in the Linux kernel to convert a limited heap vulnerability into a page table manipulation, thereby granting the capability to read and write memory arbitrarily. We demonstrate the applicability of SLUBStick by systematically analyzing two Linux kernel versions, v5.19 and v6.2. Lastly, we evaluate SLUBStick with a synthetic vulnerability and 9 real-world CVEs, showcasing privilege escalation and container escape in the Linux kernel with state-of-the-art kernel defenses enabled.

UR - https://www.scopus.com/pages/publications/85199287643

M3 - Conference paper

T3 - Proceedings of the 33rd USENIX Security Symposium

SP - 4051

EP - 4068

BT - Proceedings of the 33rd USENIX Security Symposium

PB - USENIX Association

CY - Philadelphia, PA

T2 - 33rd USENIX Security Symposium: USENIX Security 2024

Y2 - 14 August 2024 through 16 August 2024

ER -

SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel

Abstract

Publikationsreihe

Konferenz

ASJC Scopus subject areas

Zugriff auf Dokument

Andere Dateien und Links

Fingerprint

Projekte

Spezialforschungsbereich (SFB) F85 Semantische und kryptographische Grundlagen von Sicherheit und Datenschutz durch Compositional Design

AWARE - Hardware-gewährleistete Softwaresicherheit

SEIZE - Secure Edge-Geräte für industrielle Zero-Trust Umgebungen

Dieses zitieren