A Heap of Trouble Exploiting the Linux Kernel SLOB Allocator

Similar documents
From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel

Operating Systems. 11. Memory Management Part 3 Kernel Memory Allocation. Paul Krzyzanowski Rutgers University Spring 2015

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

Kernel Memory Management

Memory Corruption 101 From Primitives to Exploit

Linux Kernel Futex Fun: Exploiting CVE Dougall Johnson

LINUX VULNERABILITIES, WINDOWS EXPLOITS Escalating Privileges with WSL. Saar Amar Recon brx 2018

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Advanced Programming & C++ Language

Heap Management portion of the store lives indefinitely until the program explicitly deletes it C++ and Java new Such objects are stored on a heap

The Art and Science of Memory Allocation

How safe is your link? Old school exploitation vs new mitigations

FILE SYSTEM IMPLEMENTATION. Sunu Wibirama

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

In Java we have the keyword null, which is the value of an uninitialized reference type

Lecture 1: Buffer Overflows

Exploiting USB/IP in Linux

Heapple Pie. The macos/ios default heap. Date 14/09/2018. At Sthack 2018 By Eloi Benoist-Vanderbeken

Singly linked lists in C.

Buffer overflow background

Optimizing Dynamic Memory Management

Project 4: Implementing Malloc Introduction & Problem statement

Dynamic Memory Management

Secure Coding Techniques

Buffer overflow prevention, and other attacks

Memory Management: The process by which memory is shared, allocated, and released. Not applicable to cache memory.

Segmentation. Multiple Segments. Lecture Notes Week 6

Lecture 07 Heap control data. Stephen Checkoway University of Illinois at Chicago

10.1. CS356 Unit 10. Memory Allocation & Heap Management

Limitations of the stack

CS61C : Machine Structures

CNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated

CPSC 421 Database Management Systems. Lecture 11: Storage and File Organization

A program execution is memory safe so long as memory access errors never occur:

Dynamic Memory Allocation. Zhaoguo Wang

Review! Lecture 5 C Memory Management !

CS61C : Machine Structures

CSE 509: Computer Security

My malloc: mylloc and mhysa. Johan Montelius HT2016

! What is main memory? ! What is static and dynamic allocation? ! What is segmentation? Maria Hybinette, UGA. High Address (0x7fffffff) !

Lecture 4 September Required reading materials for this class

Last Class: Deadlocks. Where we are in the course

WINDOWS 10 RS2/RS3 GDI DATA-ONLY EXPLOITATION TALES

Princeton University Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management

A new Mono GC. Paolo Molaro October 25, 2006

Heap Off by 1 Overflow Illustrated. Eric Conrad October 2007

CS 31: Intro to Systems Pointers and Memory. Kevin Webb Swarthmore College October 2, 2018

Recitation #12 Malloc Lab - Part 2. November 14th, 2017

Assignment 5. CS/ECE 354 Spring 2016 DUE: April 22nd (Friday) at 9 am

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge

Program Security and Vulnerabilities Class 2

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Recitation #11 Malloc Lab. November 7th, 2017

CS 318 Principles of Operating Systems

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Exploiting a Coalmine Abusing Complex Bugs in Webkit's RenderArena

Bypassing Browser Memory Protections

DieHarder: Securing the Heap

Toolbox Kernel Korner

KSMA: Breaking Android kernel isolation and Rooting with ARM MMU features. WANG, YONG a.k.a. Pandora Lab of Ali Security

Dynamic Memory Management! Goals of this Lecture!

Digital Forensics Lecture 02 PDF Structure

The Art and Science of Memory Alloca4on

Princeton University. Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management

The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel. Di Shen a.k.a. Retme Keen Lab of Tencent

Lab 1: Dynamic Memory: Heap Manager

CS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES

Operating Systems. File Systems. Thomas Ropars.

THREADS: (abstract CPUs)

Secure Software Programming and Vulnerability Analysis

memory management Vaibhav Bajpai

First order of Business

Secure Coding in C and C++ Dynamic Memory Management Lecture 5 Jan 29, 2013

ios Kernel Heap Armageddon

Attacking the XNU Kernel in El Capitan. Luca Todesco BlackHat EU 2015

Section Notes - Week 1 (9/17)

Lecture Notes on Memory Layout

CSE506: Operating Systems CSE 506: Operating Systems

Linux Security Summit Europe 2018

CS201: Lab #4 Writing a Dynamic Storage Allocator

2/9/18. Secure Coding. CYSE 411/AIT681 Secure Software Engineering. Agenda. Dynamic Memory Interface. Dynamic Memory Interface

DHCP is hard. Felix Wilhelm HITB Dubai 2018

CS 105 Malloc Lab: Writing a Dynamic Storage Allocator See Web page for due date

CSE506: Operating Systems CSE 506: Operating Systems

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

File System Case Studies. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

CS 161 Computer Security

Chapter 11: Storage and File Structure. Silberschatz, Korth and Sudarshan Updated by Bird and Tanin

Dynamic Memory Allocation

PROCESS VIRTUAL MEMORY. CS124 Operating Systems Winter , Lecture 18

CS 318 Principles of Operating Systems

Chapter 3 - Memory Management

File Systems: Allocation Issues, Naming, and Performance CS 111. Operating Systems Peter Reiher

Intrusion Detection and Malware Analysis

OPERATING SYSTEM. Chapter 9: Virtual Memory

CA341 - Comparative Programming Languages

Shared snapshots. 1 Abstract. 2 Introduction. Mikulas Patocka Red Hat Czech, s.r.o. Purkynova , Brno Czech Republic

Last week. Data on the stack is allocated automatically when we do a function call, and removed when we return

A.Arpaci-Dusseau. Mapping from logical address space to physical address space. CS 537:Operating Systems lecture12.fm.2

Transcription:

A Heap of Trouble Exploiting the Linux Kernel SLOB Allocator Dan Rosenberg 1

Who am I? Security consultant and vulnerability researcher at VSR in Boston App/net pentesting, code review, etc. Published some bugs Focus on Linux kernel Bad habit of rooting Android phones Research on kernel exploitation and mitigation 2

Agenda What is SLOB? How does SLOB work? Evaluating exploitability SLOB exploitation techniques Demo Conclusion 3

Intro to SLOB 4

What is SLOB? Linux kernel supports three heap allocators: SLAB, SLUB, and SLOB Service dynamic allocations for kernel Implement kmalloc() and kfree() interfaces Sits on top of page frame allocator 5

Where is SLOB Used? Primarily embedded systems (low memory footprint) Embedded Gentoo OpenEmbedded OpenWrt Commercial embedded devices Mobile? Not yet, maybe soon 6

Why is SLOB Interesting? Different allocation behavior and metadata from SLAB/SLUB No existing work on SLOB Who doesn't like crushing weak heaps? 7

Where Can I Use These Techniques? CVE-2009-1046: off-by-two heap overflow CVE-2010-2959: integer overflow leading to heap overflow in Controller Area Network (CAN) CVE-2010-3874: heap overflow on 64-bit platforms in Controller Area Network (CAN) Not exploitable on any allocator but SLOB :-) CVE-2011-0699: heap overflow in btrfs CVE-2012-0038: heap overflow in XFS 8

How Does SLOB Work? Three singly-linked lists of partially-full pages Less than 256 bytes Less than 1024 bytes Less than 4096 bytes Multiple sizes within same page slob_page struct Metadata at base of actual SLOB page Free units Pointer to first free chunk within page Linked list of free pages 9

Blocks Pages are broken into blocks (chunks) Size measured in SLOB_UNITS (2 bytes) Initially, each page is one big block Fragmented as necessary 10

SLOB Partially-Free Page Lists 11

Metadata Allocated blocks have 4-byte size header Free blocks have packed header If first two bytes are positive: First two bytes are size Second two bytes are index (in SLOB_UNITs) from base of page to next free block If first two bytes are negative: First two bytes are negative index to next free block Total size (including header) is assumed to be two SLOB_UNITs 12

Metadata Example 13

Allocation Choose appropriate linked list for size Walk list until page reporting enough room Not guaranteed, could be non-contiguous If no sufficiently free pages, allocate new page 14

Allocation Attempt allocation of size + 4 bytes (room for header) Walk free chunks checking sizes If exact fit, unlink If too big, fragment and unlink On failure, continue to next page Insert size metadata, return chunk Rotate linked list of pages Most recently used page is checked first 15

Freeing Freelist maintains address order Find freelist head for chunk (apply page mask to chunk address) Walk freelist until insertion point (address order) Adjust freelist metadata Prev->next => Chunk Chunk->size => size Chunk->next => Next 16

Evaluating Exploitability 17

Exploitability Criteria What makes a heap exploitable? Criteria would be useful in evaluating heaps besides SLOB Can compare different heap implementations 18

Allocation behavior To what degree can attackers predict and control locality of allocations and frees? 19

Allocation Behavior in SLOB No randomness in allocations Once a fresh page is allocated, all allocations are guaranteed to be consecutive within page Objects are freed predictably Inserted into list in address order 20

Object Co-Residency Do multiple types of objects exist in the same memory region? 21

Object Co-Residency in SLOB Unlike SLAB/SLUB, all objects share same cache Size is only factor in determining where to allocate Unlike SLUB, no per-cpu caches 22

Object Metadata Do free or allocated objects contain inline metadata that can be exploited? 23

Object Metadata in SLOB SLAB/SLUB have minimal inline metadata (next free pointer), but SLOB has: Allocated chunk size field Free chunk size field Free chunk list index field 24

Exploitation Mitigation Are any hardening measures in place to deter exploitation of heap vulnerabilities? 25

Exploitation Mitigation in SLOB 26

Heap Comparison SLOB SLUB Windows 8 Allocation Behavior Object Co- Residency Object Metadata Exploitation Mitigation Exploit Difficulty Easy Moderate Difficult 27

Pre-Exploitation 28

Goals of Pre-Exploitation Cause heap to be in state conducive to exploitation Requires knowledge of allocation behavior Usually requires knowledge of specific allocation primitives Can trigger allocation and/or freeing of objects of specific sizes 29

Pre-Exploitation on SLOB In classic heap overflow, goal is usually adjacent blocks In SLOB, once fresh page is used, allocations will be contiguous (for the short term) Basic approach: Find allocation primitive for appropriate list size Trigger enough allocations to cause fresh page Trigger allocations and frees to cause vulnerable object to be placed appropriately 30

How Much Should I Allocate? No /proc/slabinfo on SLOB Have to make a reasonable guess Depends on system uptime and load No real penalty for allocating too much Experimentally, a few hundred allocations is plenty 31

Pre-Exploitation on SLOB Rotation of partially-free page list is helpful Can fill partially free pages with larger objects Subsequent smaller allocations will be in fresh page, even though they might have fit in other partially full pages 32

Exploitation 33

Assumptions We have some heap overflow vulnerability Can write data past the end of a heap chunk into the next chunk Degree of control over length and contents will vary Can find appropriate allocation primitives Structures with function pointers, etc. 34

Arbitrary Overflow Full control over size of overflow and contents 35

Object Data Overwrite Fill partial pages and cause allocation of fresh page We'll assume this from now on... Position target chunk after vulnerable chunk Trigger overflow Trigger function pointer call/write to pointer 36

Object Data Overflow Cleanup Unlike SLUB/SLAB, allocated chunks have 4-byte size header Need to restore to avoid unwanted corruption If new size is less than old size, do nothing No freelist corruption, shrinking causes no harm Otherwise, cleanup after gaining control If function pointer call, base of chunk is almost guaranteed to be in a register 37

Off-by-Small Overflow Some control over contents of three to four byte overflow 38

Free Pointer Overwrite Overview Modification of technique by sgrakkyu and twiz Basic approach: corrupt freelist to trigger chunk reuse If we can trigger allocation of a useful target block on top of data we control (or vice versa) we can win Need to corrupt next free pointer in adjacent free block Remember: it's a two-byte index, not a pointer 39

Free Pointer Overwrite #1 Do the pre-exploitation dance Fill fresh page with target chunks Trigger overflow into free chunk, overwriting 3-4 bytes (size and one or two bytes of next free pointer) Trigger allocation of controlled chunk on top of some target block Win 40

Free Pointer Overwrite #1 slob_page fptrs fptrs vuln target (free) (free) slob_page fptrs fptrs overflow target (free) (free) slob_page fptrs fptrs overflow (alloc) (free) (free) slob_page fptrs fptrs overflow (alloc) (free) (free) 41

Free Pointer Overwrite Cleanup Freelist has been corrupted Subsequent allocations may panic the kernel Easiest option is to terminate the freelist early (thanks Nico) so corrupted free chunks never get traversed Chunk is considered final when its next-free index returns a next chunk that is page aligned Overwrite a free chunk's next pointer with NULL or any multiple of 0x800 to terminate the list 42

Off-by-Smaller Overflow Some control over contents of one to two byte overflow 43

Free Pointer Overwrite #2 Same as other free pointer overwrite, except: Take advantage of special case Negative value in first two bytes of free chunk is interpreted as negative index, not size Allows exploitation of controlled off-by-two overflow (need both bytes to overwrite with negative two-byte value) Remember to clean up the freelist 44

Off-by-One Overflow Some control over contents of one byte overflow 45

Chunk Growth Attack Overwrite size field on adjacent free or allocated chunk to grow that chunk Shrinking does nothing useful no freelist corruption, so just causes wastage of memory If overflow into allocated block, cause that block to be freed Trigger allocation of chunk with size equal to grown size with data you control Second portion of this chunk will overlap with target chunk, allowing exploitation 46

Chunk Growth Attack slob_page (alloc) vuln target fptrs (free) slob_page (alloc) overflow target fptrs (free) slob_page (alloc) overflow target fptrs (free) 47

Off-by-One NULL Byte Overflow Well, this sucks. 48

What Are Our Options? Allocated chunk size header NULL byte means we can only shrink, not useful Free chunk size header Same as above What was that special case again? 49

Special Case If first two bytes are negative: Size is assumed to be one SLOB_UNIT (2 bytes) First two bytes are negative index to next free block Great, overwriting LSB of free index could be a win Trigger allocation on top of existing chunk All we need to do is cause a 2-byte block to be allocated! But... 50

:-( mm/slob.c: void * kmalloc_node(size_t size, gfp_t gfp, int node) {... int align = max(arch_kmalloc_minalign, ARCH_SLAB_MINALIGN);... m = slob_alloc(size + align, gfp, align, node);... } include/linux/slab.h: #define ARCH_SLAB_MINALIGN alignof (unsigned long long) 51

What Does This Mean? The only piece of metadata we can possibly exploit can't exist in any chunks we can allocate :-( Is all hope lost? Hint: no. Remember how SLOB works: chunks of varying sizes exist in the same cache 52

Fragmentation to the Rescue! Same old pre-exploitation phase, fill new page with targets Trigger allocation and freeing of block four bytes larger than size of vulnerable block Trigger allocation of vulnerable block SLOB will fragment previous block into vulnerable block and four-byte special chunk Trigger overflow, continue as if free pointer overwrite 53

Fragmentation Attack: Phase 1 slob_page (alloc) (free) slob_page (alloc) dummy (alloc) (free) fptrs fptrs slob_page (alloc) (free) (alloc) (free) fptrs fptrs slob_page (alloc) vuln (alloc) (free) fptrs fptrs 54

Fragmentation Attack: Phase 2 slob_page (alloc) vuln (alloc) (free) fptrs fptrs slob_page (alloc) overflow (alloc) (free) fptrs fptrs slob_page (alloc) overflow (alloc) (free) fptrs fptrs 55

Demo 56

Setting up a Test Environment Wrote LKM playground Creates device file Can trigger heap primitives via ioctl Allocate, free, overflow, function pointer call, etc. Develop techniques with theoretical primitives Replace with real examples later 57

Chunk Growth Attack Demo 58

Conclusion SLOB's design allows easy exploitation SLOB has virtually no hardening Basic freelist validation would be simple Next chunk is after current chunk Next chunk is before end of page See KERNHEAP for ideas 59

Future Work Harden the SLOB allocator? I'm not going to do this Automated finding of heap primitives I don't know anything about static analysis Need to trace code paths, enumerate all heap activity, and determine which chunks remain allocated persistently Jon Oberheide's kstructhunter is a start 60

Thanks To... twiz Tarjei Mandt Nico Waisman 61

Questions? E-mail: drosenberg@vsecurity.com Twitter: @djrbliss Company: http://www.vsecurity.com Personal: http://www.vulnfactory.org 62

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback