From Collision To Exploitation: Unleashing Use-After-Free...
From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel
Wen Xu, Juanru Li, Junliang Shu, Wenbo Yang, Tianyi Xie, Yuanyuan Zhang, Dawu Gu
Group of Software Security In Progress, Lab of Cryptology and Computer Security
Shanghai Jiao Tong University
CCS 2015 1 GoSSIP@LoCCS Shanghai Jiao Tong University
Introduction
• Linux kernel has become a welcome target
  – Complete control of the system
  – Fewer protection and mitigation schemes
• Exploiting kernel bugs is non-trivial
  – Few documented techniques
  – Unpredictable memory layout
• Our goal is to find a generic way to exploit use-after-free bugs in the Linux kernel.
Use-after-free in Linux kernel
• Option 2 is to free an object without cleaning the pointer
  – obj[index] is a so-called "dangling pointer" since it points to a freed space
• Option 3 is to use an object without checking whether the pointer is valid
  – Here "use" means invoking a function pointer stored in the object
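The two unsafe operations named on this slide, each beside a hardened form, as an added example that is not code from the slides or the paper; the object layout, the obj[] table and all function names are hypothetical:

```c
#include <stdlib.h>

typedef void (*handler_t)(void);
/* Hypothetical object layout: a function pointer that a "use" invokes. */
struct obj { handler_t fn; int id; };

#define MAX_OBJS 4
static struct obj *objs[MAX_OBJS];  /* the slides' obj[] table */
static int handler_calls;

static void handler(void) { handler_calls++; }
int calls_made(void) { return handler_calls; }
/* Allocate slot index; returns 1 on success, 0 on bad index or OOM. */
int alloc_obj(int index)
{
    if (index < 0 || index >= MAX_OBJS || objs[index] != NULL)
        return 0;
    objs[index] = malloc(sizeof(struct obj));
    if (objs[index] == NULL)
        return 0;
    objs[index]->fn = handler;
    objs[index]->id = index;
    return 1;
}

/* Option 2 on the slide: free without clearing the pointer, so
 * objs[index] dangles and a later use dereferences freed memory. */
void free_obj_unsafe(int index) { free(objs[index]); }

/* Hardened: clear the slot at free time so no dangling pointer survives. */
void free_obj_safe(int index)
{
    if (index < 0 || index >= MAX_OBJS) return;
    free(objs[index]);
    objs[index] = NULL;
}

/* Option 3 on the slide: invoke the stored function pointer with no check
 * (undefined behaviour once the object was freed by free_obj_unsafe). */
void use_obj_unsafe(int index) { objs[index]->fn(); }

/* Hardened: validate index and pointer first; 1 if the handler ran, 0 if rejected. */
int use_obj_safe(int index)
{
    if (index < 0 || index >= MAX_OBJS || objs[index] == NULL)
        return 0;
    objs[index]->fn();
    return 1;
}
```

The unsafe pair is kept only to show the pattern the slide describes; the hardened pair makes a use after free fail closed instead of calling through freed memory.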
Exploiting use-after-free bugs
• Our goal is to re-occupy the vulnerable freed object with controllable data.
  – The freed memory is going to be reused, which gives attackers an opportunity to re-control the freed space.
  – Controllable data leads to unintended control-flow hijacking or data corruption in the later use.
Challenges
• Stability: The "hole" should be re-occupied by our candidates.
  – Hundreds of scheduled tasks all affect the kernel allocators.
• Separation: The "hole" should be re-occupied by proper candidates.
  – Different types of kernel objects cannot be stored in the same memory region due to SLAB/SLUB.
• Data-control: The "hole" should be filled with meaningful content.
  – The content of kernel objects is usually not fully controlled by users.
• Universality: One strategy regardless of the types of vulnerable objects.
Insight: Memory Collision
• The kernel recycles free memory for future use.
  – Memory limitation
  – Performance requirement
  – Reduction of the entropy of the memory layout
• Memory collision attack strategy
  – Use proper candidates and let the kernel choose them to occupy the recently freed space
    • In fact, to collide with the freed "hole"
  – Probabilistic model with a high success rate
Overview
• Object-based memory collision attack
  – Candidate: kernel buffers allocated by kernel allocators
• Physmap-based memory collision attack
  – Candidate: physmap
  – Generic, stable and reliable
Object-based Attack
• Intuitive strategy
  – Use kernel objects to overwrite kernel objects
• Kernel objects are stored in various kinds of SLAB caches.
  – Different caches serve different objects, which implies a natural separation.
  – How to insert an object of type A into the cache storing vulnerable objects of type B?
Object-based Attack #1: Collisions between Objects of the Same Size
• Savior: the newly adopted SLUB allocator
  – Puts objects of the same size into one cache for better performance.
• Candidate: kmalloc() buffers
  – Commonly used by the kernel to store temporary data
  – Easy for users to create: sendmmsg()
    • Controllable size: length of the control message
    • Controllable content: data of the control message
    • All passed from user space
Object-based Attack #1: Collisions between Objects of the Same Size
• Notice that the length of the message buffer should be the same as the size of the vulnerable object (512).
• Limitation:
  – kmalloc() allocates space of a rounded size such as 32, 48, 64, 128, 256, 512, 1024…
  – What if the vulnerable object has a size of 576?
    • 512 < 576 < 1024
Object-based Attack #2: Collisions between Objects of Different Sizes
• If all the objects in a cache are freed, the whole space of the cache is going to be recycled by the kernel.
  – Is the space definitely going to be re-used for a cache storing objects of the original type? No.
  – The kernel never cares about the history of free memory. Memory is just memory.
  – Chances are that the space is going to be used for a new cache storing objects of a different type.
Object-based Attack #2: Collisions between Objects of Different Sizes
• The attack code remains the same.
  – The size of our message buffer no longer matters
  – Pick whichever kmalloc() size you prefer
• Discussion
  – Theoretically, collisions always happen eventually.
  – Practically, such a blind strategy suffers a low success rate.
  – Usually, due to resource limits, one user cannot own too many kmalloc() buffers in the kernel.
Physmap-based Attack
• Get rid of the restrictions imposed by the kernel allocators.
  – Again, memory is just memory. The kernel never claims that memory once used for kernel objects is always used for kernel objects.
  – We choose a candidate known as physmap to achieve a generic and stable attack against use-after-free vulnerabilities in the Linux kernel.
Physmap-based Attack
Physmap, the direct-mapped memory, is memory in the kernel space which directly maps the memory of the user space into the kernel space.
Physmap-based Attack
• An EXCELLENT choice
  – Easy creation: iteratively mmap() in the user space
  – Data-control: fully controlled by attackers for sure
  – Large size:
• Physmap filled with our crafted payload grows in the kernel by occupying free kernel space.
Table [1] from ret2dir: Rethinking Kernel Isolation (USENIX '14)
Physmap-based Attack
• An intuitive strategy is to create a large number of vulnerable objects and free all of them, then do the kernel spraying with physmap and hope the collision happens.
• A more reliable approach?
Physmap-based Attack
• We spray vulnerable objects in groups; for each group:
  – N objects are treated as vulnerable ones; we will later trigger the UAF vulnerability on them.
  – M (M >> N) objects are treated as padding ones; we will just release them in the normal way.
• Result:
  – (1) Large pieces of freed memory are waiting for physmap with payload to occupy.
  – (2) We have vulnerable freed objects scattered all over the kernel space.
• These sharply increase the reliability of such a probabilistic attack.
Physmap-based Attack
• In practice, we discover that users can read certain data inside many kernel objects through specific syscalls.
• That could inform attackers that the collisions have already happened and the spraying should be stopped.
  – Further increases the reliability
Security Effectiveness
• The physmap-based attack totally avoids the separation provided by the kernel allocators and achieves overwriting.
• Physmap originates from the mmap() area in user space, thus it is fully under the control of attackers.
• Physmap is effective regardless of the type and size of the vulnerable object which has a use-after-free vulnerability.
• Certain spraying tricks and potential approaches to leaking information help to increase the probability that memory collisions happen.
• The physmap-based attack leverages the inherent working mechanism of the kernel, which cannot be mitigated easily.
Evaluation
• Here is the performance of all these attacks targeting the custom vulnerable kernel module.
• In fact, the attack performs worse on the 64-bit Linux platform. Also, both the physmap-based attack and object-based attack #1 have a high success rate.
Evaluation
• We achieve a reliable universal root solution on diverse Android devices by leveraging CVE-2015-3636, a typical use-after-free vulnerability in the Linux kernel credited to the author, based on the physmap-based attack.
• That implies our attack applies to both x86/x86_64 and ARM architectures.
Conclusion
• We propose a novel attack technique to unleash use-after-free vulnerabilities in the Linux kernel which features reliability and universality.
• Countermeasures
  – Impose restrictions on the memory resources available to a particular user.
  – Isolate memory of different usages from each other.
Thank you! Q&A