DOI: 10.1145/2810103.2813637
Research article, CCS conference proceedings

From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel

Published: 12 October 2015

Abstract

Vulnerabilities in the Linux kernel are on the increase, and attackers have turned their attention to the corresponding exploitation techniques. However, compared with the numerous studies on exploiting use-after-free vulnerabilities in user applications, few efforts have studied how to exploit use-after-free vulnerabilities in the Linux kernel, mainly because of the uncertainty of the kernel memory layout. Without a specific information leak, an attacker can only resort to blind memory overwriting in the hope of corrupting a critical part of the kernel, and the success rate of that strategy is negligible.
In this work, we present a novel memory collision strategy for exploiting use-after-free vulnerabilities in the Linux kernel reliably. The insight behind our strategy is that a probabilistic memory collision can be constructed on top of the kernel's widely deployed memory reuse mechanisms, which significantly increases the success rate of the attack. Based on this insight, we present two practical memory collision attacks: an object-based attack that leverages the memory recycling mechanism of the kernel allocator to cover the freed vulnerable object, and a physmap-based attack that takes advantage of the overlap between the physmap and the SLAB caches to achieve more flexible memory manipulation. The proposed attacks are universal across various Linux kernels of different architectures and can successfully exploit systems with use-after-free vulnerabilities in the kernel. In particular, we achieve privilege escalation on various popular Android devices (kernel version >= 4.3), including those with 64-bit processors, by exploiting the CVE-2015-3636 use-after-free vulnerability in the Linux kernel. To our knowledge, this is the first generic kernel exploit for the latest version of Android. Finally, to defend against this kind of memory collision, we propose two corresponding mitigation schemes.




    Published In

    CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
    October 2015
    1750 pages
    ISBN: 9781450338325
    DOI: 10.1145/2810103

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. linux kernel exploit
    2. memory collision
    3. use-after-free vulnerability

    Qualifiers

    • Research article

    Conference

    CCS '15

    Acceptance Rates

    • CCS '15 paper acceptance rate: 128 of 660 submissions (19%)
    • Overall acceptance rate: 1,261 of 6,999 submissions (18%)


    Article Metrics

    • Downloads (last 12 months): 107
    • Downloads (last 6 weeks): 11
    Reflects downloads up to 01 Sep 2024

    Cited By

    • The influence of job satisfaction on retention of primary healthcare professionals in Tamil Nadu. International Journal of Advanced and Applied Sciences 11(2): 238-247, Feb 2024. doi:10.21833/ijaas.2024.02.025
    • rOOM: A Rust-Based Linux Out of Memory Kernel Component. IEICE Transactions on Information and Systems E107.D(3): 245-256, 1 Mar 2024. doi:10.1587/transinf.2023MPP0001
    • Pythia: Compiler-Guided Defense Against Non-Control Data Attacks. Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 3, pp. 850-866, 27 Apr 2024. doi:10.1145/3620666.3651343
    • Efficiently Supporting Attribute-Based Access Control in Linux. IEEE Transactions on Dependable and Secure Computing 21(4): 2012-2026, Jul 2024. doi:10.1109/TDSC.2023.3299429
    • Towards Unveiling Exploitation Potential With Multiple Error Behaviors for Kernel Bugs. IEEE Transactions on Dependable and Secure Computing 21(1): 93-109, Jan 2024. doi:10.1109/TDSC.2023.3246170
    • DDRace. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 2849-2866, 9 Aug 2023. doi:10.5555/3620237.3620397
    • Fat Pointers for Temporal Memory Safety of C. Proceedings of the ACM on Programming Languages 7(OOPSLA1): 316-347, 6 Apr 2023. doi:10.1145/3586038
    • A survey of automatic exploitation of binary vulnerabilities. International Conference on Computer Network Security and Software Engineering (CNSSE 2023), article 58, 26 Jun 2023. doi:10.1117/12.2683413
    • A Formal Approach to Design and Security Verification of Operating Systems for Intelligent Transportation Systems Based on Object Model. IEEE Transactions on Intelligent Transportation Systems 24(12): 15459-15467, Dec 2023. doi:10.1109/TITS.2022.3224385
    • From Release to Rebirth: Exploiting Thanos Objects in Linux Kernel. IEEE Transactions on Information Forensics and Security 18: 533-548, 2023. doi:10.1109/TIFS.2022.3226906
