FromCollisionToExploitation:UnleashingUse-After-Free

VulnerabilitiesinLinuxKernelWenXu,Juanru Li,Junliang Shu,Wenbo Yang,

Tianyi Xie,Yuanyuan Zhang,Dawu GuGroupofSoftwareSecurityInProgressLabofCryptologyandComputerSecurity

ShanghaiJiaoTongUniversity

CCS2015 1GoSSIP@LoCCSShanghaiJiaoTongUniversity

Introduction

• Linuxkernelbecomesawelcomedtarget– Acompletecontrolofthesystem– Lessprotectionandmitigationschemes

• Exploitingkernelbugsisnon-trivial– Fewdocumentedtechniques– Unpredictablememorylayout

• Ourgoalistofindagenericwaytoexploitinguse-after-freebugsinLinuxkernel.

CCS2015 2

Use-after-freeinLinuxkernel

CCS2015 3

• Option2istofree anobjectwithoutcleaningthepointer– obj[index]isso-called“adanglingpointer”sinceitpointstoafreedspace

• Option3istouse anobjectwithoutcheckingwhetherthepointerisvalid– Here“use”representsinvokingafunctionpointerbeingstoredintheobject

Exploitinguse-after-freebugs

• Ourgoaltoisre-occupythevulnerablefreedobjectwithcontrollable data.– Thefree memoryistobereused,whichprovidesanopportunityforattackerstore-controlthefreedspace.

– Controllabledatacontributestounintendedcontrol-flowhijackingordatacorruptioninlaterusing.

CCS2015 4

Challenges• Stability:The“hole”shouldbere-occupiedbyour

candidates.– Hundredsofscheduledtasksallaffectkernelallocators.

• Separation:The“hole”shouldbere-occupiedbypropercandidates.– Differenttypesofkernelobjectscannotbestoredinthesame

memoryregionduetoSLAB/SLUB.• Data-control:The“hole”shouldbefilledwithmeaningful

content.– Thecontentofkernelobjectsareusuallynotfullycontrolledby

users.• Universality:Onestrategyregardlessoftypesofvulnerable

objects.

CCS2015 5

Insight:MemoryCollision

• Kernelrecyclesfreememoryforfutureuse.–Memorylimitation– Performancerequirement– Reductionoftheentropyofmemorylayout

• Memorycollisionattackstrategy– Tousepropercandidatesandletthembechosenbythekerneltooccupytherecentlyfreedspace• Infact,tocollidewiththefreed“hole”

– Probabilisticmodelwithhighsuccessrate

CCS2015 6

Overview

• Object-basedmemorycollisionattack– Candidate:kernelbuffersallocatedbykernelallocators

• Physmap-basedmemorycollisionattack– Candidate:physmap– Generic,stableandreliable

CCS2015 7

Overview

CCS2015 8

Object-basedAttack

• Intuitivestrategy– Tousekernelobjectsoverwritingkernelobjects

• KernelobjectsarestoredinvariouskindsofSLABcaches.– Differentcachesarefordifferentobjectswhichimpliesanaturalseparation.

– HowtoinsertanobjectoftypeAintothecachesstoringvulnerableobjectsoftypeB?

CCS2015 9

Object-basedAttack

CCS2015 10

Object-basedAttack#1CollisionsbetweenObjectsoftheSameSize

• Savior:NewlyadoptedSLUBallocators– Putobjectsofthesamesizeintoonecacheforperformancepromotion.

• Candidate:kmalloc()buffers– Usedbykerneltostoretemporarydatacommonly– Easytocreatebyusers:sendmmsg()• Controllablesize:Lengthofcontrolmessage• Controllablecontent:Dataofcontrolmessage• Allpassedfromuserspace

CCS2015 11

Object-basedAttack#1CollisionsbetweenObjectsoftheSameSize

CCS2015 12

• Noticethatthelengthofthemessagebuffershouldbethesameasthesizeofthevulnerableobject(512).

• Limitation:– kmalloc()allocatesspaceofaroundedsize like32,48,64,128,256,512,1024…

– Whatifthevulnerableobjecthasasizeof576?• 512<576<1024

Object-basedAttack#2CollisionsbetweenObjectsofDifferentSizes

• Ifalltheobjectsinacachearefreed,thewholespaceofthecacheisgoingtoberecycledbythekernel.– Isthespacedefinitely tobere-usedforacachestoringtheobjectsoftheoriginaltype?No.

– Kernelnevercaresaboutthehistoryoffreememory.Memoryisjustmemory.

– Chancesarethatthespaceisgoingtobeusedforanewcachestoringobjectsofadifferenttype.

CCS2015 13

Object-basedAttack#2CollisionsbetweenObjectsofDifferentSizes

• Theattackcoderemainstobethesame.– Nocareaboutthesizeofourmessagebuffer– Pickakmalloc()sizeyouprefer

• Discussions– Theoretically,collisionsalwayshappeneventually.– Practically,suchakindofblindstrategysuffersalowsuccessrate.

– Usuallyduetotheresourcelimitation,oneusercannotowntoomanykmalloc()buffersinthekernel.

CCS2015 14

Physmap-basedAttack

• Getridofrestrictionsprovidedbythekernelallocators.– Again,memoryisjustmemory.Thekernelneverclaimsthatthememoryonceforkernelobjectsisalwaysforkernelobjects.

–Wechooseacandidateknownasphysmap toachieveagenericandstableattackagainstuse-after-freevulnerabilitiesinLinuxkernel.

CCS2015 15

Physmap-basedAttack

CCS2015 16

Physmap, thedirect-mappedmemory,ismemoryinthekernelspacewhichwoulddirectlymapthememoryintheuserspaceintothekernelspace.

Physmap-basedAttack

• AnEXCELLENTchoice– Easycreation:iterativelymmap()intheuserspace– Data-control:fullycontrolledbyattackersforsure– Largesize:

• Physmap filledwithourcraftedpayloadgrowsinthekernelbyoccupyingfreekernelspace.

CCS2015 17Table[1]fromret2dir:RethinkingKernelIsolation(USENIX14’)

Physmap-basedAttack

CCS2015 18

• Anintuitivestrategyistocreatealargeamountofvulnerableobjectsandfreeallofthem,thendothekernelsprayingbyphysmapandhopethecollisionhappens.

• Amorereliableapproach?

Physmap-basedAttack• Wesprayvulnerableobjectsingroups,foreachgroup:– ConsideringNobjectsasvulnerableones,wewilllatertriggertheUAFvulnerabilityonthem.

– ConsideringM(M>>N)objectsaspaddingones,wewilljustreleasetheminanormalway.

• Result:• (1)Largepiecesoffreedmemoryiswaitingforphysmap withpayloadtooccupy.

• (2)Wehavevulnerablefreedobjectsscatteralloverthekernelspace.

• Thesesharplyincreasethereliabilityofsuchaprobabilisticattack.

CCS2015 19

Physmap-basedAttack

CCS2015 20

• Inpractical,wediscoverthatuserscangetcertaindatainsidemanykernelobjectsbyspecificsyscalls.

• Thatcouldhelptoinformattackersthatthecollisionshavealreadyhappenedandthesprayingshouldbestopped.– Further increasethereliability

SecurityEffectiveness• Physmap-basedattacktotallyavoidstheseparation

providedbythekernelallocatorsandachievesoverwriting.• Physmap originatesfrommmap()areainuserspace,thusit

isfullyunderthecontrolofattackers.• Physmap iseffectiveregardlessofwhattypeandsizeofthe

vulnerableobjectwhichhasause-after-freevulnerability.• Certainsprayingtricksandpotentialapproachestoleaking

informationhelpstoincreasetheprobabilitythatmemorycollisionshappen.

• Physmap-basedattackleveragestheinherentworkingmechanismofthekernel,whichcannotbemitigatedeasily.

CCS2015 21

Evaluation

CCS2015 22

• Hereistheperformanceofalltheseattackstargetingonthecustomvulnerablekernelmodule.

• Infact,theattackperformsworseon64bitLinuxplatform.Andalsobothphysmap-basedattackandobject-basedattack#1haveahighsuccessrate.

Evaluation

CCS2015 23

• WeachieveareliableuniversalrootsolutionondiverseAndroiddevicesbyleverageCVE-2015-3636,atypicaluse-after-freevulnerabilitiesinLinuxkernelcreditedtotheauthorbasedonphysmap-basedattack.

• Thatimpliesourattackisappliedbothonx86/x86_64andARMarchitectures.

Conclusion

• Weproposeanoval attacktechniquestounleashuse-after-freevulnerabilitiesinLinuxkernelwhichfeaturesreliabilityanduniversality.

• Countermeasures– Toimposerestrictionsonavailablememoryresourcesofaparticularuser.

– Tomakeisolationsamongmemoryofdifferentusages.

CCS2015 24

Thankyou!Q&A

CCS2015 25GoSSIP@LoCCSShanghaiJiaoTongUniversity