Abstract
The Linux kernel Berkeley Packet Filter (BPF) and its Just-In-Time (JIT) compiler are actively used in various pieces of networking equipment where filtering speed is especially important. In 2012, the Linux BPF/JIT compiler was shown to be vulnerable to a JIT spray attack; fixes were quickly merged into the Linux kernel in order to stop the attack. In this paper we show two modifications of the original attack which still succeed on a modern 4.4 Linux kernel, and demonstrate that JIT spray is still a major problem for the Linux BPF/JIT compiler. This work helped to make the case for further and proper countermeasures to the attack, which have then been merged into the 4.7 Linux kernel.
Acknowledgments
The authors would like to thank Daniel Borkmann for his helpful discussions about BPF/JIT, and his readiness and enthusiasm to make it more secure.
© 2017 Springer International Publishing AG
Reshetova, E., Bonazzi, F., Asokan, N. (2017). Randomization Can't Stop BPF JIT Spray. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds) Network and System Security. NSS 2017. Lecture Notes in Computer Science, vol. 10394. Springer, Cham. https://doi.org/10.1007/978-3-319-64701-2_17
DOI: https://doi.org/10.1007/978-3-319-64701-2_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-64700-5
Online ISBN: 978-3-319-64701-2