DOI: 10.1145/2810103.2813637

From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel

Published: 12 October 2015

Abstract

Since vulnerabilities in the Linux kernel are on the increase, attackers have turned their interest to related exploitation techniques. However, compared with the numerous studies on exploiting use-after-free vulnerabilities in user applications, few efforts have studied how to exploit use-after-free vulnerabilities in the Linux kernel, mainly because of the difficulties that come from the uncertainty of the kernel memory layout. Without a specific information leak, attackers can only conduct a blind memory-overwriting strategy that tries to corrupt a critical part of the kernel, for which the success rate is negligible.
In this work, we present a novel memory collision strategy to exploit use-after-free vulnerabilities in the Linux kernel reliably. The insight behind our exploit strategy is that a probabilistic memory collision can be constructed from the widely deployed kernel memory reuse mechanisms, which significantly increases the success rate of the attack. Based on this insight, we present two practical memory collision attacks: an object-based attack that leverages the memory recycling mechanism of the kernel allocator to cover the freed vulnerable object, and a physmap-based attack that takes advantage of the overlap between the physmap and the SLAB caches to achieve more flexible memory manipulation. Our proposed attacks are universal across various Linux kernels on different architectures and can successfully exploit systems with use-after-free vulnerabilities in the kernel. In particular, we achieve privilege escalation on various popular Android devices (kernel version >= 4.3), including those with 64-bit processors, by exploiting the CVE-2015-3636 use-after-free vulnerability in the Linux kernel. To our knowledge, this is the first generic kernel exploit for the latest version of Android. Finally, to defend against this kind of memory collision, we propose two corresponding mitigation schemes.


Published In

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, October 2015, 1750 pages. ISBN: 9781450338325. DOI: 10.1145/2810103.
Publisher: Association for Computing Machinery, New York, NY, United States.
Author Tags

1. linux kernel exploit
2. memory collision
3. use-after-free vulnerability