exploiting uses of uninitialized stack variables in linux
play

Exploiting Uses of Uninitialized Stack Variables in Linux Kernels - PowerPoint PPT Presentation

Apr 10, 2024 •443 likes •806 views

Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers Haehyun Cho , Jinbum Park, Joonwon Kang, Tiffany Bao Ruoyu Wang, Yan Shoshitaishvili, Adam Doup, Gail-Joon Ahn Uninitialized variables in the stack

  1. Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers Haehyun Cho , Jinbum Park, Joonwon Kang, Tiffany Bao Ruoyu Wang, Yan Shoshitaishvili, Adam Doupé, Gail-Joon Ahn

  2. Uninitialized variables in the stack Kernel Stack SP Base void func () { int num ; int ret ; … } Base – 8n 2

  3. Uninitialized variables in the stack Kernel Stack Base 0x 1111 2222 3333 4444 void func () { SP 0x aaaa bbbb cccc dddd int num ; … … … … int ret ; … } Base – 8n 3

  4. Uninitialized variables in the stack Kernel Stack Base 0x 0000 0000 0000 0000 void func () { 0x 0000 0000 0000 0000 int num = 0 ; 0x 0000 0000 0000 0000 int ret = 0 ; 0x 0000 0000 0000 0000 struct data_struct = {0,} ; … 0x 0000 0000 0000 0000 } 0x dead beef 0000 0000 0x 0000 0000 0000 0000 0x 0000 0000 0000 0000 0x 0000 0000 0000 0000 SP Base – 8n 4

  5. Unexpected information leaks Kernel Stack Base 0x 0000 0000 0000 0000 void func () { 0x 0000 0000 0000 0000 int num = 0 ; 0x 0000 0000 0000 0000 int ret = 0 ; 0x 0000 0000 0000 0000 struct data_struct = {0,} ; … 0x 0000 0000 0000 0000 } 0x dead beef 0000 0000 0x 0000 0000 0000 0000 • If uninitialized data can be copied to 0x 0000 0000 0000 0000 the user-space… 0x 0000 0000 0000 0000 SP Base – 8n 5

  6. Real-world example (CVE-2016-4486) /* file: net/core/rtnetlink.c */ static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev) { //all fields in the map object are initialized struct rtnl_link_ifmap map = { .mem_start = dev->mem_start, .mem_end = dev->mem_end, .base_addr = dev->base_addr, .irq = dev->irq, .dma = dev->dma, .port = dev->if_port, }; //kernel data leak to the user-space if(nla_put(skb, IFLA_MAP, sizeof(map), &map)) return -EMSGSIZE; return 0; } 6

  7. Real-world example (CVE-2016-4486) /* file: net/core/rtnetlink.c */ static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev) { //all fields in the map object are initialized struct rtnl_link_ifmap map = { .mem_start = dev->mem_start, .mem_end = dev->mem_end, + 4 padding bytes .base_addr = dev->base_addr, .irq = dev->irq, .dma = dev->dma, .port = dev->if_port, }; //kernel data leak to the user-space if(nla_put(skb, IFLA_MAP, sizeof(map), &map)) return -EMSGSIZE; return 0; } 7

  8. Basic security principle of the OS kernels • Applications are not allowed to Applications access the kernel memory X X Kernel • Restricted Kernel data must not leave the kernel memory 8

  9. Information leaks are not rare In Linux kernel, • Information leak vulnerabilities are the most prevalent type [1] . • Kernel Memory Sanitizer (KMSAN) discovered more than a hundred uninitialized data use bugs [2] . [1] Haogang Chen, Yandong Mao, Xi Wang, Dong Zhou, Nickolai Zeldovich, and M Frans Kaashoek. Linux kernel vulnerabilities: State-of-the-art defenses and open problems. In Proceedings of the 2nd Asia-Pacific Work- shop on Systems (APSys), Shanghai, China, July 2011. [2] KernelMemorySanitizer, a detector of uses of uninitialized memory in the Linux kernel. https://github.com/google/kmsan. [3] Kangjie Lu, Marie-Therese Walter, David Pfaff, Ste- fan Nümberger, Wenke Lee, and Michael Backes. Un- leashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying. In Proceedings of the 2017 Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, February–March 2017. 9

  10. Information leaks are not rare In Linux kernel, • Information leak vulnerabilities are the most prevalent type [1] . • Kernel Memory Sanitizer (KMSAN) discovered more than a hundred uninitialized data use bugs [2] . However, these vulnerabilities are commonly believed to be of low risks [3] . à not assigned any CVE entries and not patched in some cases [1] Haogang Chen, Yandong Mao, Xi Wang, Dong Zhou, Nickolai Zeldovich, and M Frans Kaashoek. Linux kernel vulnerabilities: State-of-the-art defenses and open problems. In Proceedings of the 2nd Asia-Pacific Work- shop on Systems (APSys), Shanghai, China, July 2011. [2] KernelMemorySanitizer, a detector of uses of uninitialized memory in the Linux kernel. https://github.com/google/kmsan. [3] Kangjie Lu, Marie-Therese Walter, David Pfaff, Ste- fan Nümberger, Wenke Lee, and Michael Backes. Un- leashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying. In Proceedings of the 2017 Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, February–March 2017. 10

  11. Survey result on information leak CVEs The number of information leak CVEs related to uses of uninitialized data between 2010 and 2019. Total Stack-base Heap-base # of exploits # of CVEs 87 76 11 0 • The majority of these CVES are stack-based information leaks. • 0 public exploit and 0 proof-of-vulnerability (PoV) • Even with a PoV, it is difficult to evaluate the exploitability • Only once CVE (CVE-2017-1000410) mentions that “Potential of leaking kernel pointers and bypassing KASLR” 11

  12. Our Goal • Reveal the actual exploitability and severity of information leak bugs • Converts stack-based information leaks in Linux kernels into vulnerabilities that leak kernel pointer values. • We focus on leaking pointer values that are pointing to (1) kernel functions or (2) the kernel stack. 12

  13. Challenges in Exploitation Kernel Stack • Computing the offset to uninitialized Base 0x ???? ???? ???? ???? data from the kernel stack base. 0x ???? ???? ???? ???? 0x ???? ???? ???? ???? 0x ???? ???? ???? ???? 0x ???? ???? ???? ???? 0x dead beef ???? ???? 0x ???? ???? ???? ???? 0x ???? ???? ???? ???? 0x ???? ???? ???? ???? Base – 8n 13

  14. Challenges in Exploitation Kernel Stack • Computing the offset to uninitialized Base 0x ???? ???? ???? ???? data from the kernel stack base. 0x ???? ???? ???? ???? 0x ???? ???? ???? ???? • Storing kernel pointer values at a leak 0x ???? ???? ???? ???? offset. 0x ???? ???? ???? ???? 0x ffff ff04 ???? ???? 0x ???? ???? ???? ???? 0x ???? ???? ???? ???? 0x ???? ???? ???? ???? Base – 8n 14

  15. Challenges in Exploitation Kernel Stack • Computing the offset to uninitialized Base 0x ???? ???? ???? ???? data from the kernel stack base. 0x ???? ???? ???? ???? 0x ???? ???? ???? ???? • Storing kernel pointer values at a leak 0x ???? ???? ???? ???? offset. 0x ???? ???? ???? ???? 0x ffff ff04 ???? ???? 0x ???? ???? ???? ???? • Handling data leaks that are less than 0x ???? ???? ???? ???? 8 bytes. 0x ???? ???? ???? ???? Base – 8n 15

  16. Our Approach Analysis Exploitability PoVs and exploits 16

  17. Computing the Leak Offset Kernel Stack Stack footprinting Base 0x 0101 0101 0101 0101 1. Fill the kernel stack 0x 0202 0202 0202 0202 0x 0303 0303 0303 0303 0x 0404 0404 0404 0404 0x 0505 0505 0505 0505 0x 0606 0606 0606 0606 0x 0707 0707 0707 0707 0x 0808 0808 0808 0808 0x 0909 0909 0909 0909 0x 0a0a 0a0a 0a0a 0a0a … … … … Base – 8n 17

  18. Computing the Leak Offset Kernel Stack Stack footprinting Base 0x ???? ???? ???? ???? 1. Fill the kernel stack 0x ???? ???? ???? ???? 2. Trigger a vulnerability 0x ???? ???? ???? ???? 0x 0404 0404 ???? ???? 3. Check the footprint 0x ???? ???? ???? ???? 0x 0404 0404 ???? ???? 0x ???? ???? ???? ???? 0x ???? ???? ???? ???? 0x ???? ???? ???? ???? 0x ???? ???? ???? ???? 0x ???? ???? ???? ???? … … … … Base – 8n 18

  19. Computing the Leak Offset Kernel Stack Stack footprinting Base 0x ???? ???? ???? ???? 1. Fill the kernel stack 0x ???? ???? ???? ???? 2. Trigger a vulnerability 0x ???? ???? ???? ???? 0x 0404 0404 ???? ???? 3. Check the footprint 0x ???? ???? ???? ???? 0x 0404 0404 ???? ???? 0x ???? ???? ???? ???? 0x ???? ???? ???? ???? 4. Compute the offset 0x ???? ???? ???? ???? à Leak offset = Base - 24 0x ???? ???? ???? ???? 0x ???? ???? ???? ???? … … … … Base – 8n 19

  20. Extensive Syscall Testing with the LTP • Linux Test Project (LTP) provides concrete test cases for system calls. • Three additional steps onto each syscall test case 1. Spraying the kernel stack with a magic value 2. Finding kernel pointer values stored in the stack 3. Recording context information 20

  21. Syscall Testing with the LTP Kernel Stack 1. Fill the kernel stack Base 0x 1122 3344 5566 7788 0x 1122 3344 5566 7788 0x 1122 3344 5566 7788 0x 1122 3344 5566 7788 0x 1122 3344 5566 7788 0x 1122 3344 5566 7788 0x 1122 3344 5566 7788 0x 1122 3344 5566 7788 0x 1122 3344 5566 7788 0x 1122 3344 5566 7788 … … … … Base – 8n 21

  22. Syscall Testing with the LTP Kernel Stack 1. Fill the kernel stack Base 0x ???? ???? ???? ???? 2. Execute a syscall using a testcase 0x ???? ???? ???? ???? 3. Inspect the kernel stack 0x ???? ???? ???? ???? Kernel pointer to a kernel function 0x ???? ???? ???? ???? 0x ???? ???? ???? ???? 0x ???? ???? ???? ???? 0x ???? ???? ???? ???? 0x ???? ???? ???? ???? Kernel pointer to the kernel stack 0x ???? ???? ???? ???? 0x ???? ???? ???? ???? … … … … Base – 8n 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Kernel Exploitation via Uninitialized Stack http://people.canonical.com/~kees/defcon19/ Kees

Kernel Exploitation via Uninitialized Stack http://people.canonical.com/~kees/defcon19/ Kees

Kernel Exploitation via Uninitialized Stack http://people.canonical.com/~kees/defcon19/ Kees Cook kees.cook@canonical.com www.canonical.com DefCon 19, August 2011 20 Minutes! introduction quick Linux kernel exploitation basics

549 views • 31 slides
Buffer Overflow Attacks IA32 Linux Stack Higher Addresses Virtual Address Space Heap Data

Buffer Overflow Attacks IA32 Linux Stack Higher Addresses Virtual Address Space Heap Data

Buffer Overflow Attacks IA32 Linux Stack Higher Addresses Virtual Address Space Heap Data Text Lower Addresses Stack and Base Pointers Stack is made up of stack frames Stack frames contain: parameters, local variables, return

604 views • 45 slides
Example The runtime stack Where do variables live? The local variables of a method live def

Example The runtime stack Where do variables live? The local variables of a method live def

CS206 CS206 Example The runtime stack Where do variables live? The local variables of a method live def first(n: Int) { inside the methods activation record (also called stack frame). second(n) second(n * n) (But all objects are on the

42 views • 3 slides
Design and implementation of a DECT stack for Linux Patrick McHardy <kaber@trash.net>

Design and implementation of a DECT stack for Linux Patrick McHardy <kaber@trash.net>

Design and implementation of a DECT stack for Linux Patrick McHardy <kaber@trash.net> Linux Kongress 2010, Nrnberg http://dect.osmocom.org/ About This presentation will present a DECT stack for Linux, containing all components

1.31k views • 94 slides
Introduction to GPUs and to the Linux Graphics Stack Martin Peres CC By-SA 3.0 Nouveau

Introduction to GPUs and to the Linux Graphics Stack Martin Peres CC By-SA 3.0 Nouveau

I - Hardware : Anatomy of a GPU II - Host : The Linux graphics stack Attributions Introduction to GPUs and to the Linux Graphics Stack Martin Peres CC By-SA 3.0 Nouveau developer Ph.D. student at LaBRI November 26, 2012 1 / 36 I -

1.01k views • 36 slides
Native IP Stack For Zephyr OS Zephyr is a trademark of the Linux Foundation. *Other names and

Native IP Stack For Zephyr OS Zephyr is a trademark of the Linux Foundation. *Other names and

Native IP Stack For Zephyr OS Zephyr is a trademark of the Linux Foundation. *Other names and brands may be claimed as the property of others. Why a native IP stack? Features missing in current Contiki based uIP stack No dual IPv6 &

225 views • 11 slides
Memory Management Stack: Data on stack (local variables on activation records) have lifetime that

Memory Management Stack: Data on stack (local variables on activation records) have lifetime that

Overview Memory Management Stack: Data on stack (local variables on activation records) have lifetime that coincides with the life of a procedure call. Memory for stack data is allocated on entry to procedures . . . . . . and de-allocated on

341 views • 8 slides
Bufferbloat mitigation in the Linux WiFi stack status and ongoing work Toke

Bufferbloat mitigation in the Linux WiFi stack status and ongoing work Toke

Bufferbloat mitigation in the Linux WiFi stack status and ongoing work Toke Hiland-Jrgensen LLC 2019 Lund, Sweden, May 2019 1 Outline Background: Bufferbloat mitigation in Linux Fixing bloat in the WiFi stack Airtime

637 views • 29 slides
An Updated Overview of the QEMU Storage Stack Stefan Hajnoczi stefanha@linux.vnet.ibm.com

An Updated Overview of the QEMU Storage Stack Stefan Hajnoczi stefanha@linux.vnet.ibm.com

An Updated Overview of the QEMU Storage Stack Stefan Hajnoczi stefanha@linux.vnet.ibm.com Open Virtualization IBM Linux Technology Center 2011 Linux is a registered trademark of Linus Torvalds. The topic What is the QEMU storage

408 views • 26 slides
64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my

64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my

Techorganic About PGP Disclaimer Vulnerabilities Musings from the brainpan 64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my 64-bit Linux Stack Smashing tutorial. In part 1 we exploited a 64- bit

451 views • 9 slides
Latest evolution of Linux IO stack, explained for database people Ilya Kosmodemiansky

Latest evolution of Linux IO stack, explained for database people Ilya Kosmodemiansky

Latest evolution of Linux IO stack, explained for database people Ilya Kosmodemiansky (ik@dataegret.com) Why this talk 2 Linux is a most common OS for databases Fast IO is essential for many workloads DBAs often run into IO problems

875 views • 25 slides
Linux Kernel Futex Fun: Exploiting CVE-2014-3153 Dougall Johnson Overview Futex system call

Linux Kernel Futex Fun: Exploiting CVE-2014-3153 Dougall Johnson Overview Futex system call

Linux Kernel Futex Fun: Exploiting CVE-2014-3153 Dougall Johnson Overview Futex system call Kernel implementation CVE-2014-3153 My approach to exploiting it Futexes Fast user-space mutexes 32-bit integer in shared

959 views • 42 slides
Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016

Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016

Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016 Who am I? Security researcher @ SpiderLabs Exploit dev / bug hunting / reverse engineering Agenda 1. Counter overflows in the kernel

1.02k views • 70 slides
Exploiting On-Chip Memories In Linux Applications Will Newton, Imagination Technologies What's

Exploiting On-Chip Memories In Linux Applications Will Newton, Imagination Technologies What's

Exploiting On-Chip Memories In Linux Applications Will Newton, Imagination Technologies What's wrong with SDRAM? 70 60 50 Cycles 40 30 20 10 0 L1 Cache Hit L1 Cache Miss 64 cycles is optimistic RAM clock often slower than core SoC

226 views • 20 slides
NFC AND THE VEHICLE. TESTING THE LINUX NFC STACK. BMW Car IT GmbH NEARD FIELD COMMUNICATION.

NFC AND THE VEHICLE. TESTING THE LINUX NFC STACK. BMW Car IT GmbH NEARD FIELD COMMUNICATION.

Timo Mller NFC AND THE VEHICLE. TESTING THE LINUX NFC STACK. BMW Car IT GmbH NEARD FIELD COMMUNICATION. WHAT IS IT? Easy connections, quick transactions, and simple data sharing. NFC-Forum.org Fast connection setup Contactless

252 views • 21 slides
A deeper look into GPUs and the Linux Graphics Stack Martin Peres CC By-SA 3.0 Nouveau

A deeper look into GPUs and the Linux Graphics Stack Martin Peres CC By-SA 3.0 Nouveau

I - GPU & Hardware II - Host: summary DRM Mesa X11 and the XServer Wayland Attributions A deeper look into GPUs and the Linux Graphics Stack Martin Peres CC By-SA 3.0 Nouveau developer Ph.D. student at LaBRI November 26, 2012 1 /

881 views • 75 slides
Lecture 15: Second-Order IIR Filters Mark Hasegawa-Johnson ECE 401: Signal and Image Analysis,

Lecture 15: Second-Order IIR Filters Mark Hasegawa-Johnson ECE 401: Signal and Image Analysis,

Review Second-Order Resonator Damped Bandwidth Speech Summary Lecture 15: Second-Order IIR Filters Mark Hasegawa-Johnson ECE 401: Signal and Image Analysis, Fall 2020 Review Second-Order Resonator Damped Bandwidth Speech Summary

579 views • 54 slides
Leveraging Indie Films in SoCal Focus on growing local partnerships Connect Indie Films

Leveraging Indie Films in SoCal Focus on growing local partnerships Connect Indie Films

Leveraging Indie Films in SoCal Focus on growing local partnerships Connect Indie Films to current station initiatives Provide unique engagement opportunities Position the station for securing additional funding Expand

220 views • 6 slides
Verified Cruise Control on RC Vehicle Shashank Ojha and Yufei Wang 1/17 Objective Implement a

Verified Cruise Control on RC Vehicle Shashank Ojha and Yufei Wang 1/17 Objective Implement a

Verified Cruise Control on RC Vehicle Shashank Ojha and Yufei Wang 1/17 Objective Implement a verified model (static POV system) on real hardware Fill the gap between theory & practice 2/17 Motivation Cruise Control system is

209 views • 17 slides
Do You See What I See? Effects of POV on Spatial Relation Specifications Nikhil Krishnaswamy and

Do You See What I See? Effects of POV on Spatial Relation Specifications Nikhil Krishnaswamy and

Introduction Framework VoxSim Experimentation References Do You See What I See? Effects of POV on Spatial Relation Specifications Nikhil Krishnaswamy and James Pustejovsky Brandeis University 30th International Workshop on Qualitative

658 views • 51 slides
Good evening, thank you for joining us! We will begin shortly. Centering the Experience of

Good evening, thank you for joining us! We will begin shortly. Centering the Experience of

Good evening, thank you for joining us! We will begin shortly. Centering the Experience of Black, Native, and Students of Color Through A Racial Equity Design Process Welcome! Housekeeping This meeting will be Please mute your Have a

734 views • 25 slides
Designing and Evaluating MPI-2 Dynamic Process Management Support for InfiniBand Tejus

Designing and Evaluating MPI-2 Dynamic Process Management Support for InfiniBand Tejus

Designing and Evaluating MPI-2 Dynamic Process Management Support for InfiniBand Tejus Gangadharappa, Matthew Koop and Dhabaleswar. K. (DK) Panda Computer Science & Engineering Department The Ohio State University Outline Motivation

305 views • 28 slides
p 0 topology reconstruction - update Dorota Stefan and Robert Sulej 35ton sim/reco meeting 1 p 0

p 0 topology reconstruction - update Dorota Stefan and Robert Sulej 35ton sim/reco meeting 1 p 0

p 0 topology reconstruction - update Dorota Stefan and Robert Sulej 35ton sim/reco meeting 1 p 0 reconstruction chain in 35t Hadronic interactions, cosmic muons: track reconstruction subtraction of hadron/muon hits at 3d level. Would

370 views • 12 slides
1 / 24 Theorem Let A be a commutative Q -algebra 1 / 24 Theorem Let A be a commutative Q

1 / 24 Theorem Let A be a commutative Q -algebra 1 / 24 Theorem Let A be a commutative Q

1 / 24 Theorem Let A be a commutative Q -algebra 1 / 24 Theorem Let A be a commutative Q -algebra, a , b A such that a 3 b + a = b 3 a + b = a 2 b 2 + 1 = 0 . 1 / 24 Theorem Let A be a commutative Q -algebra, a , b A such that a 3 b + a

1.77k views • 138 slides

More recommend