Randomization Can't Stop BPF JIT Spray

Presented at Black Hat Europe 2016, Nov. 4, 2016, noon (30 minutes)

Linux Berkeley Packet Filter (BPF) is a mechanism that was originally introduced in Linux kernel 2.5 as a way to perform fast line-speed filtering of network packets. In Linux kernel 3.0 a Just-In-Time (JIT) compiler was added, effectively transforming it into a general-purpose mechanism to safely support interpreted code injected into a Linux kernel. In fact, it has even been called the "universal in-kernel virtual machine" [1]. Nowadays BPF is no longer limited to packet filtering; it is also used in mechanisms such as seccomp [2], various tracepoints [3] and others, making it an attractive target for an attacker.

The original JIT-spray attack against the BPF JIT compiler was first described in 2012 [4], with a proof-of-concept implementation available [5]. It used the ability to pass the exploit payload as constants in BPF instructions and the fact that the filter address was relatively easy to guess given enough filters loaded in the kernel. After that, the upstream kernel merged patches that addressed the attack by randomizing the load offset of a filter. However, this didn't remove the actual problem (the possibility of providing a payload in BPF instructions) but only stopped the original proof-of-concept code from working. It was thought that this was a sufficient mitigation because the difficulty of guessing the correct load offset was very high.

This talk will present modified proof-of-concept code [6] that demonstrates the possibility of a successful BPF JIT-spray attack on the 4.4 upstream Linux kernel. The idea of the modification is to create filters long enough to span more than one memory page and to render the payload in such a way that random jumps to a page start, combined with a small offset search, are enough to guess the payload address.

The attack was first announced on the Linux kernel-hardening mailing list in March this year and received considerable attention in the grsecurity forum post [7] and on the LWN front page [8]. The kernel patches that address this attack were merged into the upstream kernel [9] and are expected to appear in 4.7.

Sources:

[1] https://lwn.net/Articles/599755/
[2] https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
[3] https://lwn.net/Articles/632686/
[4] http://mainisusuallyafunction.blogspot.fi/2012/11/attacking-hardened-linux-systems-with.html
[5] https://github.com/kmcallister/alameda
[6] https://github.com/01org/jit-spray-poc-for-ksp
[7] https://forums.grsecurity.net/viewtopic.php?t=4463&p=16260#p16260
[8] https://lwn.net/Articles/686098/
[9] http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4f3446bb809f20ad56cadf712e6006815ae7a8f9

Presenters:

  • N. Asokan - Professor, Aalto University and University of Helsinki
    Asokan is a professor of computer science at Aalto University and University of Helsinki. He leads the Secure Systems research group and is the lead academic PI for ICRI-SC in Finland.
  • Filippo Bonazzi - Research Assistant, Aalto University
    Filippo Bonazzi is a research assistant in the Secure Systems Group at Aalto University, working on various platform security projects. His past research includes work on SEAndroid, and he is currently interested in kernel hardening and embedded system security and privacy.
  • Elena Reshetova - Security Researcher & Architect, Intel OTC Finland
    Elena Reshetova is a Security Architect and researcher at the Intel Open Source Technology Center, working with various open source platform security projects across the whole Linux platform security community. Her current research area involves exploring various OS virtualization and hardening solutions and their applicability to mobile or embedded security use cases. Elena is also a doctoral student at the Aalto University Secure Systems Group and part of the Intel Collaborative Research Institute for Secure Computing (ICRI-SC).
