Hands Off and Putting SLAB/SLUB Feng Shui in a Blackbox

Presented at Black Hat Europe 2019, Dec. 4, 2019, 3:40 p.m. (50 minutes).

Successful exploitation against a Linux kernel vulnerability requires the manipulation of memory layout. Over the past years, security researchers have already invented and summarized various memory layout manipulation mechanisms. However, it is still challenging for an attacker to use these manipulation mechanisms to perform exploitation in the real world. This is mainly because an adversary lacks the following knowledge -- (1) which system calls to use to allocate an object of interest and (2) how to systematically adjust system calls to obtain the desired memory layout.

In order to perform exploitation, an adversary needs to select memory layout manipulation approaches and then place the corresponding object. Take an out-of-bounds (OOB) vulnerability for example. In order to hijack the control flow, one should overwrite the critical data in the adjacent object. However, it is common that the adjacent object may not contain critical data such as function or object pointers. Therefore, the most common operation for an adversary is to allocate an appropriate object to the corresponding location prior to the trigger of that vulnerability. For this particular example, it should be an object with a pointer placed at the position adjacent to the vulnerable object. In addition, the adversary has to ensure the OOB vulnerability gives him the freedom to overwrite the data at the address corresponding to the target pointer.

In the Linux kernel, SLUB/SLAB allocator manages and groups data objects based on their types and sizes. Only the data objects sharing the same type and similar sizes could be placed in the same slab. As a result, when selecting appropriate objects for memory layout manipulation, an adversary has to take the vulnerable object into consideration and select only those objects that could be placed on the same slab.

According to our measurement, the Linux kernel has thousands of distinct data objects with various sizes and types. In order to allocate them to the slab, an adversary has to utilize corresponding system calls. Unfortunately, given a target object that could be potentially helpful for obtaining control over the program counter, it is generally difficult for the adversary to identify the corresponding system call to allocate that target object. Presumably as such, many vulnerabilities have not yet demonstrated their exploitability publicly. And, the lack of knowledge about system calls also leads adversaries to repeatedly employ the same data objects to perform exploitation. According to recent studies, this repeated data object usage facilitates security analysts to build intrusion signatures and thus ease their identification for the potential intrusion.

In fact, even if an adversary tracks down the system calls for a particular object, it is still difficult for him to obtain the desired memory layout. This is because, when allocating the target object, in addition to the object of interest, the system calls identified also allocate or deallocate other kernel objects, resulting in unexpected variation in memory layout. Take the aforementioned OOB case for example again. The OOB vulnerability provides an adversary with the ability to overwrite critical data in its neighbor object. Using a set of system calls, an adversary could allocate a victim object containing a function or object pointer on the target slab. However, along with the allocation of the victim object, the system calls at the first place might allocate irrelevant kernel objects, which makes the victim object turn out to be at an unexpected spot. When this situation occurs, adversaries typically look for alternative system calls or adjust memory layout in an ad-hoc manner. In practice, it is not guaranteed to find a memory layout through these two approaches. As a result, the side effect involved by system calls further reduces the number of system calls available and even jeopardizes the exploitability of that vulnerability.

In this talk, we will introduce a precise automated memory layout manipulation technique. We will demonstrate that using this manipulation technique, an attacker could not only easily identify the system calls tied to the objects of interest but, more importantly, automatically assemble system calls to adjust memory layout and thus obtain the desired memory layout useful for exploitation. Different from existing automated memory layout manipulation techniques, our technique does not use a large corpus of testing cases to search the memory layout desired. Rather, it first leverages a static analysis technique to identify all the system calls potentially helpful for object allocation and free. Then, it utilizes the system calls as prior knowledge to allocate and deallocate objects on the slab and thus obtain the memory layout useful for exploitation. In the process of memory layout manipulation, our technique is guided by an algorithm. Along with this talk, we will specify how we design this algorithm and showcase how it automates memory layout manipulation. Along with this talk, we will also release various working exploits against 30+ latest kernel vulnerabilities. These exploits are designed through our memory layout manipulation technique. For the ease of reviewers to assess of our talk, we have uploaded some exploits at https://www.dropbox.com/sh/2kwcwqb8rjro80j/AAC8QBCIhcCylNUDLUd1OZCZa?dl=0


Presenters:

  • Yueqi Chen - PhD Student, The Pennsylvania State University
    <p class="p1"><span class="s1" style="font-size: 10pt;" data-mce-style="font-size: 10pt;">Yueqi (Lewis) Chen received his B.Sc degree from Nanjing University in 2017 and is currently a PhD student with Dr. Xinyu Xing at Pennsylvania State University. His research focuses on OS security and vulnerability analysis. He is particularly interested in the exploitability assessment. Along this thread, he has published 5 papers in ACM CCS, USENIX Security, and IEEE/ACM ASE as leading author and co-authors over the past two years. His work has been applied in enterprise security risk early warning and awarded one of ten technical events of JD.com in 2018. Besides, he participated in DEF CON 26 CTF Final as a team member of r3kapig in 2018 and ranked 5th in NSA codebreaker 2017. More information can be found at <a href="https://protect-us.mimecast.com/s/YK72Co2vOqfr0vXvgc1HHiV?domain=personal.psu.edu" data-mce-href="https://protect-us.mimecast.com/s/YK72Co2vOqfr0vXvgc1HHiV?domain=personal.psu.edu"><span class="s2">http://www.personal.psu.edu/yxc431/</span></a>.</span></p>
  • Xinyu Xing - Assistant Professor, The Pennsylvania State University
    <p class="p1"><span class="s1" style="font-size: 10pt;" data-mce-style="font-size: 10pt;">Dr. Xinyu Xing is an Assistant Professor at Pennsylvania State University. In addition, he wears another hat as a research consultant at JD.com. His research interest includes exploring, designing and developing new techniques to automate vulnerability discovery, failure reproduction, vulnerability diagnosis (and triage), exploit and security patch generation. Recently, his research has been expanded to developing deep learning techniques to perform highly accurate binary and malware analysis. His past research has been featured by many mainstream media, such as Technology Review, New Scientists and NYTimes, etc. Going beyond academic research, he also helps organize CTF competitions. </span></p>
  • Jimmy Su - Senior director, JD SECURITY RESEARCH CENTER IN SILICON VALLEY
    Dr. Jimmy Su leads the JD security research center in Silicon Valley. He joined JD in January 2017. Before joining JD, he was the director of advanced threat research at FireEye Labs. He led the research and development of multiple world leading security products at FireEye, including network security, email security, mobile security, fraud detection, and end-point security. He led a global team including members from the United States, Pakistan, and Singapore from research to product releases on the FireEye's first machine learning based malware similarity analysis Cloud platform. This key technology advance was released on all core FireEye products including network security, email security, and mobile security. He won the Q2 2016 FireEye innovation award for his seminal work on similarity analysis. He earned his PhD degree in Computer Science at the University of California, Berkeley in 2010. After his graduation, he joined Professor Dawn Song's team as a post doc focusing on similarity analysis of x86 and Android applications. In 2011, he joined Professor Song in the mobile security startup Ensighta, leading the research and development of the automatic malware analysis platform. Ensighta was acquired by FireEye in December of 2012. He joined FireEye through the acquisition. JD security research center in Silicon Valley focuses on these seven areas: account security, APT detection, bot detection, data security, AI applications in security, Big Data applications in security, and IoT security.

Links:

Similar Presentations: