Hanging with Dangling Pointers in Linux Kernel

Presented at THOTCON 0xA (2019), May 3, 2019, noon (120 minutes).

This presentation serves as a primer on Linux kernel exploitation: specifically, how to go from a use-after-free (UAF) vulnerability to arbitrary code execution. In the first part we introduce the Linux kernel fundamentals needed to understand the flaw and how it was fixed, and then validate the vulnerability using kernel-level functionality. Next, we explore how to trigger the UAF from user space and construct a proof-of-concept that reliably crashes the kernel.

In the second part of the talk we show how to exploit the vulnerability by placing an object under our control where the freed object used to be, and introduce a general UAF exploit strategy of probabilistic memory overwriting. Finally, we demonstrate how to achieve code execution and bypass some hardware protection mechanisms (e.g., SMAP / SMEP). While we focus on exploiting UAF vulnerabilities in the Linux kernel, the material applies to functionality fundamental to systems software in general: process management (scheduler, threads, synchronization), memory allocators, storage (the virtual file system) and networking (sockets). Our hope is that the presented concepts will spur new ideas in offensive research on systems software.
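The core mechanism the talk builds on, a freed object being reclaimed by an attacker-controlled object of the same size class and then used through a stale pointer, can be modelled in user space. The following C program is an added example written for this page, not code from the talk or from the Linux kernel: it uses a constructed toy slab cache with a LIFO free list (the way a kernel object cache hands back the most recently freed slot of a size class), a hypothetical `struct victim` layout with a function pointer in its first word, and a refcount bug as the cause of the dangling pointer. `uaf_hijack_demo` shows the stale pointer dispatching into the attacker's function after the slot is resprayed; `uaf_fixed_demo` shows the same sequence once the second holder takes its own reference, so the slot is never freed underneath it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy fixed-size object cache with a LIFO free list: the most recently
 * freed slot is the next one handed out, as a kernel slab cache does for
 * one size class. Constructed for this example; not the kernel allocator. */
#define SLOT_SIZE 32
#define NSLOTS 8

static unsigned char slab[NSLOTS][SLOT_SIZE];
static int freelist[NSLOTS];
static int freetop;

static void slab_init(void) {
    for (int i = 0; i < NSLOTS; i++)
        freelist[i] = NSLOTS - 1 - i;   /* first slab_alloc() returns slot 0 */
    freetop = NSLOTS;
    memset(slab, 0, sizeof slab);
}

static void *slab_alloc(void) {
    return freetop ? slab[freelist[--freetop]] : NULL;
}

static void slab_free(void *p) {
    int idx = (int)(((unsigned char *)p - &slab[0][0]) / SLOT_SIZE);
    freelist[freetop++] = idx;          /* pushed to the head of the free list */
}

/* Kernel-style object: a function pointer that is dispatched through
 * later, plus a reference count. Hypothetical layout, not a real struct. */
struct victim {
    void (*handler)(struct victim *);
    long refcount;
};

static int last_called;  /* 0 = nothing, 1 = legitimate handler, 2 = attacker's */
static void legit_handler(struct victim *v)    { (void)v; last_called = 1; }
static void attacker_handler(struct victim *v) { (void)v; last_called = 2; }

static void victim_put(struct victim *v) {
    if (--v->refcount == 0)
        slab_free(v);
}

/* Attacker reclaims a freed slot with fully controlled bytes whose first
 * word lines up with victim.handler (e.g. via a spray of same-sized objects). */
static void *spray_controlled(void) {
    unsigned char payload[SLOT_SIZE];
    void (*hijack)(struct victim *) = attacker_handler;
    memset(payload, 0x41, sizeof payload);
    memcpy(payload, &hijack, sizeof hijack);
    void *slot = slab_alloc();
    if (slot)
        memcpy(slot, payload, sizeof payload);
    return slot;
}

/* Buggy path: a second holder keeps a raw pointer without taking a
 * reference, so the object is freed underneath it. Returns 2 when the
 * stale pointer dispatches into attacker_handler, -1 if the slot was
 * not reclaimed (the exploit attempt would simply fail). */
int uaf_hijack_demo(void) {
    slab_init();
    last_called = 0;
    struct victim *v = slab_alloc();
    v->handler = legit_handler;
    v->refcount = 1;
    struct victim *dangling = v;        /* bug: no reference taken */
    victim_put(v);                      /* refcount hits 0: slot freed */

    void *reclaimed = spray_controlled();
    if (reclaimed != (void *)dangling)
        return -1;
    dangling->handler(dangling);        /* use after free: attacker's code runs */
    return last_called;
}

/* Fixed path: the second holder owns a reference, so the object outlives
 * the first holder's put and the spray lands in a different slot. */
int uaf_fixed_demo(void) {
    slab_init();
    last_called = 0;
    struct victim *v = slab_alloc();
    v->handler = legit_handler;
    v->refcount = 1;
    struct victim *holder = v;
    holder->refcount++;                 /* fix: take a reference */
    victim_put(v);                      /* refcount 1: object stays allocated */

    void *reclaimed = spray_controlled();
    holder->handler(holder);            /* still the legitimate handler */
    victim_put(holder);
    return reclaimed == (void *)holder ? -1 : last_called;
}

int main(void) {
    printf("buggy: last_called=%d\n", uaf_hijack_demo());
    printf("fixed: last_called=%d\n", uaf_fixed_demo());
    return 0;
}
```

The model is deterministic because the toy cache is single-threaded and the freed slot is always the next one returned; in a real kernel the slot can be taken by another allocation first, which is why a reliable exploit sprays many same-sized objects and why the abstract speaks of a probabilistic strategy. Note also that the hijacked pointer here targets a function in the same address space; with SMEP enabled the kernel cannot execute user-mode pages and with SMAP it cannot read them, so a kernel exploit must point the stale function pointer at kernel-resident code instead, which is the bypass step the talk addresses.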


Presenters:

  • Edgar Pek
    Edgar Pek is a security researcher working on application security. During his PhD he worked on correctness of systems software.
