RetSpill: Igniting User-Controlled Data to Burn Away Linux Kernel Protections
long vuln_ioctl (...) 2 { 3 switch
tải về 0.65 Mb. Chế độ xem pdf
|
| long
vuln_ioctl (...) 2 { 3 switch (cmd) { 4 case CMD_VULN : 5 obj = kzalloc( sizeof (vuln_obj_t), GFP_KERNEL); 6 copy_from_user(obj, arg, sizeof (obj)); 7 case CMD_TRIGGER : 8 obj -> func(); 9 } 10 } Listing 3: The simplified code snippet of the contrived vul- nerable kernel module. accurately measure its success rate in bypassing protections, we use a synthetic vulnerability to guarantee CFHP. More specifically, we write a vulnerable kernel module that contains a contrived vulnerability that provides CFHP to simulate real-world exploit scenarios. We do not use real-world exploits for this evaluation because the unreliability of real-world kernel exploits in providing CFHP [75] will affect our measurement of RetSpill’s effectiveness. The gist of the vulnerable kernel module is shown in Listing 3. RANDKSTACK. We compile a Linux kernel on x86_64 architec- ture with the default configuration and enable RANDSTACK. Since RANDKSTACK adds a random offset on kernel stack, which can only mitigate Preserved Registers and Uninitialized Memory data spillage methods, in our RetSpill exploit, we only use Preserved Registers to put user data on the kernel stack to evaluate this mit- igation objectively. Our RetSpill exploit aims to obtain privilege escalation using the commit_creds(init_cred) payload. We perform 5000 trials each on the kernel with panic_on_oops on and off. In each trial, we insert the vulnerable kernel module and then repetitively run the exploit until it succeeds or crashes the kernel, following the previous work’s method [75]. The result shows that RetSpill can achieve 100% success rate on systems with panic_on_oops off. Even with panic_on_oops on, the RetSpill ex- ploit can still achieve 25.44% success rate, which is non-negligible. Since panic_on_oops is off by default on most Linux distributions as shown in Table 3, this suggests that even with RANDKSTACK on, RetSpill can achieve 100% success rate on most Linux distributions. Notice that the 25.44% is achieved when the attacker only relies on Preserved Registers or Uninitialized Memory for data spillage. If they use Valid Data or Calling Convention for data spillage, this mit- igation cannot provide any protection. In other words, if attackers can use Valid Data and Calling Convention to perform data spillage (which is common according to Table 4), they can still achieve 100% success rate despite the presence of RANDKSTACK. KCFI/IBT. We simulate a vulnerability that grants PC-control in kernels compiled with CFI schemes by modifying the vulnerable ker- nel module used in the previous setup. More specifically, the func- tion pointer is directly invoked using __x86_indirect_thunk_rdi that transforms forward-edge control-flow transition to backward- edge control-flow transition, which is not protected by the CFI schemes. This setting is realistic, as discussed in §5. We successfully performed CFH attacks and obtained privilege escalation on kernels compiled with KCFI and IBT using RetSpill. The success is because KCFI and IBT only protect forward-edge control flow. Once PC-control is obtained, RetSpill does not rely on the ability to hijack forward-edge control flow again because one initial CFHP is enough for using data spilled on the kernel … Saved %rip Saved %rbp Stack Canary User Data … %rsp (a) Unhardened Stack Frame (b) Hardened Stack Frame %rsp … Saved %rip Saved %rbp Stack Canary User Data tải về 0.65 Mb. Chia sẻ với bạn bè của bạn:
|