SLUBStick: Linux Kernel Exploitation with Cross-Cache Attacks

by do son · August 1, 2024

Linux kernel exploit - SLUBStick - Cross-Cache Attacks

Security researchers Lukas Maar, Stefan Gast, Martin Unterguggenberger, Mathias Oberhuber, and Stefan Mangard from the Graz University of Technology have discovered a new way to exploit vulnerabilities in the Linux kernel, the core of the operating system. This new technique, called SLUBStick, could allow attackers to gain complete control over a system, even if it has modern security defenses in place.

The Linux kernel, integral to numerous operating systems, has seen a significant rise in identified vulnerabilities over the years. Traditionally, these vulnerabilities have been challenging to exploit due to their limited capabilities, often restricted to corrupting a few bytes within allocator caches. Kernel developers and security researchers have responded by implementing robust defenses, including Kernel Address Space Layout Randomization (KASLR), Supervisor Mode Access Prevention (SMAP), and Kernel Control Flow Integrity (kCFI). Additionally, the kernel allocator’s design, emphasizing coarse-grained heap separation, has aimed to confine the impact of heap vulnerabilities, further complicating exploitation efforts.

SLUBStick revolutionizes kernel exploitation by converting limited heap vulnerabilities into powerful arbitrary memory read-and-write capabilities. This technique hinges on exploiting a timing side channel within the kernel’s allocator, dramatically increasing the success rate of cross-cache attacks to over 99%. This leap in reliability makes previously impractical attacks viable, enabling attackers to manipulate memory with unprecedented precision.

The SLUBStick technique operates through a multi-stage process:

Timing Side-Channel Exploitation: By leveraging side-channel leakage, SLUBStick reliably performs cross-cache attacks, significantly enhancing their success rate for generic caches.
Memory Reclamation Manipulation: The technique exploits code patterns prevalent in the Linux kernel to convert limited heap vulnerabilities into powerful memory manipulation tools.
Arbitrary Memory Access: SLUBStick manipulates page tables, granting attackers the ability to read and write memory arbitrarily. This capability is demonstrated through systematic analysis and successful exploitation of both synthetic vulnerabilities and real-world CVEs.

The researchers who discovered SLUBStick tested it on Linux kernel, v5.19 and v6.2, and found that it was effective on both. They also tested it with a variety of real-world vulnerabilities and found that it could be used to escalate privileges and escape containers, a type of isolation mechanism used in cloud computing.

The researchers have responsibly disclosed their findings to the Linux kernel security team, and patches are expected to be released soon. In the meantime, users are advised to keep their systems up-to-date and to be cautious about running untrusted code.

For a deeper dive into the technical intricacies and implications of SLUBStick, readers are encouraged to explore the full paper by Maar, Gast, Unterguggenberger, Oberhuber, and Mangard.