An Analysis of Linux Kernel Heap Hardening

Dr Silvio Cesare
@silviocesare


Summary 

I wrote a blog post some months ago on weaknesses in the Linux kernel heap free list pointer hardening implementation. In response to that weakness, Kees Cook wrote an improved kernel patch, which I reviewed. This blog post is an analysis of that patch. I try to break it using an SMT solver and fail.

Introduction

In the original kernel slab free list hardening patch, the free list pointer was scrambled to prevent naive free list pointer corruption and poisoning.

The scrambling consisted of:

obfuscated_ptr = ptr ^ ptr_addr ^ secret

The weakness in this approach was because ptr and ptr_addr were part of the same slab, they were highly similar. In fact, only the low bits were different. As such, the obfuscated_ptr revealed almost the entire secret. The blog post where I talk about this is here https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html.

A subsequent patch was written by Kees Cook in https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1ad53d9fa3f6168ebcf48a50e08b170432da2257 to improve the pointer scrambling and he asked me for feedback at the time. I think this is a fantastic thing that the Linux kernel team actively works with security researchers.

The improved patch changes the use of ptr_addr:

obfuscated_ptr = ptr ^ swab(ptr_addr) ^ secret

swab swaps the byte order.

The question is, can we recover information, such as the secret or the pointer, from the obfuscated pointer?

SMT Analysis

The approach I use to analyse the patch is to represent the scrambling operation as a set of SMT constraints. I will then query the SMT solver to see if I can infer secret information.

Here are the equations:

    equations = [
        ptr & ~0xfff == ptr_addr & ~0xfff,
#        ptr == ptr_addr + 0x20,
        ptr & 0xf == 0,
        ptr_addr & 0xf == 0,
        ptr_addr_swab_0 == (LShR(ptr_addr,  0) & 0xff) << 56,
        ptr_addr_swab_1 == (LShR(ptr_addr,  8) & 0xff) << 48,
        ptr_addr_swab_2 == (LShR(ptr_addr, 16) & 0xff) << 40,
        ptr_addr_swab_3 == (LShR(ptr_addr, 24) & 0xff) << 32,
        ptr_addr_swab_4 == (LShR(ptr_addr, 32) & 0xff) << 24,
        ptr_addr_swab_5 == (LShR(ptr_addr, 40) & 0xff) << 16,
        ptr_addr_swab_6 == (LShR(ptr_addr, 48) & 0xff) <<  8,
        ptr_addr_swab_7 == (LShR(ptr_addr, 56) & 0xff) <<  0,
        ptr_addr_swab == ptr_addr_swab_0 +
                         ptr_addr_swab_1 +
                         ptr_addr_swab_2 +
                         ptr_addr_swab_3 +
                         ptr_addr_swab_4 +
                         ptr_addr_swab_5 +
                         ptr_addr_swab_6 +
                         ptr_addr_swab_7,
        stored_value == secret ^ ptr ^ ptr_addr_swab,
    ]


We will use some testing data that Kees Cook produced to go along with his kernel patch:

#ptr              ptr_addr            stored value      secret
#ffff9eed6e019020@ffff9eed6e019000 is 793d1135d52cda42 (86528eb656b3b59d)
#ffff9eed6e019040@ffff9eed6e019020 is 593d1135d52cda22 (86528eb656b3b59d)
#ffff9eed6e019060@ffff9eed6e019040 is 393d1135d52cda02 (86528eb656b3b59d)
#ffff9eed6e019080@ffff9eed6e019060 is 193d1135d52cdae2 (86528eb656b3b59d)
#ffff9eed6e0190a0@ffff9eed6e019080 is f93d1135d52cdac2 (86528eb656b3b59d)

* The first thing we will query is can we recover the secret given only the obfuscated pointer?

The answer is No. Given only obfuscated pointer, there are a very large number of possible candidates for the secret. And there are no collisions where different secrets produce the correct result.

* The next thing we will ask, is if we have an infoleak of the pointer (ptr) and the obfuscated pointer (stored value), but not the ptr_addr, can we recover the secret?

The answer is yes. In the test data above, we can make some assumptions about ptr and ptr_addr. 1) Only the low 12 bits between them are different. 2) For this allocation pattern, since we are allocating fixed size chunks, then the very low bits to force a chunk alignment are zero.

If we ask our SMT solver what the secret is, given ptr and the stored value, there are 256 candidate secrets.

If we assume ptr_addr is offset by 0x20 to ptr, then we can come up with a single solution.

Conclusion

In this blog post, I looked at a new addition to the Linux kernel heap hardening. I tried to attack it using an SMT solver to recover the secret value used in the free list pointer scrambling. I failed. The patch represents an improvement over the previous hardening attempt.




Comments

  1. Harrycod16 September 2020 at 22:38

    Your content that you have posted here is fantastic that will not confuse the person but surely impress and attract the readers. Your blog forces others to visit your website daily. The best part of your writing is that your work helps us in understanding the hardest things in just a simple and easy manner. It is such an unusual thing that you concise your writing in an effective way. afs global link login

    ReplyDelete
  2. Harry Oliver Krock16 September 2020 at 22:44

    Hi admin... Extremely, this article is incredibly one of the most entirely great all through the entire nearness of articles. I am an antique 'Article' discoverer and I every so often read some new articles on the off chance that I discover them spellbinding. Also, I discovered this one absolutely interesting and it ought to go into my course of action. Generally phenomenal work. gogoanime

    ReplyDelete
  3. Ana Cyber16 June 2021 at 09:56

    The purpose of operating system hardening is to eliminate as many security risks as possible. As a cyber security company and ISO consultants in Mumbai, I found this information helpful. Great blog.

    ReplyDelete
  4. Unknown22 October 2021 at 07:03

    The weakness in this approach was because ptr and ptr_addr were part of the same slab!! Free Backlink List

    ReplyDelete
    Replies
    1. Ken15 April 2022 at 07:39

      I wish you can explain it more further. Thanks

      check here

      Delete
  5. Norris Evans18 November 2021 at 02:42

    Great article by the great author, it is very massive and informative but still preaches the way to sounds like that it has some beautiful thoughts described so I really appreciate this article. Best interior gateway protocols service provider

    ReplyDelete
  6. Miraj Khan20 November 2021 at 23:32

    nice information...Good blog. If you want want know, more click here.
    kim kardashian wedding hair
    lifestyle 5e
    5e lifestyle

    ReplyDelete
  7. Norris Evans25 November 2021 at 03:38









    It's very nice of you to share your knowledge through posts. I love to read stories about your experiences. They're very useful and interesting. I am excited to read the next posts. I'm so grateful for all that you've done. Keep plugging. Many viewers like me fancy your writing. Thank you for sharing precious information with us. linux cheat sheet commands

    ReplyDelete
  8. high technologies solutions28 November 2021 at 03:30

    Big thank you for sharing this post its very knowledgeable and very helpful i hope that you will continue to post these kinds of contents in future apart from that if anyone looking for e accounting institute in delhi so Contact Here-+91-9311002620 Or Visit Website- https://www.htsindia.com/Courses/Tally/e-accounting-training-course

    ReplyDelete
  9. Lorriel Sims26 January 2022 at 09:23

    This tool is able to identify programming errors like access to basement renovations atlanta ga

    ReplyDelete
  10. Therese6 April 2022 at 09:20

    Appreciate you sharing this informative article. Thank you for sharing your thoughts. find a psychic near me

    ReplyDelete
  11. Ken15 April 2022 at 07:37

    This is a helpful synopsis! Thanks


    www.complete-image.com/

    ReplyDelete
  12. Beckman18 April 2022 at 02:30

    Great blog. Glad to found it. foundation repair kansas city

    ReplyDelete
  13. Horea18 April 2022 at 06:48

    This is also my choice at all times.

    replace social security card

    ReplyDelete
  14. Allie Rice18 April 2022 at 07:20

    This OS is so nostalgic and I guess if this works great these days, I'm surely be using it.

    commercial window cleaning cincinnati ohio

    ReplyDelete
  15. Beckman19 April 2022 at 07:39

    Nice website. Concrete repair omaha

    ReplyDelete
  16. Lewis21 April 2022 at 18:24

    This comment has been removed by the author.

    ReplyDelete
  17. Lewis21 April 2022 at 18:28

    This comment has been removed by the author.

    ReplyDelete
  18. Liam21 April 2022 at 18:31

    Appreciate you sharing this detailed educational article. Keep us posted!
    travel nurse agency

    ReplyDelete
  19. dash194929 April 2022 at 21:26

    Very nice blog, gotta love it mobile auto detailing west covina

    ReplyDelete

Post a Comment

Popular posts from this blog

C++ Memory Corruption (std::vector) - part 2

Summary This is the 2nd part of the C++ memory corruption series*. In this post, we'll look at corrupting the std::vector class in Linux and see what exploitation primitives we can gain. We'll see that we can build arbitrary read/write primitives. * https://blog.infosectcbr.com.au/2020/08/c-memory-corruption-part-1.html   Author: Dr Silvio Cesare Introduction C++ is a common language for memory corruption. However, there is much more literature on exploiting C and not C++ programs. C++ presents new classes, objects, and data structures which can all be effectively used for building exploitation primitives.  In this post, we'll look at the std::vector class and see what specific primitives we can obtain.  Let's start by looking at /usr/include/c++/bits/stl_vector.h namespace std _GLIBCXX_VISIBILITY ( default ) { _GLIBCXX_BEGIN_NAMESPACE_VERSION _GLIBCXX_BEGIN_NAMESPACE_CONTAINER /// See bits/stl_deque.h's _Deque_base for an explanation. template < typename
Read more

Pointer Compression in V8

Image
Syed Faraz Abrar @farazsth98   Summary In this blog post, I will provide some details on how the Chromium developers implemented pointer compression in V8. I will also talk about what this means from an exploit development perspective. Introduction I’ve been an intern at InfoSect for the past couple of weeks now, and in this time, I’ve had to do a bunch of security related research into both V8 and Spidermonkey. One of the things that I spent a short amount of my time on was pointer compression in V8. I hadn’t heard of the term at all until Bruno Keith ( @bkth_ ) mentioned it on twitter some time in December last year. The V8 developers also made a blog post to celebrate V8 v8.0 where they mentioned that implementing pointer compression had allowed them to save up to 40% in usage of heap memory! That’s a big improvement, so let’s take a look at what pointer compression is and what it means from an exploit developer’s perspective. Disclaimer This is not intended to
Read more

Linux Kernel Stack Smashing

Dr Silvio Cesare @silviocesare   Summary In this blog post I’ll discuss how to exploit the Linux kernel via a stack smashing attack. I’ll be attacking the latest kernel version. I’ll also introduce a vulnerable device driver that I wrote so that I can focus on the exploitation development and not the vulnerability research.  A number of mitigations were introduced in recent years, such as Kernel Page Table Isolation and control register pinning, which makes some previous techniques obsolete. Techniques like ret2usr no longer work. But regardless, I am able to privesc and gain a rootshell. An overview of the attack The attack can be split up into a number of stages: ·         Defeat KASLR ·         Leak the stack canary ·         Stack smash and overwrite the canary and return address to trigger a ROP chain ·         ROP to change the current creds to UID 0 ·         ROP into the code that returns from a system call and continues execution i
Read more