Demonstrating Attacks against Dangling Pointer Scanners
Demonstrating Attacks against Dangling Pointer Scanners
Supervisor(s): | Marius Momeu |
Status: | finished |
Topic: | Others |
Author: | Florian Förg |
Submission: | 2025-03-04 |
Type of Thesis: | Bachelorthesis |
DescriptionUse-After-Free vulnerabilities are one of the most crucial security threats in low-level programming languages. Dangling pointers occur when manual memory management is handled insecurely, resulting in references to memory locations that have already been freed or deallocated. Research has focused on developing measures to make exploitation more difficult. One of them is pointer scanning, which aims to detect insecure pointers. The memory the discovered dangling pointers reference is blocked for reallocation as long as the reference remains in place. However, these scanners are susceptible to being vulnerable themselves. This paper introduces three attacks against pointer scanners. We demonstrate the applicability of the exploitation methods on Linux kernel v6.2.0 using the pointer scanner of the heap-hardening extension Safeslab. The first attack targets a scanner that runs concurrently with other processes. We leverage its parallel execution to hide a dangling pointer during the scan. To create the dangling pointer we utilize CVE-2022-32250. It enables a use-after-free in the Netfilter subsystem. Additionally, we exploit a TLB side-channel to predict the start of the next scan. By accurately timing our actions, we can move the dangling pointer to a page that has already been scanned, thereby hiding it. Our experiments demonstrate that while we can conceal the pointer in some cases, the method is not reliable due to concurrency issues. The second attack targets scanners that employ a conservative scanning approach. We exploit Linux’s inter-process communication system to insert false positive values that the scanner mistakenly identifies as pointers, which can lead to an out-of-memory error. In an additional experiment, we use file operations to insert the values. Both methods are found to be feasible, and the second method beats the mitigation technique hardened-user-copy. In a similar manner as before, the last attack aims to cause false positives in the kernel. However, the values are no longer inserted but crafted in the memory. This method enhances stability against scanner hardenings related to user input tracking. However, our experiments indicate that the attack is not feasible due to scalability issues, given system limits. Keywords kernel security, heap hardening, pointer scanners, concurrent, conservative |