Description
Use-After-Free vulnerabilities are one of the most crucial security threats in low-level
programming languages. Dangling pointers occur when manual memory management
is handled insecurely, resulting in references to memory locations that have already
been freed or deallocated. Research has focused on developing measures to make
exploitation more difficult. One of them is pointer scanning, which aims to detect
insecure pointers. The memory the discovered dangling pointers reference is blocked
for reallocation as long as the reference remains in place. However, these scanners are
susceptible to being vulnerable themselves.
This paper introduces three attacks against pointer scanners. We demonstrate the
applicability of the exploitation methods on Linux kernel v6.2.0 using the pointer
scanner of the heap-hardening extension Safeslab. The first attack targets a scanner
that runs concurrently with other processes. We leverage its parallel execution to
hide a dangling pointer during the scan. To create the dangling pointer we utilize
CVE-2022-32250. It enables a use-after-free in the Netfilter subsystem. Additionally,
we exploit a TLB side-channel to predict the start of the next scan. By accurately
timing our actions, we can move the dangling pointer to a page that has already been
scanned, thereby hiding it. Our experiments demonstrate that while we can conceal
the pointer in some cases, the method is not reliable due to concurrency issues. The
second attack targets scanners that employ a conservative scanning approach. We
exploit Linux’s inter-process communication system to insert false positive values that
the scanner mistakenly identifies as pointers, which can lead to an out-of-memory
error. In an additional experiment, we use file operations to insert the values. Both
methods are found to be feasible, and the second method beats the mitigation technique
hardened-user-copy. In a similar manner as before, the last attack aims to cause false
positives in the kernel. However, the values are no longer inserted but crafted in the
memory. This method enhances stability against scanner hardenings related to user
input tracking. However, our experiments indicate that the attack is not feasible due to
scalability issues, given system limits.
Keywords
kernel security, heap hardening, pointer scanners, concurrent, conservative
|
