DOI: 10.1145/3576915.3623220
Research article, public access

RetSpill: Igniting User-Controlled Data to Burn Away Linux Kernel Protections

Published: 21 November 2023

Abstract

Leveraging a control flow hijacking primitive (CFHP) to gain root privileges is critical to attackers striving to exploit Linux kernel vulnerabilities. Such attacks have become increasingly difficult to carry out as security researchers propose capable kernel security mitigations, leading to the development of complex (and, as a trade-off, brittle and unreliable) attack techniques to regain root. In this paper, we obviate the need for complexity by proposing RetSpill, a powerful yet elegant exploitation technique that employs user space data already present on the kernel stack for privilege escalation.
RetSpill exploits the common practice of temporarily storing data on the kernel stack, such as preserving user space register values during a switch from user space to kernel space. We perform a systematic study and identify four common practices that spill user space data onto the kernel stack. Although this practice is perfectly within the kernel's security specification, it introduces a new exploitation path when paired with a control flow hijacking (CFH) vulnerability, enabling RetSpill to turn such vulnerabilities directly and reliably into privilege escalation. Moreover, RetSpill can bypass many defenses currently deployed in the Linux kernel. To demonstrate the severity of this problem, we collected 22 real-world kernel vulnerabilities and built a semi-automated tool that abuses intentionally stored, on-stack user space data for kernel exploitation. Our tool generated end-to-end privilege escalation exploits for 20 of the 22 CFH vulnerabilities. Finally, we propose a new mechanism to defend against the attack.


Cited By

  • (2024) Understanding the Security Landscape of Control-Data and Non-Control-Data Attacks Against IoT Systems. 2024 9th International Conference on Smart and Sustainable Technologies (SpliTech), pages 1--6. DOI: 10.23919/SpliTech61897.2024.10612517. Online publication date: 25 June 2024.
  • (2024) KernJC: Automated Vulnerable Environment Generation for Linux Kernel Vulnerabilities. Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses, pages 384--402. DOI: 10.1145/3678890.3678891. Online publication date: 30 September 2024.


Published In

CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
November 2023, 3722 pages
ISBN: 9798400700507
DOI: 10.1145/3576915

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. kernel exploitation
  2. os security
  3. privilege escalation

Qualifiers

  • Research-article

Conference

CCS '23
Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%

Article Metrics

  • Downloads (last 12 months): 485
  • Downloads (last 6 weeks): 94

Reflects downloads up to 18 Dec 2024.