logo
allArticlesConferencesPresentations

Flexible Array Transformations and Array-bounds Checking

Conference:  Linux Security Summit Europe 2022

2022-09-15

Authors:   Gustavo A. R. Silva

Summary

The presentation discusses the importance of removing ambiguity from the kernel and adopting the use of flexible array members to improve security. The speaker shares their experience with transforming one-element arrays to flexible array members and the challenges they faced.
  • Flexible array members should be used instead of one-element arrays to prevent vulnerabilities
  • Transforming one-element arrays to flexible array members is time-consuming and requires careful verification
  • Sanity checking can be added to all trailing arrays through the use of a fortified main copy
  • Monitoring code check-ins can help prevent the introduction of one-element arrays
The speaker shares their experience with monitoring code check-ins and receiving email notifications when offending code is detected. They initially feared it would be noisy, but found it to be a useful tool over time.

Abstract

Having a dynamically-sized trailing array at the end of a structure is a useful code construct in the Linux kernel. However, the lack of proper bounds-checking on such objects is concerning and worth making an effort to remediate it. This presentation is about the different strategies we, in the Kernel Self-Protection Project, have been following along the last couple of years to transform trailing zero-length and one-element arrays into modern C99 flexible-array members, and the problems we have run into in the process. We will touch on how this work is closely related and helpful to the most recent efforts to hardening key APIs like memcpy() and globally enabling options like -Warray-bounds. We will explain how we've been addressing the particularly challenging one-element array into flexible-array member transformations in UAPI. Also, we'll see how the fact that compilers like GCC have historically treated all trailing arrays, no matter what their size, as flexible-sized arrays, is problematic and causes trouble when it comes to perform proper array-bounds checking on such objects, and how the introduction of a new option like -fstrict-flex-arrays could help.
Materials:
Slides
Tags:
linux kernel
self-protection
memcpy
bounds-checking

Post a comment

Related work

Hands Off and Putting SLAB/SLUB Feng Shui in a Blackbox

Conference:  BlackHat EU 2019
Authors:
2019-12-04

You Can Run, but You Can't Hide - Finding the Footprints of Hidden Shellcode

Conference:  Black Hat Asia 2023
Authors: John Uhlmann
2023-05-12

Finding Bugs Compiler Knows but Doesn't Tell You: Dissecting Undefined Behavior Optimizations in LLVM

Conference:  BlackHat EU 2020
Authors:
2020-12-09

Portable Data exFiltration: XSS for PDFs

Conference:  BlackHat EU 2020
Authors:
2020-12-10

Evil eBPF In-Depth: Practical Abuses of an In-Kernel Bytecode Runtime

Conference:  Defcon 27
Authors:
2019-08-01

Cautious: A New Exploitation Method! No Pipe but as Nasty as Dirty Pipe

Conference:  Black Hat USA 2022
Authors:
2022-08-11