
Exploiting Kernel Races through Taming Thread Interleaving

Conference:  BlackHat USA 2020

2020-08-06

Summary

The presentation introduces a new exploit technique, ExpRace, that can exploit race condition vulnerabilities in the Linux kernel which were previously considered unexploitable. The technique uses the hardware's basic interrupt mechanism and is generally applicable regardless of kernel configuration or specific situation.
  • ExpRace is a new exploit technique that can exploit previously unexploitable race condition vulnerabilities in the Linux kernel
  • The vulnerability is triggered only under a specific ordering of instructions: instruction A must execute before instruction B, and instruction C must execute before instruction D
  • This non-inclusive race condition makes the vulnerability hard to exploit by normal brute forcing
  • ExpRace solves two problems: the non-inclusive race condition and the lack of time (a too-narrow window) to win the race
  • The technique uses the hardware's basic interrupt mechanism and is generally applicable regardless of kernel configuration or specific situation
The presentation demonstrates how ExpRace can be used to exploit the vulnerability and gain root permission: triggering the vulnerability, leaking the file pointer and the cred pointer of the current process, and overwriting the UID variable with zero. ExpRace extends the race window by at least 15,000 cycles, giving the racing thread enough time to modify memory that should not be modified.

Abstract

A kernel race condition vulnerability is difficult to exploit, because thread interleaving is non-deterministic and cannot be controlled. Thus, conventional exploitation techniques against kernel races simply attempt to brute force, i.e., keep exploiting the race in hopes that the execution orders happen to be indeed racing. However, we observed that many kernel races cannot be exploited through brute forcing, including three recent Linux kernel race vulnerabilities, because the chance to race is virtually zero. This presentation introduces a new kernel race condition exploitation technique. The key idea behind our new race exploitation technique is to tame the thread execution order based on a clear understanding of the kernel’s thread interleaving mechanism. With our new exploitation techniques, we demonstrate how three Linux kernel races can be successfully exploited within 10-100 seconds, none of which were exploitable given 24 hours of simple brute forcing.
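The abstract's central claim is that for some races "the chance to race is virtually zero" under brute forcing, and the summary adds that widening the race window is what makes them winnable. The following added example (not code from the talk or from the ExpRace authors) models that claim so a defender can reason about how narrow a window has to be before brute forcing becomes impractical. It assumes a deliberately simplified model: each thread is a sequence of atomic steps, every interleaving of the two threads' program orders is equally likely, and the race "succeeds" only when both of the racing thread's steps C and D land between the victim's window-opening step A and window-closing step B. The step counts and window positions are constructed sample values.

```python
"""Uniform-interleaving model of a two-thread race window (added illustration)."""
from fractions import Fraction
from itertools import combinations
from typing import Iterator, List, Tuple

# A step is ('V', i) for the i-th instruction of the victim thread
# or ('A', j) for the j-th instruction of the racing thread.
Step = Tuple[str, int]


def interleavings(n_victim: int, n_attacker: int) -> Iterator[List[Step]]:
    """Enumerate every interleaving that preserves each thread's own order.

    Modelling assumption: the scheduler picks each merge uniformly and every
    step costs the same time. Real schedulers and instruction timings do not,
    so the numbers below are illustrative, not measurements.
    """
    total = n_victim + n_attacker
    for victim_slots in combinations(range(total), n_victim):
        slots = set(victim_slots)
        trace: List[Step] = []
        v = a = 0
        for pos in range(total):
            if pos in slots:
                trace.append(("V", v))
                v += 1
            else:
                trace.append(("A", a))
                a += 1
        yield trace


def is_racing(trace: List[Step], victim_window: Tuple[int, int],
              attacker_pair: Tuple[int, int]) -> bool:
    """True when both racing steps fall inside the victim's window.

    victim_window = (a, b): victim instructions that open and close the window
    (for example a check and the later use that trusts it).
    attacker_pair = (c, d): racing instructions that must both execute after
    V[a] and before V[b]; this two-ordering requirement is the assumed model
    of a race that needs more than one ordering to hold at once.
    """
    pos = {step: i for i, step in enumerate(trace)}
    a, b = victim_window
    c, d = attacker_pair
    return pos[("V", a)] < pos[("A", c)] and pos[("A", d)] < pos[("V", b)]


def race_probability(n_victim: int, n_attacker: int,
                     victim_window: Tuple[int, int],
                     attacker_pair: Tuple[int, int]) -> Fraction:
    """Exact fraction of interleavings in which the race is won."""
    hits = total = 0
    for trace in interleavings(n_victim, n_attacker):
        total += 1
        if is_racing(trace, victim_window, attacker_pair):
            hits += 1
    return Fraction(hits, total)


def window_sweep(max_extra: int, n_attacker: int = 3) -> List[Tuple[int, Fraction]]:
    """Race probability as `extra` filler instructions widen the victim window.

    The constructed victim thread is V0, V1 (opens window), `extra` filler
    steps, then the closing step and one trailing step; the racing thread has
    n_attacker steps of which A0 and A1 must both land inside the window.
    """
    result = []
    for extra in range(max_extra + 1):
        n_victim = 4 + extra
        window = (1, 2 + extra)
        result.append((extra, race_probability(n_victim, n_attacker, window, (0, 1))))
    return result


if __name__ == "__main__":
    for extra, p in window_sweep(4):
        print(f"window width {extra}: P(race) = {p} (~{float(p):.3f}), "
              f"expected attempts ~{1 / float(p):.1f}")
```

With a zero-width window (check immediately followed by use) only 3 of the 35 possible interleavings win the race; adding two filler steps inside the window raises that to 22 of 84. The model is the reverse of the defensive question as well: shrinking or removing the window (taking the lock before the check, or making check and use one atomic operation) drives the probability to zero regardless of how patient the brute-forcing thread is.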
