Smashing the Linux Heap

MIAMI BEACH–There has been a lot of discussion and research in the last decade on exploiting heap overflows in various platforms, especially Windows. But one researcher has found that there is a heap allocator in the Linux kernel that is, as he describes it, “beautifully exploitable.” Meet SLOB.

Dan Rosenberg, a security consultant at Virtual Security Research, does a lot of work on Linux kernel research and decided to take a hard look at the heap allocators in the operating system’s kernel. There are three main allocators: SLUB, SLAB and SLOB. But it was the last one that Rosenberg focused on, mainly because there hasn’t been as much research done on it. What he found was not pretty.

In a talk at the Infiltrate conference here, Rosenberg said that he’d found virtually nothing in the way of methods to mitigate exploit attempts on SLOB.

“There’s no sanity checks or exploit mitigations,” he said. “It’s a beautifully exploitable heap. They’ve done nothing to harden it to make it any harder.”

SLOB is mainly used in embedded systems, favored there because of its small footprint, Rosenberg said. Any given system will only have one allocator, and SLOB is used in Linux systems on many routers and switches and also in some firmware systems.

“Linux completely dominates the embedded space. That’s part of its appeal,” he said. “You find SLOB in these embedded systems because it doesn’t tend to perform very well in other situations.”

In his talk he presented several possible overflow scenarios that could be exploitable, ranging from the simple to the highly complex. He then showed exactly how an attacker could exploit each one of them.

The scenarios he went through ranged from one in which the attacker controls only some of the contents of one to two bytes of the overflowed chunk, all the way up to one in which he is faced with an off-by-one null byte. His techniques for exploiting the vulnerabilities resulted in his gaining full control of the system.

He did not reveal any specific vulnerabilities in the Linux kernel, but rather was looking for techniques that he could use to exploit existing vulnerabilities in a variety of different situations.

“I was more interested in techniques that would work in progressively more constrained situations,” Rosenberg said. “If you understand how the heap works, you can get it done.”

Rosenberg said that the lack of exploit mitigations could be due to just a lack of someone stepping up to take charge of the effort.

“There are never going to be exploit mitigations unless someone in the community writes them. Linux doesn’t have a Trustworthy Computing memo or anything,” he said. “It’s sort of an uphill battle when you’re dealing with so many platforms in so many high-performance environments. It’s going to be fought very hard.”
