Researchers from the Graz University of Technology have discovered a way to convert a limited heap vulnerability in the Linux kernel into an arbitrary memory write capability, demonstrating a novel software cross-cache attack.
Such vulnerabilities are normally limited in what they can do, corrupting only a few bytes within specific allocator caches; the researchers combined the kernel allocator's reuse of freed memory with a timing side channel to improve their odds.
“We present SLUBStick, a novel kernel exploitation technique elevating a limited heap vulnerability to an arbitrary memory read-and-write primitive,” the researchers said in a technical paper.
SLUBStick operates in multiple stages, was demonstrated against recent Linux kernel versions, including 5.9 and 6.2 (the latest), and was shown to work with as many as nine different existing vulnerabilities.
Unique, versatile cross-cache attack
SLUBStick uses heap vulnerabilities, flaws in the “heap” region of memory that handles dynamic allocation, in the Linux kernel to carry out a cross-cache attack with a 99% success probability.
“Cross-cache attacks are impractical due to their low success rate of only 40%, with failure scenarios often resulting in a system crash,” researchers said. “SLUBStick exploits a timing side channel of the allocator to perform a cross-cache attack reliably.”
By combining a timing side channel with the heap vulnerability, which lets an attacker influence the kernel's memory allocation, the researchers could pinpoint the exact moment at which memory is allocated and freed, so that identifying the frequently used caches becomes highly accurate.
The freed memory is then reallocated so that attackers can manipulate the page table and read or write arbitrary memory. SLUBStick was shown to work with at least nine existing vulnerabilities, including CVE-2023-21400, CVE-2023-3609, CVE-2022-32250, CVE-2022-29582, CVE-2022-27666, CVE-2022-2588, CVE-2022-0995, CVE-2021-4157, and CVE-2021-3492.
Effective, with prerequisites
The attack was found effective against all modern kernel defenses, including Supervisor Mode Execution Prevention (SMEP), Supervisor Mode Access Prevention (SMAP), and Kernel Address Space Layout Randomization (KASLR).
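As an added, defender-side example (not part of the original article or of the researchers' work), the script below inventories whether the three defenses named here, SMEP, SMAP and KASLR, are active on a Linux host. It parses /proc/cpuinfo for the CPU feature flags, /proc/cmdline for the boot parameters that switch these defenses off (nosmep, nosmap, nokaslr), and the kernel config for CONFIG_RANDOMIZE_BASE; the sample inputs are constructed. Since SLUBStick is reported to work despite all three, a positive result confirms baseline hardening, not immunity; patch status of the listed CVEs is what matters for this attack.

```python
"""
Added defender-side example (not from the article or the SLUBStick authors):
inventory whether SMEP, SMAP and KASLR are active on a Linux host.
"""
import gzip
import os
from pathlib import Path


def cpu_flags(cpuinfo_text):
    """Return the feature flags from the first 'flags' line of /proc/cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.partition(":")[2].split())
    return set()


def cmdline_has(cmdline_text, param):
    """True when a bare boot parameter such as 'nokaslr' is on the kernel command line."""
    return param in cmdline_text.split()


def defense_posture(cpuinfo_text, cmdline_text, kconfig_text):
    """
    Map each defense named in the article to whether it appears active.

    SMEP/SMAP: the CPU must advertise the feature and the kernel must not have
    been booted with nosmep/nosmap (x86 boot parameters that disable them).
    KASLR: CONFIG_RANDOMIZE_BASE=y in the build and no 'nokaslr' at boot.
    """
    flags = cpu_flags(cpuinfo_text)
    kconfig_lines = set(kconfig_text.splitlines())
    return {
        "SMEP": "smep" in flags and not cmdline_has(cmdline_text, "nosmep"),
        "SMAP": "smap" in flags and not cmdline_has(cmdline_text, "nosmap"),
        "KASLR": "CONFIG_RANDOMIZE_BASE=y" in kconfig_lines
                 and not cmdline_has(cmdline_text, "nokaslr"),
    }


def read_kernel_config():
    """Read the running kernel's config from /proc/config.gz or /boot/config-<release>, else ''."""
    proc_cfg = Path("/proc/config.gz")
    if proc_cfg.exists():
        with gzip.open(proc_cfg, "rt") as fh:
            return fh.read()
    boot_cfg = Path("/boot") / f"config-{os.uname().release}"
    return boot_cfg.read_text() if boot_cfg.exists() else ""


def live_posture():
    """Run the inventory against the local host (Linux only; returns None elsewhere)."""
    try:
        cpuinfo = Path("/proc/cpuinfo").read_text()
        cmdline = Path("/proc/cmdline").read_text()
    except OSError:
        return None
    return defense_posture(cpuinfo, cmdline, read_kernel_config())


# Constructed sample inputs, standing in for the three files on a real host.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae nx lm smep smap\n"
)
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz-6.2.0 root=/dev/sda1 ro quiet\n"
SAMPLE_KCONFIG = "CONFIG_SLUB=y\nCONFIG_RANDOMIZE_BASE=y\n"

if __name__ == "__main__":
    print("sample host:", defense_posture(SAMPLE_CPUINFO, SAMPLE_CMDLINE, SAMPLE_KCONFIG))
    print("this host:  ", live_posture())
```

Run it directly to see the constructed sample (all three active) next to the live host; a host that lacks /proc reports None rather than a false negative.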
“Our side-channel supported approach greatly enhances the reliability of cross-cache attacks from generic caches and makes them practical for exploitation,” researchers added. “Thus, it amplifies the effectiveness of exploitation methods employing cross-cache attacks.”
Like most side-channel attacks, SLUBStick requires local access with code execution on the target machine, plus a heap vulnerability in the Linux kernel, to obtain memory read and write access.
Further technical details of SLUBStick and its exploitability are provided in a dedicated GitHub repository, and the technique is also expected to be demonstrated at the USENIX Security conference.