Beyond Control: Exploring Novel File System Objects for Data-Only Attacks on Linux Systems

Published 31 Jan 2024 in cs.CR and cs.OS | (2401.17618v2)

Abstract: The widespread deployment of control-flow integrity has propelled non-control data attacks into the mainstream. In the domain of OS kernel exploits, by corrupting critical non-control data, local attackers can directly gain root access or privilege escalation without hijacking the control flow. As a result, OS kernels have been restricting the availability of such non-control data. This forces attackers to continue to search for more exploitable non-control data in OS kernels. However, discovering unknown non-control data can be daunting because they are often tied heavily to semantics and lack universal patterns. We make two contributions in this paper: (1) discover critical non-control objects in the file subsystem and (2) analyze their exploitability. This work represents the first study, with minimal domain knowledge, to semi-automatically discover and evaluate exploitable non-control data within the file subsystem of the Linux kernel. Our solution utilizes a custom analysis and testing framework that statically and dynamically identifies promising candidate objects. Furthermore, we categorize these discovered objects into types that are suitable for various exploit strategies, including a novel strategy necessary to overcome the defense that isolates many of these objects. These objects have the advantage of being exploitable without requiring KASLR, thus making the exploits simpler and more reliable. We use 18 real-world CVEs to evaluate the exploitability of the file system objects using various exploit strategies. We develop 10 end-to-end exploits using a subset of CVEs against the kernel with all state-of-the-art mitigations enabled.

Summary

  • The paper identifies critical file system key objects using combined static and dynamic analyses to map vulnerabilities in Linux kernels.
  • It develops comprehensive exploit strategies, including a novel 'Page UAF Strategy', to bypass KASLR constraints and escalate privileges.
  • The evaluation on 26 real-world CVEs reveals 18 exploitable vulnerabilities, highlighting significant security gaps in current kernel defenses.

Overview of "Beyond Control: Exploring Novel File System Objects for Data-Only Attacks on Linux Systems"

The paper entitled "Beyond Control: Exploring Novel File System Objects for Data-Only Attacks on Linux Systems" investigates the emerging threat of data-only attacks against the Linux kernel. As control-flow integrity (CFI) has significantly reduced the viability of traditional control-flow hijacking, attackers are increasingly turning to non-control data to achieve privilege escalation and root access.

Contributions

The authors make two principal contributions:

  1. Identification of File System Key Objects (FSKOs): The study undertakes a semi-automatic exploration of Linux kernel file subsystems, uncovering critical non-control data objects. The identification process combines static and dynamic analysis, resulting in a comprehensive mapping of kernel objects associated with file subsystems that can be exploited for privilege escalation.
  2. Development and Testing of Exploit Strategies: The paper categorizes the discovered objects into types that can be exploited via different strategies. A significant focus is given to strategies that bypass the constraints imposed by kernel address space layout randomization (KASLR), thus ensuring simpler and more reliable exploitation methods.

Methodology

Anchor Object Discovery

The authors begin by defining 'anchor objects,' non-control data elements within the file subsystem that are critical for privilege escalation. These anchors serve as starting points for broader identification and analysis. The study uses domain knowledge to focus explicitly on data related to file metadata, file content, and file operations, as these areas are inherently tied to file system privileges.

Cross-Layer Object Discovery

The static analysis component tracks the propagation of critical data fields identified in anchor objects. This tracking encompasses both forward and backward dependencies, identifying previously unknown objects across layers of the Linux file system. This rigorous analysis is aimed at expanding the set of potential targets that can be exploited, thus increasing the efficacy of data-only attacks.

Dynamic Verification

Dynamic verification validates the exploitability of identified objects. This stage involves manipulating runtime values and observing their impact on system privileges. Successful manipulation that leads to privilege escalation confirms the object's suitability for exploitation.
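The two stages above, reduced to a constructed toy model (added here; this is not the paper's framework, and every field, object and layer name is a hypothetical stand-in rather than a real kernel structure): a static pass that walks copy edges forward and backward from anchor fields to collect candidate objects across layers, followed by a verification pass that perturbs one candidate at a time in a mock permission check and keeps only the fields whose corruption actually changes the outcome for an unprivileged caller. The over-approximation of the first pass (fields such as the stat() copy of the owner are reached but have no privilege effect) is exactly what the second pass prunes, and the surviving fields are the ones a defender would prioritise for integrity protection.

```python
from collections import deque
# Constructed copy edges (source field -> destination field) that a static
# pass might recover across layers. All names are hypothetical stand-ins.
COPIES = [
    ("disk_inode.uid", "vfs_inode.uid"),    # fs layer -> VFS inode on load
    ("vfs_inode.uid", "stat_buf.uid"),      # VFS -> stat() result buffer
    ("disk_inode.mode", "vfs_inode.mode"),
    ("vfs_inode.mode", "file.mode_bits"),   # VFS -> open-file object
    ("file.mode_bits", "file.writable"),
    ("dentry.name", "path_buf.name"),       # unrelated to privilege
]
ANCHORS = {"vfs_inode.uid", "vfs_inode.mode"}  # file-metadata anchor fields
# Constructed baseline: root-owned file, mode 0644, opened read-only.
BASE = {"disk_inode.uid": 0, "disk_inode.mode": 0o644, "vfs_inode.uid": 0,
        "vfs_inode.mode": 0o644, "file.mode_bits": 0o444,
        "file.writable": False, "stat_buf.uid": 0}

def propagate(anchors, copies):
    """Cross-layer discovery: follow copies forward and backward from anchors."""
    fwd, bwd = {}, {}
    for src, dst in copies:
        fwd.setdefault(src, []).append(dst)
        bwd.setdefault(dst, []).append(src)
    seen, queue = set(anchors), deque(anchors)
    while queue:
        field = queue.popleft()
        for nxt in fwd.get(field, []) + bwd.get(field, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def may_write(state, uid=1000):
    """Mock permission check for an unprivileged caller (uid 1000)."""
    return bool(state["vfs_inode.uid"] == uid
                or state["vfs_inode.mode"] & 0o002
                or state["file.writable"])

def verify(candidates, base):
    """Dynamic-verification analogue: perturb one candidate field at a time
    in a copy of the state and keep those that flip the permission outcome."""
    confirmed = []
    for field in sorted(candidates):
        state = dict(base)
        state[field] = (1000 if field.endswith("uid")
                        else 0o777 if field.endswith("mode") else True)
        if not may_write(base) and may_write(state):
            confirmed.append(field)
    return confirmed
```

Running `verify(propagate(ANCHORS, COPIES), BASE)` on the constructed data reaches seven fields but confirms only the three that the mock check actually consults.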

Results and Analysis

The paper identifies and categorizes a multitude of FSKOs from the Linux kernel's file subsystem. A key finding is that many of these objects can be exploited without bypassing KASLR, which lets them be paired with vulnerabilities offering a range of write primitives rather than only those that also leak addresses.

One of the novel contributions is the introduction of a 'Page UAF Strategy,' which leverages page-level use-after-free conditions to reach objects that the kernel keeps isolated from ordinary heap corruption. This strategy lets an attacker turn such vulnerabilities into full exploit capabilities without relying on cross-cache techniques or explicit information leaks.

Evaluation and Implications

The evaluation of 26 real-world CVEs shows that 18 are exploitable using the identified FSKOs with various strategies. This validation underscores the practical implications of the research, highlighting potential gaps in current OS kernel defenses against non-control data attacks.

Conclusion

This research extends the frontier of understanding regarding non-control data threats, emphasizing the need for OS developers and security professionals to revisit kernel defenses. The identification of novel FSKOs that do not necessitate KASLR circumvention suggests a shifting landscape where non-control data elements play a central role in exploit development.

These insights bear directly on the design of future kernel defenses and on the theoretical understanding of OS vulnerabilities. As operating systems evolve, tracking and protecting non-control data will become increasingly critical to maintaining secure system operation.
