Linux Security Techniques

Synthetic Memory Protections: An update on ROP mitigations

Linux Kernel Defence Map

Features Presented by GRSecurity

  • HARDENED_USERCOPY: bounds-checks copies made with copy_from_user/copy_to_user so that a copy cannot overflow the destination heap object or stack buffer
  • SLAB_FREELIST_HARDENED: obfuscates the slab freelist pointers, making it harder for an attacker to hijack allocations
  • SLAB_FREELIST_RANDOM: randomizes the freelist order of new slab pages, reducing the predictability of slab layout and so mitigating heap overflows
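A quick way to verify which of the three mainline options above are enabled on a given kernel is to read its build configuration. The script below is an added example, not part of the original page or of grsecurity; the option names are the real mainline Kconfig symbols (CONFIG_HARDENED_USERCOPY, CONFIG_SLAB_FREELIST_HARDENED, CONFIG_SLAB_FREELIST_RANDOM), and the fallback sample config is constructed so the script also runs where no kernel config is readable.

```shell
#!/bin/sh
# Added example (not from the original page): report which slab/usercopy
# hardening options are enabled in a kernel config. Option names are the
# mainline Kconfig symbols; the fallback sample config below is constructed.

# check_slab_hardening CONFIG_TEXT
# Prints "OPTION=y" or "OPTION=missing" for each option and returns 1 if
# any of them is not enabled (a "# ... is not set" line counts as missing).
check_slab_hardening() {
    config_text="$1"
    rc=0
    for opt in CONFIG_HARDENED_USERCOPY CONFIG_SLAB_FREELIST_HARDENED CONFIG_SLAB_FREELIST_RANDOM; do
        if printf '%s\n' "$config_text" | grep -qx "$opt=y"; then
            echo "$opt=y"
        else
            echo "$opt=missing"
            rc=1
        fi
    done
    return $rc
}

# load_kernel_config: emit the running kernel's config if it is readable,
# otherwise a constructed sample in which freelist randomisation is left off.
load_kernel_config() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    else
        printf '%s\n' \
            'CONFIG_HARDENED_USERCOPY=y' \
            'CONFIG_SLAB_FREELIST_HARDENED=y' \
            '# CONFIG_SLAB_FREELIST_RANDOM is not set'
    fi
}

# Stand-alone use: print the per-option status and a one-line summary.
check_slab_hardening "$(load_kernel_config)" \
    || echo "warning: at least one slab hardening option is not enabled"
```

On a distribution kernel the first branch is normally taken; the exit status makes the check easy to drop into a baseline or compliance script.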

AUTOSLAB

How AUTOSLAB Changes the Memory Unsafety Game

AUTOSLAB is an isolation-based approach in which each generic allocation site (each call site of the k*alloc* family) gets its own dedicated memory cache.

It features:

  1. only objects of the same type can be adjacent to each other
  2. isolating objects in different caches prevents a freed vulnerable object from being reclaimed by a spray object of a different type

Weaknesses:

  1. It relies on manual effort to annotate the allocation wrappers and inline them.
  2. Cross-cache attacks may still bypass AutoSLAB.

Performance: a kernel with AUTOSLAB enabled runs 0.08% slower than one without it.

Same-Type Object Reuse

Canary in the Kernel Mine: Exploiting and Defending Against Same-Type Object Reuse

POC

dangling file object

Linux file objects use a dedicated slab cache.