Linux
Linux Security Techniques
Synthetic Memory Protections: An update on ROP mitigations
Features Presented by GRSecurity
HARDENED_USERCOPY: checks memory copies made through copy_from/to_user and rejects copies that would overflow a heap object or a stack buffer
SLAB_FREELIST_HARDENED: obfuscates the slab freelist pointers, making it hard for attackers to hijack the allocation
SLAB_FREELIST_RANDOM: randomizes the freelist order for new slab pages, reducing the predictability of the slab layout and so mitigating heap overflows
AUTOSLAB
How AUTOSLAB Changes the Memory Unsafety Game
AUTOSLAB is an isolation-based approach in which each generic allocation site (each call to k*alloc*) gets its own dedicated memory cache.
It features:
- only two objects of the same type can be adjacent to each other
- isolating objects in different caches prevents a freed vulnerable object from being reclaimed by a spray object of a different type than the vulnerable one.
Weaknesses:
- It relies on manual effort to annotate the wrappers and inline them.
- Cross-cache attack may abuse AutoSLAB.
Performance: the kernel with AUTOSLAB enabled runs 0.08% slower than the one without AUTOSLAB.
Same-Type Object Reuse
Canary in the Kernel Mine: Exploiting and Defending Against Same-Type Object Reuse
dangling file object
Linux file objects use a dedicated slab cache.