The SLUBStick cross-cache attack has emerged as a groundbreaking method for exploiting vulnerabilities in the Linux kernel. Discovered by researchers from Graz University of Technology, this sophisticated technique affects Linux kernel versions 5.9 to 6.2 and enables attackers to gain arbitrary memory read-and-write capabilities.
With a success rate of 99% in converting restricted heap vulnerabilities into broad memory manipulation, SLUBStick represents a significant evolution in kernel exploitation techniques. Its ability to bypass advanced kernel defenses such as Supervisor Mode Execution Prevention (SMEP), Supervisor Mode Access Prevention (SMAP), and Kernel Address Space Layout Randomization (KASLR) highlights its potent threat level.
Decoding the SLUBStick Cross-Cache Attack
The SLUBStick cross-cache attack exploits timing side-channel vulnerabilities in the Linux kernel’s SLUB memory allocator. It operates in several stages, from timing side-channel exploitation to controlling memory recycling and reclamation precisely.
Attackers monitor allocation and deallocation timings to predict and manipulate memory reuse. Once side-channel data is collected, SLUBStick forces the recycling of memory pages that have write capabilities by first freeing a writable memory object and then allocating new objects to reclaim the same slab page for sensitive object types.
This leads to a cross-cache attack where the reclaimed slab page is used to overwrite sensitive memory, turning a limited heap vulnerability into a full arbitrary read-and-write primitive. SLUBStick has been demonstrated to be effective across various Linux kernel versions and configurations.
Researchers validated its potency using synthetic and real-world vulnerabilities, including nine Common Vulnerabilities and Exposures (CVEs), showing its ability to escalate privileges and escape containers on both 32-bit and 64-bit systems. This versatility underscores SLUBStick’s significant impact on kernel security.
Despite modern kernel defenses such as SMEP, SMAP, and KASLR, SLUBStick remains effective. These defenses are intended to prevent unauthorized memory access and mitigate exploit attempts, but SLUBStick’s advanced approach to memory manipulation and timing attacks allows it to circumvent these protections. The attack’s success across various scenarios highlights its potential threat to Linux-based systems.
Presentation and Technical Analysis
SLUBStick will be detailed at the upcoming Usenix Security Symposium, with a technical paper already published. This paper provides an exhaustive analysis of the attack, including its execution and potential exploitation scenarios. The researchers explain how SLUBStick employs timing side-channel techniques, memory allocation patterns, and methods to overcome previous limitations in cross-cache attacks.
SLUBStick represents a significant threat to kernel security due to its ability to exploit limited heap vulnerabilities with high reliability. The attack’s success rate surpasses earlier techniques, making it a critical concern for systems utilizing Linux kernels. The threat model assumes that an attacker has unprivileged code execution and that the kernel incorporates all modern defense mechanisms, such as WˆX, KASLR, SMAP, and kernel control-flow integrity (kCFI). This highlights the ongoing challenge of protecting kernel memory in complex systems and the need for continuous improvements in kernel security measures.
SLUBStick’s technical approach to arbitrary memory read-and-write capabilities involves a multi-stage process. Initially, it exploits a heap vulnerability to acquire a Memory Write Primitive (MWP), which allows writing to memory locations previously freed.
SLUBStick then triggers the recycling of the slab’s memory chunk by deallocating all objects within it, with the MWP remaining valid and referring to the recycled memory. In the second stage, the attack reclaims this recycled memory chunk for use in page tables, crucial for translating user space addresses.
SLUBStick allocates page tables that point to the recycled memory, which stores important information such as page frame numbers and access permissions. The final stage involves using the MWP to overwrite memory referenced by the page table, enabling the attacker to alter page frame numbers and permissions.
This manipulation provides access to any physical page, including modifying kernel code or sensitive files like /etc/passwd. SLUBStick has demonstrated its ability to evade existing kernel defenses with remarkable success, achieving over 99% reliability for single-page-size chunks and up to 82% for multi-page-size chunks.
SLUBStick Addresses Several Technical Challenges
SLUBStick addresses the instability of cross-cache attacks by employing a timing side-channel attack on the SLUB allocator to reliably trigger memory recycling. By measuring allocation times, SLUBStick ensures precise control over when targeted memory chunks are recycled.
It converts kernel heap vulnerabilities, such as double-free or use-after-free, into a functional Memory Write Primitive (MWP) by managing dangling pointers and extending the time window for their use, thus overcoming Kernel Address Space Layout Randomization (KASLR) randomness.
SLUBStick’s approach includes grouping allocated objects by their slabs and using precise timing methods like the add_key syscall to ensure accurate recycling. Experimental validation shows that SLUBStick is effective, with high success rates for single-page-size chunks and reliable performance despite noise and interference. This technique marks a significant advancement in kernel exploitation, demonstrating its capacity to bypass modern defenses and escalate privileges.
The research highlights the need for enhanced kernel security measures to address such sophisticated threats and highlights SLUBStick’s role in driving ongoing improvements in safeguarding kernel memory.
