Linux Kernel Exploitation: Earning Its Pwnie A Vuln At A Time, presented at SOURCE Boston 2010

by Jon Oberheide,

Tags: Security Community Exploitation

Summary : As userspace applications and services become increasingly hardened against traditional memory corruption exploits, operating system kernels have become a source for abundant exploitation opportunities. In particular, the Linux kernel has recently suffered a bout of severe and high-profile vulnerabilities and drawn ire from the security community for it's mishandling of bugs with known security impact, resulting in a Pwnie award for "Lamest Vendor Response". Given the importance the Linux operating system plays in many enterprise environments, it is necessary to understand the strengths and weaknesses of its kernel's security. In this presentation, we'll explore these strengths and weaknesses by diving deep into the exploitation of vulnerabilities in the Linux kernel. Using real-world vulnerabilities and exploits, we'll detail the traditional classes of kernel vulnerabilities such as control flow hijacking (via stack smashing and SLAB/SLUB/SLOB allocator corruption), invalid userland memory accesses (including NULL pointer dereferences), and information leakage. In addition to traditional bug classes, we'll cover the semantic vulnerabilities inherent in complex operating systems that require deep knowledge of kernel internals to identify and exploit subtle conditions (e.g. desynchronization in the VM subsystem), some of which have previously thought to be unexploitable. We'll also explore the attack surface of the Linux kernel and enumerate the most common vulnerability entry points using historical data. Lastly, we'll release several tools assisting vulndev/auditing and discuss the effectiveness of deployed countermeasures and best current practices for securing the Linux kernel.