Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Canary in the Kernel Mine: Exploiting and Defending Against Same-Type Object Reuse

grsecurity - Mathias Krause, posted 2 years ago
  • grsecurity ships a Linux kernel with a bunch of extra security protections in it. In this post, they detail a protection they created that was inspired by a real bug they found in the Nitro Enclaves driver, caused by bad error handling.
  • The authors found that a bug in the kernel driver left a stale file pointer in the process's file descriptor table. If the file object were reallocated, this dangling reference would have allowed sensitive data, such as /etc/shadow, to be read.
  • What's interesting about this bug is that it was immune to every other mitigation in the kernel, including the ones added by grsecurity. No type confusion, ASLR leak, or anything else is required. All we need is to get lucky with the file pointer and we're good to go. In essence, we have a same-type, same-address use after free bug.
  • The authors chose to add an extra field to the struct file type that can take one of three values. Whenever the pointer is fetched or stored, the field is checked for validity. This alone isn't enough to kill the bug class, though, since the reallocation may make the dangling pointer look valid once again.
  • To fix this, they added a layer of randomness: a reallocated object now lands at a different memory address, so the dangling pointer no longer points to the beginning of the reallocated object. Since the magic value cannot be found there, the validation fails. This only works 90% of the time, though. They found another occurrence of this vulnerability class within the vmwgfx driver, and once they triggered it, the check caught the invalid file pointer. Pretty neat detection of the vulnerability.
  • This helps for the file object, but what about other types? Reuse of struct cred can be a horrifying vulnerability class, so they decided to mitigate that as well. They added a canary to the structure but didn't want to patch every access of it by hand, so they wrote a GCC compiler plugin to do it for them automatically. This was tested against a known vulnerability to confirm it worked.
  • Overall, this is an interesting post into the world of kernel security and mitigations, with good explanations and walk-throughs of the various mitigations.
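As an added illustration (my own toy model, not code from the grsecurity post), the C below simulates the two pieces of the struct file mitigation described above: a validation field checked on every fetch, plus random placement of a reallocated object inside its slab chunk. The struct, constants and function names are assumptions; the counting function shows why only an exact same-offset reuse slips past the check, which is the residual miss rate the post mentions.

```c
#include <stdint.h>
#include <string.h>

/* Validation field modelled on the post's extra struct file member;
   these names and magic values are assumptions, not grsecurity's. */
#define OBJ_LIVE 0x5a5a1234u
#define OBJ_DEAD 0xdeadbeefu   /* poison written on free */

struct file_like {
    uint32_t canary;   /* checked on every fetch of the pointer */
    int owner_pid;
    char secret[16];   /* stands in for data a stale pointer must not reach */
};

/* One slab chunk, larger than the object so each allocation can be placed
   at a random 4-byte offset inside it (the randomized placement). */
#define CHUNK_SIZE 64
#define SLOTS ((CHUNK_SIZE - sizeof(struct file_like)) / sizeof(uint32_t))
static _Alignas(uint32_t) unsigned char chunk[CHUNK_SIZE];

static struct file_like *alloc_obj(unsigned seed) {
    size_t off = (seed % SLOTS) * sizeof(uint32_t);
    struct file_like *f = (struct file_like *)(chunk + off);
    memset(f, 0, sizeof(*f));
    f->canary = OBJ_LIVE;
    return f;
}
static void free_obj(struct file_like *f) { f->canary = OBJ_DEAD; }

/* The fetch-time check: only a live canary yields the object. */
static struct file_like *fget_checked(struct file_like *f) {
    return (f && f->canary == OBJ_LIVE) ? f : NULL;
}

/* A pointer dangles after free, then the memory is reused for a same-type
   object holding sensitive data. Returns 1 if the check rejects the stale
   pointer, 0 if it slips through. */
int stale_pointer_rejected(unsigned seed_old, unsigned seed_new) {
    struct file_like *dangling = alloc_obj(seed_old);
    free_obj(dangling);
    struct file_like *victim = alloc_obj(seed_new);
    strcpy(victim->secret, "root:hash");  /* constructed sample value */
    return fget_checked(dangling) == NULL;
}

/* How many of the SLOTS reallocation offsets the canary catches; only an
   exact same-offset reuse defeats it. */
int detectable_reuses(unsigned seed_old) {
    int n = 0;
    for (unsigned s = 0; s < SLOTS; s++) n += stale_pointer_rejected(seed_old, s);
    return n;
}
```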