“While other kernel bugs and vulnerabilities have been examined and remedied, uninitialised-use bugs are not well studied, and to date, no practical defence mechanisms have been developed to protect against these attacks,” said researcher Kangjie Lu.
To demonstrate the security risk to the kernel, the team developed an approach they dubbed ‘targeted stack spraying’.
According to the university, the approach combines a technique that occupies large portions of memory to control the stack with an automated attack that probes the stack for weaknesses a user-mode program can exploit: code paths that can be driven from user space and that leave attacker-controlled data on the kernel stack.
Ultimately, the goal of the attack is to reliably control the value of a specific uninitialised stack variable in the running kernel.
“Our research shows that utilising the targeted stack-spraying approach allows attackers to reliably control more than 91 percent of the Linux kernel stack, which, in combination with uninitialised-use vulnerabilities, suffices for a privilege escalation attack,” said Lu.
“Our mitigation approach leverages the fact that uninitialised-use attacks usually control an uninitialised pointer to achieve arbitrary read/write/execution,” said Lu. “By zero-initialising pointer-type fields that the compiler cannot prove are properly initialised before they are used, we can prevent an adversary from controlling these pointers.”
To limit the performance overhead of zero-initialising pointer-type fields, the team developed a check that determines whether a pointer field is properly initialised before it is used; only pointer fields that cannot be shown to be initialised are zeroed.
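To make both halves concrete, here is an added C example; it is not code from the paper or from the researchers. Two hypothetical "system calls" model the attack: `spray_syscall` copies a user buffer into a stack-local object and returns without clearing it (the spraying step), and `vuln_syscall` then declares a `struct req` on the stack and leaves its pointer field `handler` uninitialised, so it picks up whatever the dead frame left behind. `hardened_syscall` shows the mitigation the text describes: the pointer field that cannot be proven initialised is zeroed, while `flags`, which every path writes, is left alone. The struct layout, function names and the 0x41 payload are assumptions made for illustration; whether the stale bytes actually land on the uninitialised field depends on the compiler's frame layout, so that part is best-effort, whereas the hardened path is deterministic.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical kernel-style request object (constructed for this example).
 * `flags` is written on every path; `handler` is a pointer field that one
 * code path forgets to initialise. */
struct req {
    int flags;
    void (*handler)(struct req *);
};

#define REQ_HAS_HANDLER 0x1

/* Sink that keeps the compiler from discarding the sprayed buffer. */
static void __attribute__((noinline)) sink(const volatile unsigned char *p, size_t n)
{
    (void)p; (void)n;
}

/* "Syscall A": models a system call that copies a user-supplied buffer into a
 * stack-local object and returns without clearing it. Calling it with
 * attacker-chosen bytes is the stack-spraying step. Returns bytes copied. */
size_t __attribute__((noinline)) spray_syscall(const unsigned char *user_buf, size_t n)
{
    volatile unsigned char scratch[128];
    if (n > sizeof scratch) n = sizeof scratch;
    for (size_t i = 0; i < n; i++) scratch[i] = user_buf[i];
    sink(scratch, n);
    return n;
}

/* Sprays a constructed 0x41 pattern (not a real address) and returns bytes copied. */
size_t demo_spray(void)
{
    unsigned char payload[128];
    memset(payload, 0x41, sizeof payload);
    return spray_syscall(payload, sizeof payload);
}

/* Reads the raw bits of r->handler without dereferencing it. Being a separate
 * function, it forces a real load from the caller's stack slot. */
static uintptr_t __attribute__((noinline)) peek_handler(const struct req *r)
{
    uintptr_t raw;
    memcpy(&raw, &r->handler, sizeof raw);
    return raw;
}

/* "Syscall B", vulnerable: r.handler is never written on this path, so it holds
 * whatever the previous frame left in that stack slot. A real kernel would call
 * it; here the stale value is only returned so the demo does not crash. */
uintptr_t __attribute__((noinline)) vuln_syscall(int user_flags)
{
    struct req r;
    r.flags = user_flags;            /* initialised: the compiler can prove this */
    /* BUG: r.handler is left uninitialised. */
    if (r.flags & REQ_HAS_HANDLER)
        return peek_handler(&r);     /* attacker-influenced pointer value */
    return 0;
}

/* "Syscall B", hardened in the spirit of the described mitigation: the pointer
 * field that cannot be proven initialised before use is zeroed; `flags` is
 * always written first and needs no extra store. Returns 1 if a handler was
 * dispatched, 0 if the request was rejected. */
int __attribute__((noinline)) hardened_syscall(int user_flags)
{
    struct req r;
    r.handler = NULL;                /* zero-initialise the unproven pointer field */
    r.flags = user_flags;
    if ((r.flags & REQ_HAS_HANDLER) && r.handler != NULL) {
        r.handler(&r);
        return 1;
    }
    return 0;                        /* stale stack data can no longer reach the call */
}

int main(void)
{
    demo_spray();
    uintptr_t stale = vuln_syscall(REQ_HAS_HANDLER);
    /* Often prints 0x4141... when the frames overlap; layout-dependent. */
    printf("vulnerable path saw handler = 0x%" PRIxPTR "\n", stale);
    demo_spray();
    printf("hardened path dispatched?   %d\n", hardened_syscall(REQ_HAS_HANDLER));
    return 0;
}
```

Build with `gcc -O0` to make the frame overlap most likely; at higher optimisation levels the two frames may no longer coincide, which is exactly why the paper treats reliable control of the stack as the hard part of the attack. The hardened variant's extra store is the whole cost of the mitigation for this struct.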
A paper titled ‘Unleashing use-before-initialization vulnerabilities in the Linux kernel using targeted stack spraying’ was presented at the Network and Distributed System Security Symposium (NDSS) in California.