Cybersecurity researchers have shed light on a new Linux kernel exploitation technique called SLUBStick, which could be used to elevate a limited heap vulnerability to an arbitrary memory read/write primitive.
SLUBStick, How the New Linux Kernel Hacking Technique Works
“It initially exploits an allocator timing side channel to reliably perform a cross-cache attack,” a team of academics from Graz University of Technology wrote (the report is available via this PDF), and the experts then added: “Concretely, exploiting the side channel leakage brings the success rate above 99% for frequently used general-purpose caches.”
Memory security vulnerabilities that affect the Linux kernel have limited capabilities and are much more difficult to exploit due to security features such as supervisory mode access prevention (SMAP), kernel address space layout randomization (KASLR), and kernel control flow integrity (kCFI).
Fortunately, SLUBStick appears to have some limitations.
Although software cross-cache attacks were devised as a way to counter kernel hardening strategies such as coarse heap splitting, studies have shown that existing methods have only a 40% success rate.
SLUBStick has been demonstrated on Linux kernel versions 5.19 and 6.2 using nine security vulnerabilities (e.g., double free, use after free, and out-of-bounds write) discovered between 2021 and 2023, leading to unauthenticated root elevation and container escapes.
The three phases with which slubstick “perforates” the Linux kernel, bypassing permissions
The main idea behind the approach is to provide the ability to modify kernel data and obtain arbitrary memory read and write primitives in a way that reliably bypasses existing defenses such as KASLR.
However, for this to work, the threat model assumes that there is a heap vulnerability in the Linux kernel and that an unprivileged user has code execution capabilities.
“SLUBStick exploits newer systems, including versions 5.19 and 6.2, for a wide range of heap vulnerabilities,” the researchers said.
Linux, the myth of its “impenetrability” increasingly less true
Despite Linux’s reputation as a highly secure and nearly impenetrable operating system, techniques like SLUBStick demonstrate that this perception is increasingly far from reality.
SLUBStick is not in fact the first method discovered to “perforate” the kernel: over the years, several advanced exploitation techniques have emerged that have highlighted previously unconsidered vulnerabilities.
One of the major security issues on Linux is the lack of a standardized method of virus detection, which makes it extremely difficult for users to know if their systems have been compromised, and this small security flaw highlights the need for more robust solutions and greater awareness of emerging threats, especially as attack techniques become increasingly sophisticated.
If on Windows, for example, we have Windows Defender, there is no equivalent (at present) on Linux operating systems, even if Open Source projects like ClamAV come a little close (but are difficult to configure).
Recent vulnerabilities discovered on Linux
In recent times, several critical vulnerabilities have been discovered in the Linux kernel that highlight the need for greater attention to security. Some of these include:
Dirty Pipe (CVE-2022-0847): A vulnerability that allows unprivileged users to overwrite data in read-only files. Spectre and Meltdown: A family of vulnerabilities that exploit speculative processor execution to access sensitive data. StackRot (CVE-2023-3269): A vulnerability that allows escalation of privilege via improper stack management. BleedingTooth (CVE-2020-12351): A bug in the Bluetooth subsystem that allows remote code execution. Sequoia (CVE-2021-33909): A vulnerability that allows escalation of privilege via improper file system management.
These findings highlight that while Linux is generally considered secure, it is not immune to serious vulnerabilities that require timely attention and updates.