Researchers at the Graz University of Technology in Austria have found a new cross-cache attack (PDF) that can bypass modern kernel defenses and provide arbitrary read and write access. The exploits involved affect Linux kernel versions 5.19 and 6.2.
The team has dubbed the attack technique SLUBStick. This attack vector takes advantage of memory reuse of the kernel allocator in a novel way, making it more reliable than most other cross-cache attacks. Whereas most cross-cache attacks have a success rate of just 40%, the researchers pushed SLUBStick to a 99% success rate for frequently used generic caches.
This success rate comes despite the modern security protections available for the Linux kernel. Recognizing the susceptibility of the Linux kernel to memory safety vulnerabilities, researchers and kernel developers have included defenses to inhibit the success of cross-cache attacks.
SLUBStick, however, is capable of bypassing Supervisor Mode Execution Prevention (SMEP), Supervisor Mode Access Prevention (SMAP), and Kernel Address Space Layout Randomization (KASLR). The researchers note that existing kernel defenses promise to reduce SLUBStick’s threat, but none currently provide comprehensive protection. Therefore, the danger of exploitation via SLUBStick is still natural, even with kernel defenses in use.
SLUBStick takes advantage of a heap vulnerability in Linux’s memory management to gain elevated privileges, break out of sandbox environments in virtual machines, and gain root access to the host system. Even worse, the technique uses a side-channel exploit to observe memory usage and determine the exact moment of whether or not to reallocate a memory hash. This means that SLUBStick can predict and control memory reuse to increase its success rate.
For SLUBStick to work, attackers need local access to the attacked Linux system. The attack also requires the presence of a heap vulnerability in the Linux kernel, which has been found in both the 5.19 Linux kernel and the 6.2 kernel.
The researchers systematically analyzed the attack on the two Linux kernel versions, finding that SLUBStick was effective at executing on generic cache from kmalloc-08 through kmalloc-4096. Using a synthetic vulnerability and nine real-world CVEs, they tested the attack method to escalate privileges and gain root access.
SLUBStick was tested on both x86 and aarch64 virtual machines, and it is equally effective on Intel—and AMD-based processors and Arm CPUs. The team notes that the attack technique afforded by SLUBStick “greatly enhances the reliability of cross-cache attacks from generic caches and makes them practical for exploitation.” In other words, SLUBStick can make other attacks more successful and effective.
