跨缓存游戏：以更有效的方式赢得胜利.pdf

1、#BHASIA BlackHatEventsGame of Cross Cache:Game of Cross Cache:Lets win it in a more effective way!Lets win it in a more effective way!Le Wu From Baidu Security#BHASIA BlackHatEventsAbout me Le Wu,NVamous on Twitter Focus on Android/Linux vulnerability Dirty Pagetable A novel technique to rule the Li

2、nux Kernel 1 Blackhat USA,Europe,Asia1:https:/yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html#BHASIA BlackHatEventsAgenda Introduction to Cross-cache attack Challenges in Cross-cache attack Advancing Towards a More Effective Cross-cache Attack Exploit File UAF with Dirty Pagetable Summ

3、aryIntroduction to Cross-cache attackA Simplified Cross-cache Attack For UAFUAF(Object A or object B could be pages or other kinds of memory regions)Trigger UAF to release the victim object A;Reclaim the victim slab of victim object A to Page allocator;kmem_cache B reuse the pages of victim slab,and

4、 object A is reallocated as object B;Make use of corrupted object B to get ROOT;corrupt the object BOperations to victim object A;Cross-cache attack is getting popular:Original vulnerable object is not exploitable,especially the one allocated from a dedicated kmem_cacheTransform the unknown vulnerab

5、ility to well-known one to simplify the exploitationBuild data-only exploitation techniques to defeat growing mitigations like KASLR,PAN,CFI.MethodCross-cache FromCross-cache Toret2dir*direct mappingret2page*kernel allocated pageDrity Cred*struct credDirty Pagetable*user page table.Introduction to C

6、ross-cache attackWell,its known as an unstable technique.Introduction to Cross-cache attackCan we make it less unstable,or in other words,more efficient?Common workflow of Cross-cache attackStep0.Common knowledge for SLUB allocatorobjs_per_slab:number of objects in a single slaborder:order of pages