Advertisement

Randomization Can’t Stop BPF JIT Spray

  • Elena Reshetova
  • Filippo Bonazzi
  • N. Asokan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10394)

Abstract

The Linux kernel Berkeley Packet Filter (BPF) and its Just-In-Time (JIT) compiler are actively used in various pieces of networking equipment where filtering speed is especially important. In 2012, the Linux BPF/JIT compiler was shown to be vulnerable to a JIT spray attack; fixes were quickly merged into the Linux kernel in order to stop the attack. In this paper we show two modifications of the original attack which still succeed on a modern 4.4 Linux kernel, and demonstrate that JIT spray is still a major problem for the Linux BPF/JIT compiler. This work helped to make the case for further and proper countermeasures to the attack, which have then been merged into the 4.7 Linux kernel.

Keywords

Network security Berkeley Packet Filter JIT spray 

Notes

Acknowledgments

The authors would like to thank Daniel Borkmann for his helpful discussions about BPF/JIT, and his readiness and enthusiasms to make it more secure.

References

  1. 1.
    A detailed description of the Data Execution Prevention (DEP) feature (2016). support.microsoft.com/en-us/kb/875352
  2. 2.
    Intel\(\textregistered \) 64 and IA-32 Architectures Software Developer’s Manual (2016). www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-manual-325462.pdf
  3. 3.
    SECure COMPuting with filters (2016). www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
  4. 4.
    Athanasakis, M., et al.: The Devil is in the Constants: Bypassing Defenses in Browser JIT Engines. In: NDSS (2015)Google Scholar
  5. 5.
    Bania, P.: JIT spraying and mitigations. arXiv preprint (2010). arXiv:1009.1038
  6. 6.
    Blazakis, D.: Interpreter Exploitation: Pointer Inference and JIT Spraying (2016). www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf
  7. 7.
    Borkmann, D.: On getting tc classifier fully programmable with cls_bpf (2016). www.netdevconf.org/1.1/proceedings/papers/On-getting-tc-classifier-fully-programmable-with-cls-bpf.pdf
  8. 8.
    Chen, P., Fang, Y., Mao, B., Xie, L.: JITDefender: a defense against JIT spraying attacks. In: IFIP, pp. 142–153 (2011)Google Scholar
  9. 9.
    Cook, C.: Status of the Kernel Self Protection Project (2016). outflux.net/slides/2016/lss/kspp.pdf
  10. 10.
    Corbet, J.: A JIT for packet filters (2012). lwn.net/Articles/437981
  11. 11.
    Corbet, J.: The kernel connection multiplexer (2015). lwn.net/Articles/657999/
  12. 12.
    Edge, J.: “Strong” stack protection for GCC (2014). lwn.net/Articles/584225/
  13. 13.
    Gorman, M.: Understanding the Linux virtual memory manager (2004)Google Scholar
  14. 14.
    Homescu, A., Brunthaler, S., Larsen, P., Franz, M.: Librando: transparent code randomization for just-in-time compilers. In: CCS, pp. 993–1004 (2013)Google Scholar
  15. 15.
    Jang, Y., Lee, S., Ki, T.: Breaking Kernel Address Space Layout Randomization with Intel TSX. In: CCS, pp. 380–392 (2016)Google Scholar
  16. 16.
    Jangda, A., Mishra, M., Baudry, B.: libmask: protecting browser JIT engines from the devil in the constants. In: PST (2016)Google Scholar
  17. 17.
    McAllister, K.: Attacking hardened Linux systems with kernel JIT spraying (2012). mainisusuallyafunction.blogspot.de/2012/11/attacking-hardened-linux-systems-with.html
  18. 18.
    McCanne, S., Jacobson, V.: The BSD packet filter: a new architecture for user-level packet capture. In: USENIX Winter, vol. 46 (1993)Google Scholar
  19. 19.
    Mogul, J.: Efficient use of workstations for passive monitoring of local area networks, vol. 20. ACM (1990)Google Scholar
  20. 20.
    Mogul, J., Rashid, R., Accetta, M.: The packer filter: an efficient mechanism for user-level network code, vol. 21. ACM (1987)Google Scholar
  21. 21.
    Schulist, J., et al.: Linux Socket Filtering aka Berkeley Packet Filter (BPF) (2016). www.kernel.org/doc/Documentation/networking/filter.txt
  22. 22.
    Song, C., Zhang, C., Wang, T., Lee, W., Melski, D.: Exploiting and Protecting Dynamic Code Generation. In: NDSS (2015)Google Scholar
  23. 23.
    Starovoitov, A.: Tracing: attach eBPF programs to kprobes (2015). lwn.net/Articles/636976/
  24. 24.
    PaX Team: PaX address space layout randomization (ASLR) (2003)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Intel OTCEspooFinland
  2. 2.Aalto UniversityHelsinkiFinland
  3. 3.University of HelsinkiHelsinkiFinland

Personalised recommendations