Explore the resurgence of stack overflow vulnerabilities in the Linux kernel in this technical conference talk. Delve into an analysis of recent Linux CVEs involving kernel stack issues, understanding why exploitation is challenging without weakening certain security controls. Learn about the characteristics of an ideal vulnerability that could bypass current protections. Examine Nftables bugs involving NFT registers as a case study, discovering how they can be leveraged for KASLR leaks and controlled structure address acquisition. Investigate techniques to overcome SMEP/SMAP protections and expand payload space within limited register capacity. Gain insights into the softirq exit routine necessary to avoid stack guard checks and kernel panics. Conclude with a discussion on potential mitigation strategies, including the pros and cons of enabling CONFIG_STATIC_USERMODEHELPER, implementing pointer authentication, and the speaker's custom solution for per-softirq kernel stack randomization.
Overview
Syllabus
#HITB2023AMS #COMMSEC D2 - The Return Of Stack Overflows In The Linux Kernel - Davide Ornaghi
Taught by
Hack In The Box Security Conference