Today I suggest another interesting paper from security.com entitled “A Heap of Trouble: Breaking the Linux Kernel SLOB Allocator“. In this paper, Dan Rosenberg evaluates the implementation of the Linux kernel SLOB allocator to assess exploitability. He presents new techniques for attacking the SLOB allocator, whose exploitation has not been publicly described. These techniques will apply to exploitation scenar- ios that become progressively more constrained, starting with an arbitrary- length, arbitrary-contents heap overflow and concluding with an off-by-one NULL byte overflow.
The paper offers a nice background on Kernel Allocators, the following picture sums up the entire section
The paper follows on describing some different ways to compromise the linux kernel allocator, such as:
- Block Data Overwrite
- Free Pointer Overwrite
- Free Small Block Attack
- Block Growth Attack
- Little Endian Block Fragmentation Attack
- Big Endian Block Fragmentation Attack
The above pictures are taken from the original paper, each one represents the corresponding attack scenario. I decided to paste them here just to remember the main attack principles. Have a nice reading.