Cybersecurity researchers have uncovered a new Linux kernel exploitation technique known as SLUBStick, which can be used to escalate a limited heap vulnerability to an arbitrary memory read-and-write primitive.
“Initially, it exploits a timing side-channel of the allocator to perform a cross-cache attack reliably,” a group of academics from the Graz University of Technology explained [PDF]. “By exploiting the side-channel leakage, the success rate for frequently used generic caches exceeds 99%.”
Memory safety vulnerabilities in the Linux kernel give an attacker only limited capabilities and are harder to exploit because of security features such as Supervisor Mode Access Prevention (SMAP), kernel address space layout randomization (KASLR), and kernel control flow integrity (kCFI).
While software cross-cache attacks have been developed to bypass kernel hardening strategies such as coarse-grained heap separation, current methods have a success rate of only 40%.
SLUBStick has been tested on versions 5.19 and 6.2 of the Linux kernel using nine security vulnerabilities discovered between 2021 and 2023, achieving privilege escalation to root without authentication as well as container escapes.
The core idea behind the approach is to enable modification of kernel data and obtain an arbitrary memory read-and-write primitive that reliably bypasses existing defenses such as KASLR.
However, for this to be effective, the threat model assumes the presence of a heap vulnerability in the Linux kernel and that an unprivileged user has code execution capabilities.
“SLUBStick targets more recent systems, including v5.19 and v6.2, for various heap vulnerabilities,” the researchers noted.