当前位置:首页 > 报告详情

跨缓存游戏:以更有效的方式赢得胜利.pdf

上传人: 鲁** 编号:615426 2025-03-03 93页 3.95MB

1、#BHASIA BlackHatEventsGame of Cross Cache:Game of Cross Cache:Lets win it in a more effective way!Lets win it in a more effective way!Le Wu From Baidu Security#BHASIA BlackHatEventsAbout me Le Wu,NVamous on Twitter Focus on Android/Linux vulnerability Dirty Pagetable A novel technique to rule the Li

2、nux Kernel 1 Blackhat USA,Europe,Asia1:https:/yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html#BHASIA BlackHatEventsAgenda Introduction to Cross-cache attack Challenges in Cross-cache attack Advancing Towards a More Effective Cross-cache Attack Exploit File UAF with Dirty Pagetable Summ

3、aryIntroduction to Cross-cache attackA Simplified Cross-cache Attack For UAFUAF(Object A or object B could be pages or other kinds of memory regions)Trigger UAF to release the victim object A;Reclaim the victim slab of victim object A to Page allocator;kmem_cache B reuse the pages of victim slab,and

4、 object A is reallocated as object B;Make use of corrupted object B to get ROOT;corrupt the object BOperations to victim object A;Cross-cache attack is getting popular:Original vulnerable object is not exploitable,especially the one allocated from a dedicated kmem_cacheTransform the unknown vulnerab

5、ility to well-known one to simplify the exploitationBuild data-only exploitation techniques to defeat growing mitigations like KASLR,PAN,CFI.MethodCross-cache FromCross-cache Toret2dir*direct mappingret2page*kernel allocated pageDrity Cred*struct credDirty Pagetable*user page table.Introduction to C

6、ross-cache attackWell,its known as an unstable technique.Introduction to Cross-cache attackCan we make it less unstable,or in other words,more efficient?Common workflow of Cross-cache attackStep0.Common knowledge for SLUB allocatorobjs_per_slab:number of objects in a single slaborder:order of pages

word格式文档无特别注明外均可编辑修改,预览文件经过压缩,下载原文更清晰!
三个皮匠报告文库所有资源均是客户上传分享,仅供网友学习交流,未经上传用户书面授权,请勿作商用。
本文主要介绍了如何更有效地进行跨缓存攻击。首先,作者提出了两个挑战:如何在受限的分配原语下丢弃受害者的0级缓存,以及如何使3级缓存确定性地重用0级缓存。为了解决这两个问题,作者提出了一种新的优化工作流程,包括使用赛跑风格的缓存移动原语来丢弃受害者缓存,以及使用确定性的堆整形技术来使高阶缓存重用低阶缓存。此外,作者还介绍了如何将脏页表技术应用于三星设备,以利用文件UAF漏洞。总的来说,本文通过解决跨缓存攻击中的挑战,提高了攻击的效率和成功率。
如何有效解决跨缓存攻击中的挑战? 如何让高阶缓存确定性地复用低阶缓存? 如何将三星设备上的脏页表技术应用到攻击中?
客服
商务合作
小程序
服务号
折叠