Abstract
eBPF (extended Berkeley Packet Filter) is regarded as a secure alternative to kernel modules for enhancing kernel functionalities. As an emerging kernel subsystem, eBPF should not be exploited by kernel vulnerabilities to bypass established protection. Unfortunately, the exploitability of eBPF has not been fully studied so far.
This paper investigates the exploitability of eBPF. Our study uncovers a previously unidentified security risk: eBPF bytecode lacks injection and hijack prevention, so the eBPF interpretation flow can be hijacked to execute malicious bytecode. To understand the risk, we propose Interp-flow Hijacking, a novel attack that hijacks the eBPF interpretation flow to circumvent kernel code and Control Flow Integrity (CFI) protections, thereby enabling arbitrary code execution within the kernel. To realize the attack, we propose a novel technique named Tailcall Trampoline for hijacking the interpretation flow without violating CFI.
To evaluate the exploitability, we formulate CVE requirements and give techniques to pivot different types of CVEs. The evaluation of 16 real CVEs from different kernel subsystems shows that Interp-flow Hijacking can enhance all their capabilities in bypassing kernel protection. Finally, we design and implement a protection mechanism to safeguard against Interp-flow Hijacking. We are communicating with the Linux community to address the identified issues.
This work is partially supported by the National Key R&D Program of China (No. 2022YFE0113200) and the Leading Innovative and Entrepreneur Team Introduction Program of Zhejiang (Grant No. TD2019001).
Appendices
A Analysis Results
We identify 39 exploitable interp-flow data (in Linux 6.1.33), as detailed in Table 4. The size of some interp-flow data can be chosen by the user. Read-only interp-flow data are not listed since they cannot be corrupted by memory bugs.
We further analyze the exploitability of all interp-flow data manually and find that most interp-flow data are related to eBPF hooking. These data cannot be exploited without violating CFI, as discussed in Sect. 4.2. Among the other data, bpf_array is the perfect target for interp-flow hijacking, as presented in Sect. 4.3.
B Arbitrary Kernel Code Execution
We construct arbitrary kernel code execution based on the key observation that the eBPF interpreter handles JMP_CALL (e.g., calling eBPF helper functions) by performing a PC-relative jump. The interpreter first extracts the offset from the eBPF bytecode instruction insn and adds it to __bpf_call_base to get the target address. Next, the interpreter jumps to the target address with at most five parameters prepared in BPF_R1-R5. The possible target addresses can be any eBPF helper function or other eBPF program, which are too versatile to enforce CFI checks on.
Therefore, we propose to exploit the JMP_CALL to realize arbitrary kernel code execution. The bytecode of the primitive is shown in Fig. 8. Lines 1-4 set up the parameters, and Line 6 triggers the JMP_CALL, which jumps to __bpf_call_base+FUNC_OFFSET. Note that the user fully controls FUNC_OFFSET. Moreover, it is an offset value rather than a runtime address: one can obtain it from the static kernel build, thus bypassing kernel ASLR. Besides, FUNC_OFFSET is 32-bit, supporting ±2 GB relative addressing, which is much larger than the kernel text size (less than 100 MB), so arbitrary kernel code execution is achieved.
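The JMP_CALL dispatch described above, as an added example that is not part of the paper or of the kernel: a user-space C model of the interpreter's call path (target = __bpf_call_base + insn->imm, five arguments taken from R1-R5), with a dispatch-time allow-list check added as an illustrative mitigation. The instruction layout follows the kernel's UAPI encoding, but call_base, helper_add, helper_mul, not_a_helper, run, target_is_allowed and the allow-list are constructed stand-ins, and the check is this example's own, not the protection mechanism the paper proposes.

```c
/* User-space model of the eBPF interpreter's JMP_CALL dispatch and of a
 * dispatch-time allow-list check. Constructed example, not kernel code. */
#include <stdint.h>
#include <stddef.h>

/* Subset of the eBPF instruction encoding (same layout as the kernel UAPI). */
struct bpf_insn {
    uint8_t code;
    uint8_t dst_reg:4;
    uint8_t src_reg:4;
    int16_t off;
    int32_t imm;   /* for JMP_CALL: signed 32-bit offset from the call base */
};

enum { BPF_ALU64 = 0x07, BPF_JMP = 0x05, BPF_MOV = 0xb0, BPF_K = 0x00,
       BPF_CALL = 0x80, BPF_EXIT = 0x90 };
#define ALU64_MOV_K (BPF_ALU64 | BPF_MOV | BPF_K)
#define JMP_CALL    (BPF_JMP | BPF_CALL)
#define JMP_EXIT    (BPF_JMP | BPF_EXIT)

/* Helpers take up to five u64 arguments (R1-R5) and return u64 in R0. */
typedef uint64_t (*helper_fn)(uint64_t, uint64_t, uint64_t, uint64_t, uint64_t);

/* Stand-in for __bpf_call_base: the anchor every call offset is relative to. */
static uint64_t call_base(uint64_t a, uint64_t b, uint64_t c, uint64_t d, uint64_t e)
{ (void)a; (void)b; (void)c; (void)d; (void)e; return 0; }

/* Two toy helpers that the allow-list permits (constructed). */
static uint64_t helper_add(uint64_t a, uint64_t b, uint64_t c, uint64_t d, uint64_t e)
{ (void)c; (void)d; (void)e; return a + b; }
static uint64_t helper_mul(uint64_t a, uint64_t b, uint64_t c, uint64_t d, uint64_t e)
{ (void)c; (void)d; (void)e; return a * b; }

/* A function that is NOT a helper; a corrupted imm can still resolve to it. */
static int decoy_hits;
static uint64_t not_a_helper(uint64_t a, uint64_t b, uint64_t c, uint64_t d, uint64_t e)
{ (void)a; (void)b; (void)c; (void)d; (void)e; decoy_hits++; return 0xdead; }

static const helper_fn allowed_helpers[] = { helper_add, helper_mul };

/* imm is stored as (helper - call base), which is how the kernel verifier
 * rewrites a helper call before the program is allowed to run. */
int32_t call_offset(helper_fn fn)
{
    return (int32_t)((intptr_t)fn - (intptr_t)call_base);
}

/* The interpreter's own computation: base + 32-bit offset, nothing else. */
static helper_fn resolve(int32_t imm)
{
    return (helper_fn)((intptr_t)call_base + imm);
}

/* Illustrative dispatch-time check: the resolved target must be a registered
 * helper. This is the example's addition, not the kernel's behaviour. */
int target_is_allowed(int32_t imm)
{
    helper_fn t = resolve(imm);
    for (size_t i = 0; i < sizeof allowed_helpers / sizeof *allowed_helpers; i++)
        if (allowed_helpers[i] == t)
            return 1;
    return 0;
}

/* Tiny interpreter: MOV64 imm into R1..R5, JMP_CALL, EXIT. With `checked`
 * set, a JMP_CALL whose target is not allow-listed returns -1 instead of
 * transferring control; with it clear, the call is taken as the offset says. */
int run(const struct bpf_insn *prog, size_t n, int checked, uint64_t *r0)
{
    uint64_t r[6] = {0};
    for (size_t pc = 0; pc < n; pc++) {
        const struct bpf_insn *insn = &prog[pc];
        switch (insn->code) {
        case ALU64_MOV_K:
            if (insn->dst_reg > 5)
                return -1;
            r[insn->dst_reg] = (uint64_t)(int64_t)insn->imm;
            break;
        case JMP_CALL:
            if (checked && !target_is_allowed(insn->imm))
                return -1;
            r[0] = resolve(insn->imm)(r[1], r[2], r[3], r[4], r[5]);
            break;
        case JMP_EXIT:
            *r0 = r[0];
            return 0;
        default:
            return -1;
        }
    }
    return -1; /* fell off the end without EXIT */
}

/* Builds a four-instruction program: R1 = 6, R2 = 7, call `imm`, exit. */
void build_call_prog(struct bpf_insn prog[4], int32_t imm)
{
    prog[0] = (struct bpf_insn){ ALU64_MOV_K, 1, 0, 0, 6 };
    prog[1] = (struct bpf_insn){ ALU64_MOV_K, 2, 0, 0, 7 };
    prog[2] = (struct bpf_insn){ JMP_CALL, 0, 0, 0, imm };
    prog[3] = (struct bpf_insn){ JMP_EXIT, 0, 0, 0, 0 };
}
```

The unchecked path is the interpreter as the appendix describes it: the only thing that keeps a call on a legitimate helper is the value of imm that the verifier wrote at load time, so bytecode corrupted after verification is dispatched just like a verified program. The checked path shows the shape of a re-validation at dispatch time; in a real kernel the helper set is much larger and the cost of such a lookup on every call is the trade-off a mitigation has to make.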
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Liu, Q. et al. (2024). Interp-flow Hijacking: Launching Non-control Data Attack via Hijacking eBPF Interpretation Flow. In: Garcia-Alfaro, J., Kozik, R., Choraś, M., Katsikas, S. (eds) Computer Security – ESORICS 2024. ESORICS 2024. Lecture Notes in Computer Science, vol 14984. Springer, Cham. https://doi.org/10.1007/978-3-031-70896-1_10
DOI: https://doi.org/10.1007/978-3-031-70896-1_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-70895-4
Online ISBN: 978-3-031-70896-1