Search Icon
2027 Submissions

Cross-Cache Attacks for the Linux Kernel via PCP Massaging

Claudio Migliorelli (IBM Research Europe - Zurich), Andrea Mambretti (IBM Research Europe - Zurich), Alessandro Sorniotti (IBM Research Europe - Zurich), Vittorio Zaccaria (Politecnico di Milano), Anil Kurmus (IBM Research Europe - Zurich)

Kernel memory allocators remain a critical attack surface, despite decades of research into memory corruption defenses. While recent mitigation strategies have diminished the effectiveness of conventional attack techniques, we show that robust cross-cache attacks are still feasible and pose a significant threat. In this paper, we introduce PCPLOST, a cross-cache memory massaging technique that bypasses mainline mitigations by carefully using side channels to infer the kernel allocator’s internal state. We demonstrate that vulnerabilities such as out-of-bounds (OOB) — and, via pivoting, use-after-free (UAF) and double-free (DF) — can be exploited reliably through a cross-cache attack, across all generic caches, even in the presence of noise. We validate the generality and robustness of our approach by exploiting 6 publicly disclosed CVEs by using PCPLOST, and discuss possible mitigations. The significant reliability (over 90% in most cases) of our approach in obtaining a cross-cache layout suggests that current mitigation strategies fail to offer comprehensive protection against such attacks within the Linux kernel.

Paper
Slides
Video

View More Papers

BunnyFinder: Finding Incentive Flaws for Ethereum Consensus

Rujia Li (Tsinghua University and State Key Laboratory of Cryptography and Digital Economy Security), Mingfei Zhang (Shandong University), Xueqian Lu (Independent Reseacher), Wenbo Xu (Blockchain Platform Division, Ant Group), Ying Yan (Blockchain Platform Division, Ant Group), Sisi Duan (Tsinghua University, Zhongguancun Laboratory, Shandong Institute of Blockchains and State Key Laboratory of Cryptography and Digital Economy…

Read More

Know Me by My Pulse: Toward Practical Continuous Authentication...

Wei Shao (University of California, Davis), Zequan Liang (University of California Davis), Ruoyu Zhang (University of California, Davis), Ruijie Fang (University of California, Davis), Ning Miao (University of California, Davis), Ehsan Kourkchi (University of California - Davis), Setareh Rafatirad (University of California, Davis), Houman Homayoun (University of California Davis), Chongzhou Fang (Rochester Institute of Technology)

Read More

AirSnitch: Demystifying and Breaking Client Isolation in Wi-Fi Networks

Xin'an Zhou (University of California, Riverside), Juefei Pu (University of California, Riverside), Zhutian Liu (University of California, Riverside), Zhiyun Qian (University of California, Riverside), Zhaowei Tan (University of California, Riverside), Srikanth V. Krishnamurthy (University of California, Riverside), Mathy Vanhoef (DistriNet, KU Leuven)

Read More