Claudio Migliorelli (IBM Research Europe - Zurich), Andrea Mambretti (IBM Research Europe - Zurich), Alessandro Sorniotti (IBM Research Europe - Zurich), Vittorio Zaccaria (Politecnico di Milano), Anil Kurmus (IBM Research Europe - Zurich)
Kernel memory allocators remain a critical attack surface, despite decades of research into memory corruption defenses. While recent mitigation strategies have diminished the effectiveness of conventional attack techniques, we show that robust cross-cache attacks are still feasible and pose a significant threat. In this paper, we introduce PCPLost, a cross-cache memory massaging technique that bypasses mainline mitigations by carefully using side channels to infer the kernel allocator's internal state. We demonstrate that vulnerabilities such as out-of-bounds (OOB) --- and, via pivoting, use-after-free (UAF) and double-free (DF) --- can be exploited reliably through a cross-cache attack, across all generic caches, even in the presence of noise. We validate the generality and robustness of our approach by exploiting 6 publicly disclosed CVEs by using PCPLost, and discuss possible mitigations. The significant reliability (over 90% in most cases) of our approach in obtaining a cross-cache layout suggests that current mitigation strategies fail to offer comprehensive protection against such attacks within the Linux kernel.