||When learning Multi-Thread Programming, it is necessary for developers to notice whether there are competing resources between each other, aka a race condition. |
Double-Fetch is a special condition of race condition. As its name suggests, Double-Fetch means fetching a resource for two times. The purpose of first fetch usually checks for the legality of the resource, and then the second fetch is the usage. This is a common idea for software development.
In Linux, many of the system call implementations responsible for I/O control use this idea. The system call makes the OS kernel frequently reading the “SPECIFIC DATA” at user space for several times, which causes a big problem. Due to the multithreading design, the value of “SPECIFIC DATA” might be modified by a malicious thread between the several readings. This makes the system call to get the inconsistent value between two reads, and causes an unexpected result. In addition, these “SPECIFIC DATA” exist on user space, which means an attacker can control the process flow by changing these values. Thus, the attacker may get the sensitive data from system, launch a buffer overflow attack or even inject the shell code to get the control of whole system.
This paper presents DFGUARD, a system that uses the components for memory addressing in the Linux Kernel to perform operations of read/write permission. With this technique, DFGUARD can directly block these suspicious writing behaviors, thereby preventing the possibility of Double-Fetch vulnerability.
||Shan Lu, Soyeon Park, Eunsoo Seo and Yuanyuan Zhou, “Learning from Mistakes — A Comprehensive Study on Real World Concurrency Bug Characteristics,” 13th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), 2008. |
Fermin. J. Serna, swiat, “MS08-061 : The case of the kernel mode double-fetch,” 10/14/2008, https://blogs.technet.microsoft.com/srd/2008/10/14/ms08-061-the-case-of-the-kernel-mode-double-fetch/. [Accessed on: 07/02/2018].
Pengfei Wang, Jens Krinke, Kai Lu and Gen Li, Steve Dodier-Lazaro, “How Double-Fetch Situations Turn into Double-Fetch Vulnerabilities: A Study of Double Fetches in the Linux Kernel,” Proceedings of the 26th USENIX Security Symposium (Security), 2017.
“Bug 166248 – CAN-2005-2490 sendmsg compat stack overflow,” 08/18/2005, https://bugzilla.redhat.com/show_bug.cgi?id=166248. [Accessed on: 07/04/2018].
Mateusz “j00ru” Jurczyk and Gynvael Coldwind, “Kernel double-fetch race condition exploitation on x86 – further thoughts,” 06/17/2013, https://j00ru.vexillium.org/2013/06/kernel-double-fetch-race-condition-exploitation-on-x86-further-thoughts/. [Accessed on 07/06/2018].
Souhail Hammou, “Exploiting Windows Drivers: Double-fetch Race Condition Vulnerability,” 07/12/2016, https://resources.infosecinstitute.com/exploiting-windows-drivers-double-fetch-race-condition-vulnerability/. [Accessed on 07/04/2018].
Meng Xu, Chenxiong Qian, Kangjie Lu, Michael Backes, Taesoo Kim, “Precise and Scalable Detection of Double-Fetch Bugs in OS Kernels,” IEEE Symposium on Security and Privacy, 2018.
Michael Schwarz, Daniel Gruss, Moritz Lipp, Clementine Maurice, Thomas Schuster, Anders Fogh, Stefan Mangard, “Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features,” ACM ASIA CONFERENCE ON COMPUTER & COMMUNICATIONS SECURITY, 2018.
Pengfei Wang, “CVE-2016-6516-exploit,” 02/26/2018, https://github.com/wpengfei/CVE-2016-6516-exploit. [Accessed on: 07/05/2018].
Kaustubh R. Joshi, “Linux Memory Management,” 04/03/2013, http://www.cs.columbia.edu/~krj/os/lectures/L17-LinuxPaging.pdf. [Accessed on: 07/05/2018].