Interp-flow Hijacking: Launching Non-control Data Attack via Hijacking eBPF Interpretation Flow

Qirui Liu, Wenbo Shen, Jinmeng Zhou, Zhuoruo Zhang, Jiayi Hu, Shukai Ni, Kangjie Lu, Rui Chang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

eBPF (extended Berkeley Packet Filter) is regarded as a secure alternative to kernel modules for enhancing kernel functionality. As an emerging kernel subsystem, eBPF should not become a vehicle for exploits of kernel vulnerabilities to bypass established protections. Unfortunately, the exploitability of eBPF has not been fully studied so far. This paper investigates the exploitability of eBPF. Our study uncovers a previously unidentified security risk: eBPF bytecode lacks injection and hijack prevention, so the eBPF interpretation flow can be hijacked to execute malicious bytecode. To understand the risk, we propose Interp-flow Hijacking, a novel attack that hijacks the eBPF interpretation flow to circumvent kernel code and Control Flow Integrity (CFI) protections, thereby enabling arbitrary code execution within the kernel. To realize the attack, we propose a novel technique named Tailcall Trampoline for hijacking the interpretation flow without violating CFI. To evaluate the exploitability, we formulate CVE requirements and give techniques to pivot different types of CVEs. The evaluation of 16 real CVEs from different kernel subsystems shows that Interp-flow Hijacking enhances the capability of every one of them to bypass kernel protection. Finally, we design and implement a protection mechanism to safeguard against Interp-flow Hijacking. We are communicating with the Linux community to address the identified issues.
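The abstract's central point is that an interpreter's program pointer and instruction array are non-control data: CFI guards indirect-call targets (return addresses, function pointers), so swapping the bytecode the interpreter walks never trips a CFI check. The following toy model is an added illustration and is not the paper's code, not real eBPF bytecode, and not the Tailcall Trampoline technique. The opcodes, handler table, `cfi_ok` check, `registry` and `guarded_run` are all constructed assumptions made only to show the mechanism: a write to the `insns` field of a `struct prog` redirects execution while every indirect call still lands on a legitimate handler, and an allow-list of verifier-accepted programs is one way to refuse unregistered bytecode.

```c
/* Added toy model (not the paper's code): a minimal bytecode interpreter
 * whose only CFI-protected control data are the handler pointers. The
 * program pointer is ordinary data, so corrupting it hijacks the
 * interpretation flow without any CFI violation. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { OP_MOV = 1, OP_ADD = 2, OP_RET = 3 };            /* constructed opcodes */

struct insn { uint8_t op; uint8_t dst; int32_t imm; };  /* constructed encoding */
struct prog { const struct insn *insns; size_t len; };  /* insns is NON-control data */

typedef void (*handler_t)(int64_t regs[4], const struct insn *);
static void h_mov(int64_t r[4], const struct insn *i) { r[i->dst] = i->imm; }
static void h_add(int64_t r[4], const struct insn *i) { r[i->dst] += i->imm; }
static const handler_t handlers[] = { [OP_MOV] = h_mov, [OP_ADD] = h_add };
#define NHANDLERS (sizeof handlers / sizeof handlers[0])

/* Toy CFI policy: an indirect call may only target a registered handler. */
static int cfi_ok(handler_t fn) {
    for (size_t k = 0; k < NHANDLERS; k++)
        if (handlers[k] && handlers[k] == fn) return 1;
    return 0;
}

/* Returns r0 at OP_RET; -1 on CFI violation, -2 on unknown opcode. */
static int64_t run(const struct prog *p) {
    int64_t r[4] = {0};
    for (size_t pc = 0; pc < p->len; pc++) {
        const struct insn *i = &p->insns[pc];
        if (i->op == OP_RET) return r[0];
        if ((size_t)i->op >= NHANDLERS || !handlers[i->op]) return -2;
        handler_t fn = handlers[i->op];
        if (!cfi_ok(fn)) return -1;   /* never fires: the target is always legitimate */
        fn(r, i);
    }
    return r[0];
}

/* Constructed "verifier-approved" program: r0 = 40 + 2. */
static const struct insn approved[] = {
    { OP_MOV, 0, 40 }, { OP_ADD, 0, 2 }, { OP_RET, 0, 0 } };
/* Constructed attacker bytecode that never went through a verifier. */
static const struct insn injected[] = {
    { OP_MOV, 0, 0x1337 }, { OP_RET, 0, 0 } };

/* Hijack model: a kernel write primitive from an unrelated bug overwrites
 * the program pointer. No code pointer changes, so CFI stays silent. */
static int64_t hijacked_run(struct prog *victim) {
    victim->insns = injected;
    victim->len = 2;
    return run(victim);
}

/* Mitigation sketch (an assumption, not the paper's mechanism): only
 * interpret bytecode that was registered as verifier-approved. */
static struct prog registry[4];
static size_t registry_len;
static void register_prog(const struct prog *p) {
    if (registry_len < 4) registry[registry_len++] = *p;   /* snapshot, not a pointer */
}
static int64_t guarded_run(const struct prog *p) {
    for (size_t k = 0; k < registry_len; k++)
        if (registry[k].insns == p->insns && registry[k].len == p->len) return run(p);
    return -3;  /* unregistered bytecode: refuse to interpret */
}

static int64_t demo_legit(void)  { struct prog p = { approved, 3 }; return run(&p); }
static int64_t demo_hijack(void) { struct prog p = { approved, 3 }; return hijacked_run(&p); }
static int64_t demo_guarded(void) {
    struct prog p = { approved, 3 };
    registry_len = 0; register_prog(&p);
    p.insns = injected; p.len = 2;    /* same corruption as hijacked_run */
    return guarded_run(&p);
}

int main(void) {
    printf("legit=%lld hijacked=0x%llx guarded=%lld\n",
           (long long)demo_legit(), (long long)demo_hijack(), (long long)demo_guarded());
    return 0;
}
```

The interesting line is the `victim->insns = injected` write: it is a plain data store, the kind any out-of-bounds or use-after-free write primitive can perform, and `cfi_ok` passes on every subsequent dispatch. The registry comparison is deliberately a snapshot taken at registration time; comparing against a pointer to the live `struct prog` would be defeated by the same corruption.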

Original language: English (US)
Title of host publication: Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings
Editors: Joaquin Garcia-Alfaro, Rafał Kozik, Michał Choraś, Sokratis Katsikas
Publisher: Springer Science and Business Media Deutschland GmbH
Pages: 194-214
Number of pages: 21
ISBN (Print): 9783031708954
DOIs
State: Published - 2024
Event: 29th European Symposium on Research in Computer Security, ESORICS 2024 - Bydgoszcz, Poland
Duration: Sep 16 2024 to Sep 20 2024

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 14984 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 29th European Symposium on Research in Computer Security, ESORICS 2024
Country/Territory: Poland
City: Bydgoszcz
Period: 9/16/24 to 9/20/24

Bibliographical note

Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.

Keywords

  • Bug exploitation
  • Bypassing CFI
  • eBPF
  • Linux kernel
