Ziyi Guo, Dang K Le, and Zhenpeng Lin, Northwestern University; Kyle Zeng, Ruoyu Wang, Tiffany Bao, Yan Shoshitaishvili, and Adam Doupé, Arizona State University; Xinyu Xing, Northwestern University
Recently, a novel method known as Page Spray emerges, focusing on page-level exploitation for kernel vulnerabilities. Despite the advantages it offers in terms of exploitability, stability, and compatibility, comprehensive research on Page Spray remains scarce. Questions regarding its root causes, exploitation model, comparative benefits over other exploitation techniques, and possible mitigation strategies have largely remained unanswered. In this paper, we conduct a systematic investigation into Page Spray, providing an in-depth understanding of this exploitation technique. We introduce a comprehensive exploit model termed the DirtyPage model, elucidating its fundamental principles. Additionally, we conduct a thorough analysis of the root causes underlying Page Spray occurrences within the Linux Kernel. We design an analyzer based on the Page Spray analysis model to identify Page Spray callsites. Subsequently, we evaluate the stability, exploitability, and compatibility of Page Spray through meticulously designed experiments. Finally, we propose mitigation principles for addressing Page Spray and introduce our own lightweight mitigation approach. This research aims to assist security researchers and developers in gaining insights into Page Spray, ultimately enhancing our collective understanding of this emerging exploitation technique and making improvements to community.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Ziyi Guo and Dang K Le and Zhenpeng Lin and Kyle Zeng and Ruoyu Wang and Tiffany Bao and Yan Shoshitaishvili and Adam Doup{\'e} and Xinyu Xing},
title = {Take a Step Further: Understanding Page Spray in Linux Kernel Exploitation},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {1189--1206},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/guo-ziyi},
publisher = {USENIX Association},
month = aug
}