
Safe-Linking: Making Linux exploitation harder

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 22 May 2020

Businesses and users alike are constantly on the lookout for easier ways to do things, and shortcuts that help us work faster and with less effort. Unfortunately, bad actors are no different, and are always hunting for existing vulnerabilities or weaknesses that can be exploited.

According to Check Point researchers, the US National Institute of Standards and Technology (NIST) maintains a list of unique software vulnerabilities in all the world’s software, past and present. By the end of last year, the list contained over 136 000 unique vulnerabilities, which means malefactors have the same number of possible ways to compromise software being used by companies across the globe. And while the vast majority of these vulnerabilities have had fixes released, some have been around for a long time, with no easy fix available.

A good example is memory corruption attacks, which are often used to exploit programs written for Linux, the most widely used open source operating system in the world.

With this in mind, Check Point has created Safe-Linking, a security mechanism to protect the internal structure of the heap – or the portion of memory that is not set to a constant size before compilation and can be controlled dynamically by a programmer – from being tampered with.

Safe-Linking takes advantage of the randomness inherited from Address Space Layout Randomization (ASLR), a security mechanism that is now heavily deployed in most modern operating systems. ASLR randomly selects a base address at which the program will be loaded, forcing the attacker either to guess the correct memory addresses or to leak them using an additional, highly specific vulnerability.

“Simply put, Safe-Linking removes the address data for the program, so the bad actor can no longer be sure where in the system’s memory it will be loaded – making it much harder for them to launch an exploit against the program,” the company adds.
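The masking idea described above, as an added example (not code from the article or from Check Point): each free-list "next" pointer is XORed with the page-shifted address of the slot that stores it, and the allocator checks alignment after unmasking. The function names, the 12-bit shift for 4 KiB pages, the 16-byte alignment and the sample addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12        /* assumption: 4 KiB pages; bits above are ASLR-randomised */
#define ALIGN_MASK 0xfULL    /* assumption: heap chunks are 16-byte aligned */

/* Mask a free-list "next" pointer with the address of the slot that stores it. */
static uint64_t protect_ptr(uint64_t slot, uint64_t next) {
    return (slot >> PAGE_SHIFT) ^ next;
}

/* XOR is its own inverse, so unmasking uses the same key. */
static uint64_t reveal_ptr(uint64_t slot, uint64_t stored) {
    return (slot >> PAGE_SHIFT) ^ stored;
}

/* Allocator-side check: 1 and *out set if the link unmasks to an aligned chunk, else 0. */
static int follow_link(uint64_t slot, uint64_t stored, uint64_t *out) {
    uint64_t next = reveal_ptr(slot, stored);
    if (next & ALIGN_MASK)
        return 0;            /* corrupted link: a real allocator would abort here */
    *out = next;
    return 1;
}

/* Constructed addresses, not taken from any real process. */
static const uint64_t SLOT = 0x55d1c3a4b2a0ULL;   /* where the link is stored */
static const uint64_t NEXT = 0x55d1c3a4b300ULL;   /* legitimate next free chunk */
static const uint64_t RAW  = 0x55d1c3a4c000ULL;   /* value written by an overflow, unmasked */

static int legit_link_ok(void) {
    uint64_t out = 0;
    return follow_link(SLOT, protect_ptr(SLOT, NEXT), &out) && out == NEXT;
}

/* Without knowing SLOT >> 12 the writer cannot pre-mask RAW, so the unmasked
 * result keeps the key's low 4 bits (0xb here) and fails the alignment check.
 * With a random key this catches 15 of 16 such overwrites. */
static int raw_overwrite_rejected(void) {
    uint64_t out = 0;
    return follow_link(SLOT, RAW, &out) == 0;
}

int main(void) {
    printf("legitimate link accepted: %d\n", legit_link_ok());
    printf("raw overwrite rejected:   %d\n", raw_overwrite_rejected());
    return 0;
}
```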

The approach was pitched and successfully integrated into the most crucial system environments and core libraries in the Linux operating system. These libraries are the core building blocks for computers and the Internet, and are used by almost every Web site, application or device in existence today.

Linux programs are at the heart of millions of personal devices, including laptops and smartphones, as well as routers, IoT devices, smart TVs and many others. Moreover, they are used to build Web services for global banks, stock exchange platforms and major airlines.


“For two decades, Linux programs have been vulnerable to attacks in which the hacker executes malicious code once the memory in a computer system is altered or modified, usually in areas where the design of the main memory management of the program is not robust,” says Check Point.

The company demonstrated this technique in February, illustrating how an attacker could exploit an IoT network to carry out attacks on conventional computer networks in homes, businesses or even smart cities. Researchers highlighted how vulnerabilities in Philips Hue smart lightbulbs and their control bridge enabled them to infiltrate networks by triggering a heap-based buffer overflow in the bridge software.

Safe-Linking had the potential to block several major exploits that Check Point has investigated over the years, which would have turned ‘broken’ software products into ‘unexploitable’ ones. “In the case of our research into smart lightbulb vulnerabilities, this would have blocked the exploit and attack.”

While Safe-Linking is not a magic bullet that will stop all exploit attempts against modern-day heap implementations, the company says, it is another step in the right direction. “By forcing attackers to have a memory leak vulnerability before they can even start their exploit, we have raised the security bar and made exploitations harder to execute. This, in turn, helps to better protect users globally.”
