Implement Cross Language Attacks on Rust for Linux
- OS: Ubuntu 20.04.6 LTS
- Kernel Version: 5.15.0-88-generic
- Arch: x86_64
- QEMU Version: 7.0.0
- LLVM Version: 16.0.0

- OS: Ubuntu 23.04
- Kernel Version: rust for linux v6.3 (rust for linux @ bc22545f38)
- Arch: x86_64
```shell
cp .config ./linux
cd linux
make LLVM=1 -j4  # may take some time the first time
```

```shell
# need root permission
bash debootstrap.sh
```

The username and password should both be root.
Based on Cross Language Attacks, there are several types of attack, e.g. Use after Free (UaF) and Out-of-Bounds (OOB). The related PoC for Rust for Linux is under the corresponding directory.
Generally, we consider a scenario in which an attacker needs 3 phases/steps to manipulate a machine:
- Memory Corruption
- Inject Gadgets
- Control-Flow Hijack or Data-only Attack
Control-Flow Hijack aims to manipulate the execution flow of a program; one possible way is using a ROP chain. Usually this kind of attack can be defended against by enforcing CFI.
On the other hand, a Data-only attack manipulates the data itself. For example, adding a new malicious user/admin, so that an attacker can use this new data to reach other vulnerabilities.
Each missing step makes it harder for the attacker to launch an attack, or even impossible. Take a memory safe language, e.g. Rust, as an example: such a language is designed to prevent programs from having memory vulnerabilities, so it is nearly impossible for attackers to achieve the Memory Corruption step. (c) represents this situation. On the other hand, C is famous for its highly permissive properties, which lead to a lot of memory unsafety. In order not to be attacked, we can use CFI in a C program to avoid Control-Flow Hijack; this is shown in (b).
Everything seems fine, however, it is more complicated in a multi-language program. In such a program, components written in different languages interact with each other via the Foreign Function Interface (FFI) or even other ways. This process is described in (d) as the Language Transfer node. Therefore, if the attack flow goes from C to Rust, the protection of each language is bypassed. To elaborate: gadgets constructed and inserted in C can corrupt the Rust memory, and Rust then executes the gadget and gets hijacked.
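To make the Language Transfer node concrete, the following Rust program is an added example (not code from this repository or from the Rust for Linux project) that shows why Rust's guarantees stop at the FFI boundary and what the defence at that boundary looks like. The "C side" is simulated by a hypothetical `extern "C"` function `c_fill_name` written in Rust that, like a C `memcpy`, trusts the caller's length; `Session`, `set_name_unchecked` and `set_name_checked` are constructed for this example. The unchecked wrapper hands a caller-controlled length to C, so an overlong input overruns the fixed buffer and lands on the adjacent privilege flag (the data-only corruption the text describes); the checked wrapper validates the length before crossing into C, which is where the check has to live.

```rust
use std::ptr;

/// Constructed record: a fixed-size name buffer followed by a privilege flag.
/// `#[repr(C)]` fixes the layout, as it would be for a struct shared with C,
/// so `is_admin` sits directly after the 8 bytes of `name`.
#[repr(C)]
#[derive(Debug)]
pub struct Session {
    pub name: [u8; 8],
    pub is_admin: u8, // 0 = normal user, 1 = admin
}

impl Session {
    pub fn new() -> Self {
        Session { name: [0; 8], is_admin: 0 }
    }
}

/// Stand-in for a C routine reached through FFI (assumption for this example;
/// a real one would be declared in an `extern "C" { ... }` block and live in a
/// C object file). Like C `memcpy`, it copies `len` bytes and checks nothing.
pub unsafe extern "C" fn c_fill_name(dst: *mut u8, src: *const u8, len: usize) {
    ptr::copy_nonoverlapping(src, dst, len);
}

/// Unchecked boundary: the caller-supplied length crosses into C unvalidated.
/// The pointer covers the whole `Session`, so a 9-byte input overwrites
/// `is_admin`. Anything longer than the struct would write past the object
/// (undefined behaviour), so the demo below uses exactly 9 bytes.
pub fn set_name_unchecked(s: &mut Session, input: &[u8]) {
    let base = s as *mut Session as *mut u8;
    // SAFETY: only sound while input.len() <= size_of::<Session>(); nothing
    // enforces that here, which is the whole point of this variant.
    unsafe { c_fill_name(base, input.as_ptr(), input.len()) }
}

/// Checked boundary: validate the length at the language-transfer point and
/// pass C a pointer to the field only, so the C side cannot reach `is_admin`.
pub fn set_name_checked(s: &mut Session, input: &[u8]) -> Result<(), &'static str> {
    if input.len() > s.name.len() {
        return Err("name too long for fixed buffer");
    }
    // SAFETY: len <= 8 and dst points at the 8-byte `name` field.
    unsafe { c_fill_name(s.name.as_mut_ptr(), input.as_ptr(), input.len()) }
    Ok(())
}

fn main() {
    // Constructed input: 8 filler bytes plus one byte that lands on `is_admin`.
    let overlong: [u8; 9] = [b'a', b'a', b'a', b'a', b'a', b'a', b'a', b'a', 1];

    let mut s = Session::new();
    println!("checked:   {:?}", set_name_checked(&mut s, &overlong));
    println!("is_admin after checked call:   {}", s.is_admin);

    let mut s = Session::new();
    set_name_unchecked(&mut s, &overlong);
    println!("is_admin after unchecked call: {}", s.is_admin);
}
```

The mitigation is not in C and not in the Rust type system; it is the wrapper that every raw-pointer FFI call passes through. In a Rust for Linux driver the same rule applies to every `bindings::` call that takes a buffer and a length: the safe abstraction owning the `unsafe` block is the place to bound the length and narrow the pointer.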

