Safe-Linking – fixing a 20-year-old problem to make Linux exploitation harder for threat actors

Let’s face it, we’re all looking for easier ways to do things: short-cuts that help us get our work done faster and with less effort. Hackers are no different. To launch an attack against any software or system, hackers and threat actors will first look for an existing vulnerability or weakness that they can quickly work out how to exploit.

The US National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database, a catalogue of publicly disclosed software vulnerabilities, past and present. At the end of 2019 that catalogue contained over 136,000 entries: over 136,000 known weaknesses for an attacker to pick from. Of course, the vast majority of these vulnerabilities have fixes available. But some classes of vulnerability have been around for a long time, with no easy fix available.

A good example of this is memory corruption, which is often used to exploit programs running on Linux, the most widely-used open source OS in the world. Linux programs are the core building blocks of millions of personal computers, Android devices, laptops, internet routers, IoT products, smart TVs and more. They are also used to build the web services of global banks, stock exchanges and major airlines. For two decades, Linux programs have been vulnerable to a class of attack in which the threat actor first alters the program’s memory and then gets his malicious code executed, usually by tampering with the bookkeeping data kept by the program’s dynamic memory manager, known as ‘the heap’, whose design never anticipated such tampering.

A recent example of this was revealed by Check Point Research in February this year, when we showed how a threat actor could exploit an IoT network (smart lightbulbs and their control bridge) to launch attacks on conventional computer networks in homes, businesses or even smart cities. Researchers showed how vulnerabilities in the market-leading Philips Hue smart bulbs and bridge (CVE-2020-6007) enabled them to infiltrate networks by triggering a heap-based buffer overflow in the bridge software.

A lightbulb moment – Safe Linking puts security at the top of the heap

After concluding this research into smart lightbulb security, our researchers couldn’t stop thinking about the exploit they had just developed and mitigated (see the demonstration video). Having exploited similar vulnerabilities in Linux for years, they asked themselves: surely there must be a way to help the global community mitigate this popular exploit primitive?

Seeking to put an end to this long-standing problem, our researchers created a security mechanism to protect the heap’s internal structure from being tampered with, which they have called “Safe-Linking.”

Safe-Linking makes use of the randomness inherited from Address Space Layout Randomization (ASLR), a security mechanism now deployed in most modern operating systems. ASLR randomly picks the base addresses at which the program and its memory regions, including the heap, are loaded, forcing the hacker either to guess the correct memory addresses or to leak them using an additional, highly specific vulnerability.

Put simply, Safe-Linking scrambles the pointers with which the heap links its free chunks together in its singly-linked free lists: each such pointer is stored XORed with the upper bits of its own storage address, bits that ASLR has already randomized. A hacker who corrupts one of these pointers can no longer point it at a location of his choosing unless he already knows where the heap sits in memory, which makes it much harder to turn a heap corruption into a working exploit against the program.
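As an added illustration (not code from the original article, from Check Point or from glibc), the toy allocator below contrasts a raw singly-linked free list with a Safe-Linked one and runs the classic “fd poisoning” attack against both. The PROTECT_PTR/REVEAL_PTR macros have the same shape as the glibc 2.32 ones; the chunk layout, the `pool` array standing in for the heap, the `target` object and the attack helpers are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy allocator illustrating Safe-Linking (added example, not glibc's or
 * Check Point's code).  PROTECT_PTR/REVEAL_PTR follow the glibc 2.32 shape:
 * a stored "next" pointer is XORed with its own slot's address shifted right
 * by 12, i.e. with the page-number bits that ASLR randomised.  The chunk
 * layout, pool and target below are made up for the demonstration. */
#define PAGE_SHIFT 12
#define PROTECT_PTR(pos, ptr) \
    ((chunk_t *)((((uintptr_t)(pos)) >> PAGE_SHIFT) ^ ((uintptr_t)(ptr))))
#define REVEAL_PTR(pos, ptr) PROTECT_PTR(pos, ptr) /* XOR is its own inverse */

/* glibc also rejects unaligned chunks coming off the list; a wild pointer
 * produced by a blind overwrite usually trips this check first. */
#define ALIGNED_OK(p) ((((uintptr_t)(p)) & 0xF) == 0)

typedef struct chunk {
    struct chunk *fd;      /* free-list link, stored inside the freed data */
    char payload[24];
} chunk_t;

typedef struct {
    chunk_t *head;
    int safe;              /* 0 = raw pointers (pre-2.32), 1 = Safe-Linking */
} freelist_t;

static _Alignas(16) chunk_t pool[2];    /* stands in for the heap */
static _Alignas(16) char target[32];    /* stands in for a sensitive object */

static void fl_push(freelist_t *fl, chunk_t *c) {
    c->fd = fl->safe ? PROTECT_PTR(&c->fd, fl->head) : fl->head;
    fl->head = c;
}

/* Returns NULL where glibc would abort ("unaligned tcache chunk detected"). */
static chunk_t *fl_pop(freelist_t *fl) {
    chunk_t *c = fl->head;
    if (c == NULL) return NULL;
    if (fl->safe && !ALIGNED_OK(c)) return NULL;
    fl->head = fl->safe ? REVEAL_PTR(&c->fd, c->fd) : c->fd;
    return c;
}

/* Where the next allocation would be served from, subject to the alignment
 * check.  The head is not dereferenced: after poisoning it may be wild. */
static chunk_t *fl_next_alloc(const freelist_t *fl) {
    if (fl->safe && fl->head != NULL && !ALIGNED_OK(fl->head)) return NULL;
    return fl->head;
}

/* fd poisoning: two chunks are freed, then an overflow from a neighbouring
 * allocation overwrites the first chunk's fd with 'forged'.  Returns where
 * the second malloc() after that would land, which the attacker wants to
 * control. */
static chunk_t *poison_and_allocate(int safe, chunk_t *forged) {
    freelist_t fl = { .head = NULL, .safe = safe };
    memset(pool, 0, sizeof pool);
    fl_push(&fl, &pool[1]);
    fl_push(&fl, &pool[0]);              /* head -> pool[0] -> pool[1] -> NULL */
    memcpy(&pool[0].fd, &forged, sizeof forged);   /* the overflow */
    if (fl_pop(&fl) == NULL) return NULL;          /* first malloc: pool[0] */
    return fl_next_alloc(&fl);                     /* second malloc */
}

/* Old behaviour: write the target address into fd, get it back from malloc. */
static chunk_t *attack_legacy(void) {
    return poison_and_allocate(0, (chunk_t *)target);
}

/* Safe-Linking, no heap address known: the same bytes are unmasked with a
 * value the attacker could not predict, so the allocation lands elsewhere
 * (or is rejected as unaligned). */
static chunk_t *attack_safe_blind(void) {
    return poison_and_allocate(1, (chunk_t *)target);
}

/* Safe-Linking with a leaked heap address: knowing &pool[0].fd, the attacker
 * pre-masks the target exactly as free() would have, and the attack works
 * again.  This is the leak Safe-Linking forces an exploit to obtain first. */
static chunk_t *attack_safe_with_leak(void) {
    chunk_t *forged = PROTECT_PTR(&pool[0].fd, (chunk_t *)target);
    return poison_and_allocate(1, forged);
}

int main(void) {
    printf("target object at               %p\n", (void *)target);
    printf("legacy list, blind fd write  -> %p\n", (void *)attack_legacy());
    printf("safe-linked, blind fd write  -> %p\n", (void *)attack_safe_blind());
    printf("safe-linked, with heap leak  -> %p\n", (void *)attack_safe_with_leak());
    return 0;
}
```

Compile with any C11 compiler and run it a few times: the printed addresses change with ASLR, but the legacy attack and the leak-assisted attack always land on `target`, while the blind attack against the Safe-Linked list never does.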

This specific mitigation would have blocked several major exploits that we have investigated over the years, turning ‘broken’ software products into ‘unexploitable’ ones. In the case of our research into smart lightbulb vulnerabilities, it would have blocked the exploit and the attack that followed.

Our Safe-Linking approach has been pitched to and accepted into the most crucial core libraries of the Linux ecosystem, including glibc (the GNU C Library, whose malloc most Linux programs use) and uClibc-NG. These libraries are the core building blocks of computers and the internet, used by almost every website, application and device in existence today.

Final Note

Safe-Linking is not a magic bullet that will stop all exploit attempts against modern heap implementations. However, it is another step in the right direction: by forcing attackers to obtain a heap-address leak before they can even start their exploit, we have raised the security bar and made exploitation harder. This in turn helps to better protect users globally.

For more information, and a technical deep-dive into Safe-Linking, read all about it on our research blog.