| Metric | Fast Path | Slow Path | Ratio |
|---|---|---|---|
| Min Latency | ~50 ns | ~5,000 ns | 100x |
| Avg Latency | ~80 ns | ~8,500 ns | 106x |
| p99 Latency | ~150 ns | ~15,000 ns | 100x |
Exploitable timing side-channel with >99% distinguishability
Features • Installation • Usage • Technical Details • Results • References
This proof-of-concept demonstrates the SLUBSTICK exploitation technique, which leverages race conditions between the Linux kernel's SLUB allocator per-CPU freelists and the buddy allocator fallback path. The technique has been used in real-world kernel exploits including:
- CVE-2021-22555 - Netfilter heap overflow combined with SLUBSTICK
- CVE-2022-29582 - io_uring use-after-free with cross-cache attack
⚠️ DISCLAIMER: This code is for educational and security research purposes only. Unauthorized use against systems you don't own is illegal and unethical.
## Installation

```bash
# Required tools
sudo apt update
sudo apt install build-essential gcc make git

# Optional: For better timing accuracy
sudo apt install linux-tools-common linux-tools-generic
```

```bash
# Clone the repository
git clone https://github.com/shadowgun-cpu/Poc-SLUBSTICK
cd Poc-SLUBSTICK

# Compile with optimizations
gcc -O2 -Wall -Wextra -o slub slub.c -lpthread -lrt
```

```bash
# Run with elevated privileges (recommended for real-time scheduling)
sudo ./slub

# Or run without sudo (slightly reduced timing accuracy)
./slub
```

Other build variants:

```bash
# Debug build with symbols
gcc -g -O0 -Wall -Wextra -o slub slub.c -lpthread -lrt

# Optimized build with additional warnings
gcc -O3 -Wall -Wextra -Wpedantic -march=native -o slub slub.c -lpthread -lrt

# Static build (portable)
gcc -O2 -static -o slub slub.c -lpthread -lrt
```

## Usage

```bash
# Run the complete analysis
sudo ./slub
```

```
┌──────────────────────────────────────────────────────────────────┐
│                                                                  │
│   SLUBSTICK Exploitation Technique - PoC                         │
│                                                                  │
│   Demonstrates race condition between SLUB per-CPU freelist and  │
│   buddy allocator, enabling cross-cache attacks and UAF exploits │
│                                                                  │
└──────────────────────────────────────────────────────────────────┘

Configuration:
  Target cache:         kmalloc-64
  Per-CPU pool size:    1024 objects
  Slow pool size:       128 pages
  Benchmark iterations: 2000
  CPU pinning:          CPU 0
  Page size:            4096 bytes

[✓] Pinned to CPU 0 (per-CPU attack simulation)
[✓] Real-time scheduling enabled
[*] Priming per-CPU freelist...
[✓] Freelist primed with 1024 objects
[*] Running warmup phase...
[✓] System stabilized
[*] Running allocation benchmark...
Progress: [██████████████████████████████████████████████████] Complete!
```
The tool outputs three main sections:
- Performance Analysis - Latency statistics for fast/slow paths
- Race Condition Analysis - Exploitable timing windows
- Attack Surface Summary - Exploitation primitives and mitigations
## Technical Details

```
┌─────────────────────────────────────────────────────────────┐
│                     Application Layer                       │
│                  (Controlled Allocations)                   │
└──────────────────────┬──────────────────────────────────────┘
                       │
                       ▼
           ┌─────────────────────────────┐
           │   Per-CPU Freelist Cache    │ ◄─── FAST PATH
           │   (Lockless, ~50-150ns)     │      (Exploitable)
           └──────────┬──────────────────┘
                      │ Cache Miss
                      ▼
           ┌─────────────────────────────┐
           │   Buddy Allocator (mmap)    │ ◄─── SLOW PATH
           │ (Syscall, ~5,000-15,000ns)  │      (Race Window)
           └─────────────────────────────┘
```
Mimics SLUB's per-CPU freelist behavior:
- Lockless LIFO structure
- Cache-line prefetching
- O(1) allocation/deallocation
```c
/* Per-CPU pool and its LIFO index (globals in slub.c; the size matches the
   "Per-CPU pool size" setting shown in the configuration output above). */
static void *fast_pool[1024];
static int fast_index;

void *fast_alloc(void) {
    if (fast_index > 0) {
        /* Warm the cache line holding the next object before popping it. */
        __builtin_prefetch(&fast_pool[fast_index - 1], 0, 3);
        return fast_pool[--fast_index];
    }
    return NULL;   /* Freelist exhausted: caller falls back to the slow path. */
}
```

Emulates buddy allocator page allocation:
- System call overhead (mmap)
- Page fault handling
- Memory zeroing
```c
#include <string.h>
#include <sys/mman.h>

void *slow_alloc(void) {
    void *ptr = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (ptr != MAP_FAILED) {
        memset(ptr, 0, 4096);   // Simulate page zeroing
    }
    return ptr;                  // MAP_FAILED on error, as with mmap itself
}
```

Measures the exploitable window between free and reallocation:
```c
// Time the vulnerable window (victim was obtained earlier from fast_alloc())
struct timespec start, end;
clock_gettime(CLOCK_MONOTONIC, &start);
fast_free(victim);                          // Free object
void *attacker = fast_alloc();              // Attacker allocation
clock_gettime(CLOCK_MONOTONIC, &end);
uint64_t window = nsec_diff(start, end);    // Race window in nanoseconds
```

## Results

<details>
<summary>Click to view sample output</summary>

```
═══════════════════════════════════════════════════════════════════
                       PERFORMANCE ANALYSIS
═══════════════════════════════════════════════════════════════════

[FAST PATH - Per-CPU Freelist]
  Allocations:    1543
  Min latency:      42 ns
  Median (p50):     78 ns
  p95 latency:     125 ns
  p99 latency:     187 ns
  Max latency:     342 ns
  Avg latency:      84 ns

Fast Path Latency Distribution:
  Range (ns)    Count   Graph
  ─────────────────────────────────────────────────────────────────
  0 - 100        1234   ██████████████████████████████████████████████████
  100 - 200       287   ███████████
  200 - 300        18   █
  300 - 400         4   █

[SLOW PATH - Buddy Allocator]
  Allocations:     457
  Min latency:    4821 ns
  Median (p50):   8234 ns
  p95 latency:   14521 ns
  p99 latency:   18934 ns
  Max latency:   23847 ns
  Avg latency:    8642 ns

[EXPLOITATION METRICS]
  Performance gap:      102.88x slower
  Timing side-channel:  8558 ns delta
  Distinguishable:      YES (>1μs)

[RACE CONDITION ANALYSIS]
  Samples collected:    500
  Avg race window:      6234 ns
  Exploitable windows:  487 (97.40%)
  Exploitation viable:  YES
```

</details>
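The fast path, slow path and window measurement in the Technical Details section above are shown as fragments. The following is a self-contained userspace model, added here as an example and not code from the Poc-SLUBSTICK repository or its slub.c, that puts them together: it primes a 1024-object LIFO pool carved out of a single mapping (the kmalloc-64 and pool-size settings come from the configuration output above; carving 64-byte slots from one mapping is this example's own choice), times both paths with clock_gettime, computes the nearest-rank percentiles that the report prints, and checks the property the mitigations table is about: with a plain LIFO freelist, the allocation immediately after a free hands back the object that was just freed. The names prime_freelist, time_reuse_window and percentile are this example's own.

```c
// Added example, not code from the Poc-SLUBSTICK repository: a userspace model
// of the two allocation paths described above, the LIFO reuse behaviour, and
// the nearest-rank percentiles the PoC reports. Pool and page sizes follow the
// README's configuration; everything else is an assumption of this example.
#define _GNU_SOURCE
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/mman.h>

#define OBJ_SIZE  64     /* kmalloc-64 target cache */
#define POOL_SIZE 1024   /* per-CPU pool size from the README configuration */
#define PAGE_SZ   4096

static void *fast_pool[POOL_SIZE];
static int   fast_index;

/* Fast path: O(1) LIFO pop without a lock, mirroring the README's fast_alloc(). */
void *fast_alloc(void) {
    return fast_index > 0 ? fast_pool[--fast_index] : NULL;
}

/* Fast path free: LIFO push. Returns 0 on success, -1 if the pool is full. */
int fast_free(void *obj) {
    if (fast_index >= POOL_SIZE) return -1;
    fast_pool[fast_index++] = obj;
    return 0;
}

/* Slow path: a fresh page from the kernel (syscall + page fault + zeroing). */
void *slow_alloc(void) {
    void *p = mmap(NULL, PAGE_SZ, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memset(p, 0, PAGE_SZ);
    return p;
}

/* Carve POOL_SIZE objects of OBJ_SIZE out of one mapping and push them all.
   Returns the number of objects now on the freelist, or -1 on mmap failure. */
int prime_freelist(void) {
    size_t bytes = (size_t)POOL_SIZE * OBJ_SIZE;
    char *region = mmap(NULL, bytes, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;
    fast_index = 0;
    for (int i = 0; i < POOL_SIZE; i++) fast_free(region + (size_t)i * OBJ_SIZE);
    return fast_index;
}

/* Elapsed nanoseconds from a to b; clamps to 0 if the clock went backwards. */
uint64_t nsec_diff(struct timespec a, struct timespec b) {
    int64_t ns = (int64_t)(b.tv_sec - a.tv_sec) * 1000000000LL
               + (int64_t)(b.tv_nsec - a.tv_nsec);
    return ns > 0 ? (uint64_t)ns : 0;
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Nearest-rank percentile (1 <= p <= 100, n > 0) over a sorted copy of samples. */
uint64_t percentile(const uint64_t *samples, size_t n, unsigned p) {
    uint64_t *copy = malloc(n * sizeof *copy);
    memcpy(copy, samples, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_u64);
    size_t rank = ((size_t)p * n + 99) / 100;   /* ceil(p * n / 100) */
    uint64_t v = copy[rank ? rank - 1 : 0];
    free(copy);
    return v;
}

/* Time one free-then-alloc pair on the fast path for an object previously
   returned by fast_alloc(). *reused reports whether the allocation handed back
   the object just freed: the LIFO reuse a use-after-free depends on. */
uint64_t time_reuse_window(void *victim, int *reused) {
    struct timespec s, e;
    clock_gettime(CLOCK_MONOTONIC, &s);
    fast_free(victim);
    void *again = fast_alloc();
    clock_gettime(CLOCK_MONOTONIC, &e);
    *reused = (again == victim);
    return nsec_diff(s, e);
}

int main(void) {
    enum { ITERS = 500 };
    uint64_t fast[ITERS], slow[ITERS];
    struct timespec s, e;
    if (prime_freelist() < 0) return 1;
    for (int i = 0; i < ITERS; i++) {
        clock_gettime(CLOCK_MONOTONIC, &s);
        void *o = fast_alloc();
        clock_gettime(CLOCK_MONOTONIC, &e);
        fast[i] = nsec_diff(s, e);
        fast_free(o);
        clock_gettime(CLOCK_MONOTONIC, &s);
        void *pg = slow_alloc();
        clock_gettime(CLOCK_MONOTONIC, &e);
        slow[i] = nsec_diff(s, e);
        if (pg) munmap(pg, PAGE_SZ);
    }
    printf("fast p50 %" PRIu64 " ns, p99 %" PRIu64 " ns | slow p50 %" PRIu64 " ns, p99 %" PRIu64 " ns\n",
           percentile(fast, ITERS, 50), percentile(fast, ITERS, 99),
           percentile(slow, ITERS, 50), percentile(slow, ITERS, 99));
    return 0;
}
```

Build with `gcc -O2 -o model model.c` and run it; the printed latencies vary by machine, but the slow path is expected to be orders of magnitude slower than the fast one, which is the distinguishability the table at the top of this page reports. The reuse check is deterministic for a plain LIFO list. Init-on-free and init-on-alloc do not change that order, but they do mean a reused object no longer carries stale contents, which is why the mitigations table rates them highly.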
### Exploitation Feasibility
| Factor | Status | Notes |
|--------|--------|-------|
| **Timing Side-Channel** | ✅ Viable | >100x distinguishable gap |
| **Race Window** | ✅ Viable | 5-10μs average window |
| **Freelist Control** | ✅ Viable | Predictable exhaustion |
| **Cross-Cache Attack** | ✅ Viable | Buddy allocator fallback |
---
## 🛡️ Exploitation Primitives
### Attack Vector Breakdown
```mermaid
graph TD
    A[Attacker Capabilities] --> B{Heap Spray}
    A --> C{Timing Control}
    B --> D[Fill Per-CPU Cache]
    C --> D
    D --> E[Exhaust Freelist]
    E --> F[Trigger Slow Path]
    F --> G[Race Window Opens]
    G --> H[UAF / Type Confusion]
    H --> I[Privilege Escalation]
```

- **Allocation Control**
  - Ability to trigger allocations in target cache (e.g., kmalloc-64)
  - Spray heap with controlled data
- **Timing Control**
  - Trigger allocations at specific times
  - Control free/alloc sequences
- **Information Leak**
  - Timing oracle OR
  - Memory disclosure primitive
- **Race Capability**
  - Execute code during race window (5-10μs typically sufficient)
## Mitigations

```bash
# Enable recommended mitigations
CONFIG_SLAB_FREELIST_RANDOM=y       # Randomize freelist order
CONFIG_SLAB_FREELIST_HARDENED=y     # Obfuscate freelist metadata
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y   # Zero allocations by default
CONFIG_INIT_ON_FREE_DEFAULT_ON=y    # Zero on free
```

| Mitigation | Introduced | Effectiveness |
|---|---|---|
| Freelist Randomization | Linux 4.7 | Moderate |
| Freelist Hardening | Linux 4.14 | High |
| Init-on-alloc | Linux 5.3 | Very High |
| Improved SLUB | Linux 5.17+ | Very High |
- Monitor allocation patterns: Unusual freelist exhaustion
- Timing analysis: Detect repeated slow-path triggers
- KASLR: Makes heap spraying more difficult
- KPTI: Reduces timing precision from userspace
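For the two detection ideas above (unusual freelist exhaustion, repeated slow-path triggers), here is a heuristic monitor added as an example; it is not part of the Poc-SLUBSTICK project. It parses two snapshots of /proc/slabinfo (root-readable, documented version 2.1 line layout) and flags a cache that is both nearly fully utilised and has grown in slab count between the snapshots, which is what freelists being exhausted and refilled from the buddy allocator looks like from outside the kernel. The two snapshots, the 0.98 threshold and the function names are constructed for this example.

```c
// Added example, not from the Poc-SLUBSTICK repository: a heuristic monitor
// driven by two constructed /proc/slabinfo snapshots. A cache whose objects are
// almost all in use (freelists close to exhausted) and whose slab count grew
// between snapshots (new pages pulled from the buddy allocator, i.e. repeated
// slow-path allocations) is flagged. The line layout is the /proc/slabinfo
// version 2.1 format; thresholds and sample numbers are this example's own.
#include <stdio.h>
#include <string.h>

struct slab_stat {
    char name[64];
    unsigned long active_objs, num_objs, objsize;
    unsigned long active_slabs, num_slabs;
};

/* Parse one data line of /proc/slabinfo (v2.1). Returns 1 on success, 0 for
   the two header lines or anything that does not match the documented layout. */
int parse_slab_line(const char *line, struct slab_stat *out) {
    unsigned long objperslab, pagesperslab, limit, batch, shared, sharedavail;
    if (line[0] == '#' || strncmp(line, "slabinfo", 8) == 0)
        return 0;
    int n = sscanf(line,
                   "%63s %lu %lu %lu %lu %lu : tunables %lu %lu %lu : slabdata %lu %lu %lu",
                   out->name, &out->active_objs, &out->num_objs, &out->objsize,
                   &objperslab, &pagesperslab, &limit, &batch, &shared,
                   &out->active_slabs, &out->num_slabs, &sharedavail);
    return n == 12;
}

/* Parse a whole snapshot (newline-separated text) into stats[]; returns count. */
size_t parse_snapshot(const char *text, struct slab_stat *stats, size_t max) {
    size_t count = 0;
    const char *p = text;
    while (*p && count < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;   /* header lines are long */
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_slab_line(line, &stats[count])) count++;
        p = nl ? nl + 1 : p + len;
    }
    return count;
}

/* Fraction of a cache's objects in use; 0 for an empty cache. */
double slab_utilisation(const struct slab_stat *s) {
    return s->num_objs ? (double)s->active_objs / (double)s->num_objs : 0.0;
}

/* Alert when the same cache is nearly full AND had to grow: together these are
   the signature of freelists being exhausted and refilled from the page
   allocator. util_threshold is a fraction, e.g. 0.98. */
int slab_alert(const struct slab_stat *before, const struct slab_stat *after,
               double util_threshold) {
    if (strcmp(before->name, after->name) != 0) return 0;
    return slab_utilisation(after) >= util_threshold &&
           after->num_slabs > before->num_slabs;
}

/* Constructed snapshots: kmalloc-64 grows by 56 slabs at ~99% utilisation while
   kmalloc-128 is idle. Real input is two reads of /proc/slabinfo (root only). */
static const char SNAP_BEFORE[] =
    "slabinfo - version: 2.1\n"
    "# name <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>\n"
    "kmalloc-64   12288  13056   64  64  1 : tunables 0 0 0 : slabdata 204 204 0\n"
    "kmalloc-128   2000   4096  128  32  1 : tunables 0 0 0 : slabdata 128 128 0\n";
static const char SNAP_AFTER[] =
    "slabinfo - version: 2.1\n"
    "# name <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>\n"
    "kmalloc-64   16500  16640   64  64  1 : tunables 0 0 0 : slabdata 260 260 0\n"
    "kmalloc-128   2000   4096  128  32  1 : tunables 0 0 0 : slabdata 128 128 0\n";

/* Match caches by name across the two snapshots; returns the number of alerts. */
int compare_snapshots(const char *before_txt, const char *after_txt, double thr) {
    struct slab_stat before[64], after[64];
    size_t nb = parse_snapshot(before_txt, before, 64);
    size_t na = parse_snapshot(after_txt, after, 64);
    int alerts = 0;
    for (size_t i = 0; i < na; i++)
        for (size_t j = 0; j < nb; j++)
            if (slab_alert(&before[j], &after[i], thr)) {
                printf("ALERT %s: util %.1f%%, slabs %lu -> %lu\n", after[i].name,
                       100.0 * slab_utilisation(&after[i]),
                       before[j].num_slabs, after[i].num_slabs);
                alerts++;
            }
    return alerts;
}

int main(void) { return compare_snapshots(SNAP_BEFORE, SNAP_AFTER, 0.98) ? 0 : 1; }
```

In production you would feed it consecutive reads of /proc/slabinfo a few seconds apart and tune the threshold per cache. kmalloc caches also grow legitimately under load, so a hit is a signal to correlate with the responsible process and with the timing pattern described above, not proof of an attack on its own.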
## References

- "The SLAB Allocator: An Object-Caching Kernel Memory Allocator" - Bonwick (1994)
- "SLUB: The Unqueued Slab Allocator" - Corbet (2007)
- "Exploiting the SLUB Allocator" - Wicked (2021)
- CVE-2021-22555 - Netfilter heap overflow
- CVE-2022-29582 - io_uring use-after-free
- CVE-2022-27666 - ESP transformation UAF
- Linux Kernel SLUB Implementation
- Kernel Exploit Development Tutorial
- Project Zero: Exploiting the Linux Kernel
## Contributing

Contributions are welcome! Please follow these guidelines:

- Fork the repository
- Create a feature branch (`git checkout -b feature/improvement`)
- Make your changes with clear commit messages
- Add tests if applicable
- Submit a pull request

Code style:

- Follow Linux kernel coding style
- Use 4-space indentation
- Add comments for complex logic
- Include docstrings for functions
## License

This project is licensed under the MIT License - see the LICENSE file for details.
MIT License
Copyright (c) 2026 [alae eddine]
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction...
```
┌──────────────────────────────────────────────────────────────────┐
│  ⚠️ EDUCATIONAL USE ONLY                                         │
│                                                                  │
│  This code is provided for:                                      │
│  ✓ Security research                                             │
│  ✓ Educational purposes                                          │
│  ✓ Vulnerability analysis                                        │
│  ✓ Defense development                                           │
│                                                                  │
│  Unauthorized access to computer systems is illegal.             │
│  Always obtain proper authorization before testing.              │
│                                                                  │
│  The author assumes no liability for misuse of this software.    │
└──────────────────────────────────────────────────────────────────┘
```
[ALae eddine]
## Acknowledgments

- Linux kernel development team for SLUB allocator
- Security researchers who discovered and documented SLUBSTICK
- The InfoSec community for ongoing kernel security research