English

Take a Step Further: Understanding Page Spray in Linux Kernel Exploitation

Cryptography and Security 2024-11-12 v3 Software Engineering

Abstract

Recently, a novel method known as Page Spray emerges, focusing on page-level exploitation for kernel vulnerabilities. Despite the advantages it offers in terms of exploitability, stability, and compatibility, comprehensive research on Page Spray remains scarce. Questions regarding its root causes, exploitation model, comparative benefits over other exploitation techniques, and possible mitigation strategies have largely remained unanswered. In this paper, we conduct a systematic investigation into Page Spray, providing an in-depth understanding of this exploitation technique. We introduce a comprehensive exploit model termed the \sys model, elucidating its fundamental principles. Additionally, we conduct a thorough analysis of the root causes underlying Page Spray occurrences within the Linux Kernel. We design an analyzer based on the Page Spray analysis model to identify Page Spray callsites. Subsequently, we evaluate the stability, exploitability, and compatibility of Page Spray through meticulously designed experiments. Finally, we propose mitigation principles for addressing Page Spray and introduce our own lightweight mitigation approach. This research aims to assist security researchers and developers in gaining insights into Page Spray, ultimately enhancing our collective understanding of this emerging exploitation technique and making improvements to the community.

Cite

@article{arxiv.2406.02624,
  title  = {Take a Step Further: Understanding Page Spray in Linux Kernel Exploitation},
  author = {Ziyi Guo and Dang K Le and Zhenpeng Lin and Kyle Zeng and Ruoyu Wang and Tiffany Bao and Yan Shoshitaishvili and Adam Doupé and Xinyu Xing},
  journal= {arXiv preprint arXiv:2406.02624},
  year   = {2024}
}

Comments

Published on 33rd USENIX Security Symposium (USENIX Security 24), see https://www.usenix.org/conference/usenixsecurity24/presentation/guo-ziyi

R2 v1 2026-06-28T16:53:27.331Z