Figure 3. Firewall rules deny admission to web server port
node corresponds to one memory bank. A node
is further divided into three zones: zone dma,
zone normal and zone highmem. Zone dma is
the first 16MB reserved for direct memory access
(DMA) transfers. Zone normal spans from 16MB
to 896MB. This is the zone that is used by user
applications and dynamic data requests within
the kernel. This zone and zone dma are linearly
mapped in the kernel virtual address space. Zone
highmem is memory beyond 896MB. This zone
is not linearly mapped and is used for allocations
that require a large amount of contiguous memory
in the virtual address space.
Each zone is always kept balanced by the kernel
memory allocator, called the buddy allocator, and
the page swapper kswapd. The balance is achieved
using zone watermarks, which are basically
indicators for gauging memory pressure in the
particular zone. The zone watermarks have different
values for all the three zones. These are
initialized on startup depending on the number of
pages present in the zones. These three watermarks
are called pages_min, pages_low and pages_high
respectively, as shown in Figure 4. When the number
of free pages in a zone drops below pages_low,
kswapd is woken up. kswapd tries to free pages by
swapping unused pages to the swap store. It
continues this process until the number of pages
reaches pages_high and then goes back to sleep.
When the number of pages reaches pages_min, the
buddy allocator tries to synchronously free pages.
Note that sometimes the number of free pages can go
below pages_min, due to atomic allocations
requested by the kernel.
Attack Description: The zone watermarks for each
zone are stored in a global data structure called
zone_table. zone_table is an array of zone_t data
structures that correspond to each zone. Zone
watermarks are stored inside this data structure.
This symbol is exported even by the 2.6 kernel. The
location of this table can be found by referring to
the System.map file. We wrote a simple kernel
module to corrupt the zone watermarks for the zone
normal memory zone. The original and new values for
these watermarks are shown in Table 1. We push the
pages_min and the pages_low watermarks very close
to the pages_high watermark. We also make the
pages_high watermark very close to the total number
of pages in that zone.
This forces the zone balancing logic to maintain
the number of free pages close to the total number
of pages in that zone, essentially wasting a big
chunk of the physical memory. Table 1 shows that
210065 (820.56 MB) pages are maintained in the free
pool. This attack can be similarly carried out for
other zones as well, wasting almost all memory
installed on the system. The table indicates that
only about 60MB is used and the rest is main-
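A defender can look for the condition described above by comparing each zone's watermarks with the zone size. The following is an added example, not code from the original text: it assumes the kernel exposes the watermarks as the min/low/high lines of /proc/zoneinfo, the 25% threshold is an assumed value, and the sample input is constructed rather than taken from Table 1.

```python
import re

# Constructed /proc/zoneinfo excerpt (illustrative values, not the page's Table 1).
SAMPLE = """\
Node 0, zone      DMA
  pages free     3000
        min      17
        low      21
        high     25
        present  4096
Node 0, zone   Normal
  pages free     210065
        min      208000
        low      209000
        high     210000
        present  225280
"""

MAX_HIGH_FRACTION = 0.25  # assumed threshold; tune against a known-good baseline

def parse_zoneinfo(text):
    """Return {(node, zone): {field: pages}} for free/min/low/high/present."""
    zones, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Node\s+(\d+),\s+zone\s+(\S+)", line)
        if m:
            cur = zones.setdefault((int(m.group(1)), m.group(2)), {})
            continue
        m = re.match(r"\s+(?:pages\s+)?(free|min|low|high|present)\s+(\d+)\s*$", line)
        if m and cur is not None:
            cur.setdefault(m.group(1), int(m.group(2)))  # keep first occurrence
    return zones

def suspicious_zones(zones, max_frac=MAX_HIGH_FRACTION):
    """Flag zones whose watermarks are misordered or pinned near the zone size."""
    findings = []
    for (node, name), z in sorted(zones.items()):
        if not all(k in z for k in ("min", "low", "high", "present")) or z["present"] == 0:
            continue  # incomplete or empty zone: nothing to compare
        if not z["min"] <= z["low"] <= z["high"]:
            findings.append((node, name, "watermarks out of order"))
        elif z["high"] > max_frac * z["present"]:
            pct = 100 * z["high"] // z["present"]
            findings.append((node, name, f"pages_high is {pct}% of zone"))
    return findings

if __name__ == "__main__":
    for node, name, why in suspicious_zones(parse_zoneinfo(SAMPLE)):
        print(f"node {node} zone {name}: {why}")
```

On a live host, pass the contents of /proc/zoneinfo to parse_zoneinfo instead of SAMPLE. Because the module described above runs inside the kernel, this is a consistency check against a baseline, not proof of kernel integrity.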