Figure 3. Firewall rules deny admission to web server port
node corresponds to one memory bank. A node
is further divided into three zones: zone dma,
zone normal and zone highmem. Zone dma is
the first 16MB reserved for direct memory access
(DMA) transfers. Zone normal spans from 16MB
to 896MB. This is the zone that is used by user
applications and dynamic data requests within
the kernel. This zone and zone dma are linearly
mapped in the kernel virtual address space. Zone
highmem is memory beyond 896MB. This zone
is not linearly mapped and is used for allocations
that require a large amount of contiguous memory
in the virtual address space.
Each zone is always kept balanced by the kernel
memory allocator called the buddy allocator and
the page swapper kswapd. The balance is achieved
using zone watermarks, which are basically indicators
for gauging memory pressure in the particular
zone. The zone watermarks have different values
for all the three zones. These are initialized on
startup depending on the number of pages present
in the zones. These three watermarks are called
pages_min, pages_low and pages_high respectively,
as shown in Figure 4. When the number of free
pages in a zone drops below pages_low pages,
kswapd is woken up. kswapd tries to free pages
by swapping unused pages to the swap store. It
continues this process until the number of pages
reaches pages_high and then goes back to sleep.
When the number of pages reaches pages_min,
the buddy allocator tries to synchronously free
pages. Note that sometimes the number of free
pages can go below pages_min, due to atomic
allocations requested by the kernel.
Attack Description: The zone watermarks
for each zone are stored in a global data structure
called zone_table. Zone_table is an array of zone_t
data structures that correspond to each zone. Zone
watermarks are stored inside this data structure.
This symbol is exported even by the 2.6 kernel.
The location of this table can be found by referring
to the System.map file. We wrote a simple kernel
module to corrupt the zone watermarks for the zone
normal memory zone. The original and new values
for these watermarks are shown in Table 1. We
push the pages_min and the pages_low watermarks
very close to the pages_high watermark. We also
make the pages_high watermark very close to the
total number of pages in that zone.
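
A defensive check for the corruption described above, as an added example that is not from the original text: it parses watermark values in the layout of /proc/zoneinfo (an assumption; the text itself only names zone_table and System.map) and flags zones whose watermarks are out of order or whose pages_high reserves an implausible share of the zone. The sample input, the function names and the 5% threshold are constructed for illustration.

```python
import re

# Constructed sample in /proc/zoneinfo layout; watermark values are illustrative.
SAMPLE = """\
Node 0, zone      DMA
  pages free     2950
        min      17
        low      21
        high     25
        present  4096
Node 0, zone   Normal
  pages free     210065
        min      210000
        low      210030
        high     210060
        present  225280
"""

ZONE_RE = re.compile(r"^Node\s+(\d+),\s+zone\s+(\S+)")
FIELD_RE = re.compile(r"^\s*(?:pages\s+)?(free|min|low|high|present)\s+(\d+)\s*$")

def parse_zoneinfo(text):
    """Return {(node, zone): {field: pages}} for the watermark-related fields."""
    zones, current = {}, None
    for line in text.splitlines():
        zone, field = ZONE_RE.match(line), FIELD_RE.match(line)
        if zone:
            current = zones.setdefault((int(zone.group(1)), zone.group(2)), {})
        elif field and current is not None:
            # First occurrence wins; per-CPU "high:" lines do not match FIELD_RE.
            current.setdefault(field.group(1), int(field.group(2)))
    return zones

def suspicious_zones(zones, max_high_fraction=0.05):
    """Flag zones whose watermarks are misordered or reserve too much of the zone."""
    findings = []
    for (node, name), z in sorted(zones.items()):
        if not {"min", "low", "high", "present"} <= z.keys() or z["present"] == 0:
            continue  # incomplete record or empty zone
        if not (z["min"] <= z["low"] <= z["high"]):
            findings.append((node, name, "watermarks out of order"))
        elif z["high"] > max_high_fraction * z["present"]:
            pct = 100.0 * z["high"] / z["present"]
            findings.append((node, name, f"pages_high is {pct:.1f}% of zone"))
    return findings

if __name__ == "__main__":
    # On a live host, pass open("/proc/zoneinfo").read() instead of SAMPLE.
    for node, name, why in suspicious_zones(parse_zoneinfo(SAMPLE)):
        print(f"node {node} zone {name}: {why}")
```

A system whose administrator has deliberately raised the reserved-memory setting may need a higher threshold than the 5% assumed here.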
This forces the zone balancing logic to maintain
the number of free pages close to the total number
of pages in that zone, essentially wasting a big
chunk of the physical memory. Table 1 shows that
210065 (820.56 MB) pages are maintained in the
free pool. This attack can be similarly carried out
for other zones as well, wasting almost all memory
installed on the system. The table indicates that
only about 60MB is used and the rest is main-