oss-sec mailing list archives

Mayhem: Targeted Corruption of Register and Stack Variables


From: "Tol, Caner" <mtol () wpi edu>
Date: Thu, 21 Dec 2023 18:54:57 +0000

Our recent paper (https://arxiv.org/pdf/2309.02545.pdf) [AsiaCCS'24] describes a potential vulnerability where 
stack/register variables can be flipped via fault injection, affecting execution flow in security-sensitive code. There 
are mitigation strategies you may be interested in incorporating into your code:

Take this vulnerable code, for example:

int auth = 0;

/* password check code that sets auth variable */

if (auth != 0)
    return AUTH_SUCCESS;
else
    return AUTH_FAILURE;

The idea is that any bit can be flipped in auth, and it will result in a mis-authentication. We prove this is a 
potential vulnerability in OpenSSH, OpenSSL, MySQL, and SUDO. To mitigate this, it is important to have tight logic 
such that a single-bit flip will not result in unintended execution. For example:

int auth = 0xbe405d1a;

/* password check code that sets auth variable to 0x23ab9701 if the check is successful */

if (auth == 0x23ab9701)
    return AUTH_SUCCESS;
else
    return AUTH_FAILURE;

In this case, the auth variable must be corrupted into the exact authentication pattern, which is fairly improbable.



We issued CVE-2023-42465 for SUDO for this vulnerability.

Here is the patch implemented in v1.9.15.

https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f

Paper link: https://arxiv.org/abs/2309.02545



Caner Tol
___________________________
Worcester Polytechnic Institute
https://vernamlab.org
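The following is an added example, not code from the post, the paper or the sudo patch. It takes the two checks from the post and enumerates every single-bit corruption of the auth variable, so the difference between "any non-zero value passes" and "only one 32-bit pattern passes" can be measured rather than argued; the numeric values of AUTH_SUCCESS and AUTH_FAILURE are an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example. AUTH_SUCCESS/AUTH_FAILURE are the post's names; the numeric
 * values given to them here are an assumption. The two patterns are the post's. */
#define AUTH_SUCCESS 1
#define AUTH_FAILURE 0
#define AUTH_INIT_PATTERN 0xbe405d1aU  /* post's "not authenticated" sentinel */
#define AUTH_OK_PATTERN   0x23ab9701U  /* post's "authenticated" sentinel */

/* The post's vulnerable check: any non-zero value is accepted. */
int check_vulnerable(uint32_t auth)
{
    return auth != 0 ? AUTH_SUCCESS : AUTH_FAILURE;
}

/* The post's hardened check: only the exact pattern is accepted. */
int check_hardened(uint32_t auth)
{
    return auth == AUTH_OK_PATTERN ? AUTH_SUCCESS : AUTH_FAILURE;
}

/* Fault model: exactly one bit of the 32-bit variable is flipped after it is
 * initialised to `initial` and before the check runs. Returns how many of the
 * 32 possible single-bit flips the check accepts as AUTH_SUCCESS. */
int count_bitflip_successes(int (*check)(uint32_t), uint32_t initial)
{
    int successes = 0;
    for (int bit = 0; bit < 32; bit++) {
        if (check(initial ^ (1U << bit)) == AUTH_SUCCESS)
            successes++;
    }
    return successes;
}

/* Hamming distance between the two sentinels: the number of bits a fault would
 * have to flip at the same time to turn the initial value into the accepted one. */
int sentinel_hamming_distance(void)
{
    uint32_t d = AUTH_INIT_PATTERN ^ AUTH_OK_PATTERN;
    int n = 0;
    for (; d != 0; d &= d - 1)  /* clear lowest set bit until none remain */
        n++;
    return n;
}

int main(void)
{
    printf("vulnerable: %d/32 single-bit flips of auth=0 grant access\n",
           count_bitflip_successes(check_vulnerable, 0));
    printf("hardened:   %d/32 single-bit flips of the initial sentinel grant access\n",
           count_bitflip_successes(check_hardened, AUTH_INIT_PATTERN));
    printf("bits that must flip together to forge the pattern: %d\n",
           sentinel_hamming_distance());
    return 0;
}
```

Note that the hardened check fails closed: a flip of the authenticated pattern denies access rather than granting it, which is the acceptable direction for an authentication decision.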
