
LinkDoor: A Hidden Attack Surface in the Android Netlink Kernel Modules

Black Hat

Netlink is a socket family designed for interprocess communication (IPC) between the kernel and userspace processes, available since 1999 with Linux 2.2. With the popularity of the Android operating system, it is widely used in Android kernel modules. Despite its capabilities, Netlink is often overlooked by security researchers because ioctl so strongly dominates userspace-kernelspace communication. Its programming complexity compared to ioctl also increases the chance of developers introducing security vulnerabilities. Netlink has therefore become a hidden attack surface buried deep in the Android ecosystem.

During our research, we found that Netlink can be divided into two categories according to its usage: Classic Netlink and Generic Netlink. Because Netlink is full-duplex, each category consists of two message processing flows in the kernel: top-down message parsing and bottom-up message building. Following this idea, we summarized four threat models and analyzed typical vulnerability scenarios for each. Based on these scenarios, we investigated Netlink-related kernel modules from 4 well-known vendors, discovered 30+ security vulnerabilities, and obtained 12 CVEs. Most of the vulnerabilities have been confirmed, and they can lead to serious consequences such as privilege escalation.
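The two flows named above, top-down parsing of a received message and bottom-up building of a reply, are where length handling tends to go wrong. The C program below is an added illustration, not code from the talk or from any vendor module: it builds a Netlink message from constructed sample attributes and parses it back with the header and attribute length checks that the kernel's nla_ok()-style attribute iteration performs, rejecting an attribute whose nla_len points past the end of the message and refusing to append an attribute that would overrun the reply buffer. The struct and macro definitions mirror the uapi layouts from linux/netlink.h so the example compiles without kernel headers; the sample values (message type 0x10, ifindex 7, the name "wlan0") are made up.

```c
#include <stdint.h>
#include <string.h>

/* Mirrors of the Linux uapi layouts in linux/netlink.h, redefined here so the
 * example also builds without kernel headers (an assumption of this example). */
struct nlmsghdr { uint32_t nlmsg_len; uint16_t nlmsg_type, nlmsg_flags; uint32_t nlmsg_seq, nlmsg_pid; };
struct nlattr   { uint16_t nla_len; uint16_t nla_type; };   /* nla_len: header + payload, no padding */
#define NL_ALIGN(len) (((len) + 3u) & ~3u)
#define NLMSG_HDRLEN  ((uint32_t)NL_ALIGN(sizeof(struct nlmsghdr)))   /* 16 */
#define NLA_HDRLEN    ((uint32_t)NL_ALIGN(sizeof(struct nlattr)))     /* 4 */

struct nl_builder  { uint8_t *buf; uint32_t cap; struct nlmsghdr *nlh; };
struct parsed_attr { uint16_t type, len; const uint8_t *data; };      /* len = payload bytes */

/* Start a message in a caller-provided buffer of cap bytes. */
int nlb_init(struct nl_builder *b, void *buf, uint32_t cap, uint16_t type)
{
    if (cap < NLMSG_HDRLEN) return -1;
    memset(buf, 0, cap);
    b->buf = buf; b->cap = cap; b->nlh = buf;
    b->nlh->nlmsg_len = NLMSG_HDRLEN; b->nlh->nlmsg_type = type;
    return 0;
}

/* Bottom-up building: append one attribute, refusing to overrun the buffer. */
int nlb_put(struct nl_builder *b, uint16_t type, const void *data, uint16_t datalen)
{
    uint32_t off = NL_ALIGN(b->nlh->nlmsg_len), need = NL_ALIGN(NLA_HDRLEN + datalen);
    if (datalen > 0xFFFFu - NLA_HDRLEN || off > b->cap || need > b->cap - off) return -1;
    struct nlattr *nla = (struct nlattr *)(b->buf + off);
    nla->nla_len = (uint16_t)(NLA_HDRLEN + datalen);
    nla->nla_type = type;
    memcpy((uint8_t *)nla + NLA_HDRLEN, data, datalen);
    b->nlh->nlmsg_len = off + need;
    return 0;
}

/* Top-down parsing: trust nothing in the headers until it is checked against
 * avail, the number of bytes actually received. The attribute checks are the
 * ones the kernel's nla_ok() performs. Returns the attribute count, or -1. */
int nl_parse_attrs(const void *msg, uint32_t avail, struct parsed_attr *out, int max_out)
{
    const struct nlmsghdr *nlh = msg;
    if (avail < NLMSG_HDRLEN || nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > avail)
        return -1;                              /* header lies about its size */
    const uint8_t *p = (const uint8_t *)msg + NLMSG_HDRLEN;
    uint32_t rem = nlh->nlmsg_len - NLMSG_HDRLEN;
    int n = 0;
    while (rem >= NLA_HDRLEN) {
        const struct nlattr *nla = (const struct nlattr *)p;
        if (nla->nla_len < NLA_HDRLEN || nla->nla_len > rem)
            return -1;                          /* shorter than its header, or past the payload end */
        if (n < max_out) {
            out[n].type = nla->nla_type;
            out[n].len = (uint16_t)(nla->nla_len - NLA_HDRLEN);
            out[n].data = p + NLA_HDRLEN;
        }
        n++;
        uint32_t step = NL_ALIGN(nla->nla_len);
        if (step > rem) step = rem;             /* the last attribute may omit its padding */
        p += step; rem -= step;
    }
    return n;   /* leftover bytes smaller than a header are ignored, as in the kernel */
}

/* Constructed sample: a message carrying a made-up ifindex and interface name. */
static union { uint32_t align; uint8_t bytes[256]; } storage;   /* 4-byte aligned like an skb payload */
#define MAX_ATTRS 8
static int build_sample(struct nl_builder *b)
{
    uint32_t ifindex = 7; const char name[] = "wlan0";
    if (nlb_init(b, storage.bytes, sizeof storage.bytes, 0x10) < 0) return -1;
    if (nlb_put(b, 1, &ifindex, sizeof ifindex) < 0) return -1;
    return nlb_put(b, 2, name, sizeof name);
}

int demo_valid(void)            /* well-formed message: both attributes come back */
{
    struct nl_builder b; struct parsed_attr a[MAX_ATTRS];
    if (build_sample(&b) < 0) return -9;
    int n = nl_parse_attrs(b.nlh, b.nlh->nlmsg_len, a, MAX_ATTRS);
    return (n == 2 && a[0].type == 1 && a[1].len == sizeof("wlan0")) ? n : -8;   /* returns 2 */
}

int demo_inflated_attr(void)    /* second attribute's nla_len points far past the message end */
{
    struct nl_builder b; struct parsed_attr a[MAX_ATTRS];
    if (build_sample(&b) < 0) return -9;
    struct nlattr *second = (struct nlattr *)(b.buf + NLMSG_HDRLEN + NL_ALIGN(NLA_HDRLEN + sizeof(uint32_t)));
    second->nla_len = 200;                      /* only 12 payload bytes remain */
    return nl_parse_attrs(b.nlh, b.nlh->nlmsg_len, a, MAX_ATTRS);   /* returns -1 */
}

int demo_builder_overrun(void)  /* reply buffer has room for the header and ifindex only */
{
    union { uint32_t align; uint8_t bytes[24]; } small; struct nl_builder b;
    uint32_t ifindex = 7; const char name[] = "wlan0";
    if (nlb_init(&b, small.bytes, sizeof small.bytes, 0x10) < 0) return -9;
    if (nlb_put(&b, 1, &ifindex, sizeof ifindex) < 0) return -8;
    return nlb_put(&b, 2, name, sizeof name);   /* returns -1 instead of writing past the buffer */
}
```

Call the three demo functions from a main() of your own; demo_valid() returns 2 while the other two return -1. The parser is deliberately driven by avail, the byte count the receive path actually handed over, rather than by nlmsg_len alone, and the builder checks the remaining capacity before every memcpy; both flows in a kernel module need the equivalent check at each step.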

In this talk, we will first dive into the Netlink mechanism in the Linux kernel, and then illustrate the security threats of Netlink usage scenarios according to the four threat models. Next, we will introduce the analysis, verification and exploitation of Netlink-related vulnerabilities. Finally, drawing on vulnerability statistics and root cause analysis, we will give vendors security suggestions for using Netlink.

By:
Chao Ma | Security Researcher, Baidu Security
Han Yan | Security Researcher, Baidu Security
Tim Xia | Security Researcher, Baidu Security

Presentation Materials Available:
https://www.blackhat.com/asia24/brie...
