Yueqi Chen
ABSTRACT
To determine the exploitability for a kernel vulnerability, a secu- rity analyst usually has to manipulate slab and thus demonstrate the capability of obtaining the control over a program counter or performing privilege escalation. However, this is a lengthy process because (1) an analyst typically has no clue about what objects and system calls are useful for kernel exploitation and (2) he lacks the knowledge of manipulating a slab and obtaining the desired layout. In the past, researchers have proposed various techniques to facilitate exploit development. Unfortunately, none of them can be easily applied to address these challenges. On the one hand, this is because of the complexity of the Linux kernel. On the other hand, this is due to the dynamics and non-deterministic of slab variations. In this work, we tackle the challenges above from two perspectives. First, we use static and dynamic analysis techniques to explore the kernel objects, and the corresponding system calls useful for exploitation. Second, we model commonly-adopted exploitation methods and develop a technical approach to facilitate the slab layout adjustment. By extending LLVM as well as Syzkaller, we implement our techniques and name their combination after SLAKE. We evaluate SLAKE by using 27 real-world kernel vulnerabilities, demonstrating that it could not only diversify the ways to perform kernel exploitation but also sometimes escalate the exploitability of kernel vulnerabilities.
Supplemental Material
- 2019. Code and Exploits for SLAKE. (2019). https://github.com/chenyueqi/SLAKE.git.Google Scholar
- 0x3f97. 2018. cve-2017--8890 root case analysis. (2018). https://0x3f97.github.io/exploit/2018/08/13/cve-2017--8890-root-case-analysis/.Google Scholar
- Thanassis Avgerinos, Sang Kil Cha, Alexandre Rebert, Edward J. Schwartz, Maverick Woo, and David Brumley. 2014. Automatic Exploit Generation. Commun. ACM57 (2014).Google Scholar
- Tiffany Bao, Ruoyu Wang, Yan Shoshitaishvili, and David Brumley. 2017. Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits. In Proceedings of the 38th IEEE Symposium on Security and Privacy(S&P).Google ScholarCross Ref
- Daniel P. Bovet and Marco Cesati. 2010. Understanding the Linux Kernel. Elsevier.Google Scholar
- David Brumley, Pongsin Poosankam, Dawn Xiaodong Song, and Jiang Zheng. 2008. Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications. In Proceedings of the 29th IEEE Symposium on Security and Privacy(S&P).Google ScholarDigital Library
- Kees Cook. 2010. CVE-2010--2963 v4l compat exploit. (2010). https://outflux.net/blog/archives/2010/10/19/cve-2010--2963-v4l-compat-exploit/.Google Scholar
- The MITRE Corporation. 2019. common Vulnerability and Exposures. (2019). https://cve.mitre.org/cve/.Google Scholar
- SSD Secure Disclosure. 2017. SSD Advisory -- Linux Kernel AF_PACKET Use-After-Free. (2017). https://ssd-disclosure.com/archives/3484.Google Scholar
- Jake Edge. 2014. The kernel address sanitizer. (2014). https://lwn.net/Articles/612153/.Google Scholar
- The FreeBSD Foundation. 2019. The FreeBSD Project. (2019). https://www.freebsd.org/.Google Scholar
- Wolfram Gloger. 2006. Wolfram Gloger's malloc homepage. (2006).http://www.malloc.de/en/.Google Scholar
- google. 2019. syzkaller - kernel fuzzer. (2019). https://github.com/google/syzkaller.Google Scholar
- Samuel Grob. 2014. Linux local root exploit for CVE-2014-0038. (2014). https://github.com/saelo/cve-2014-0038.Google Scholar
- S Heelan, T Melham, and D Kroening. 2018. Automatic Heap Layout Manipulation for Exploitation. In Proceedings of the 27th USENIX Security Symposium(USENIX Security).Google Scholar
- Jann Horn. 2018. A cache invalidation bug in Linux memory management.(2018). https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html.Google Scholar
- Ralf Hund, Thorsten Holz, and Felix C. Freiling. 2009. Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms. In Proceedings of the 18th USENIX Security Symposium(USENIX Security).Google Scholar
- ianamason. 2019. Whole Program LLVM: wllvm ported to go. (2019). https://github.com/SRI-CSL/gllvm.Google Scholar
- Kyriakos K. Ispoglou, Bader Al Bassam, Trent Jaeger, and Mathias Payer. 2018. Block Oriented Programming: Automating Data-Only Attacks. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security(CCS '18).Google ScholarDigital Library
- Vasileios P. Kemerlis, Michalis Polychronakis, and Angelos D. Keromytis. 2014.ret2dir: Rethinking Kernel Isolation. In Proceedings of the 23rd USENIX Security Symposium(USENIX Security).Google Scholar
- Andrey Konovalov. 2017. Exploiting the Linux kernel via packetsockets.(2017). https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html.Google Scholar
- Andrey Konovalov. 2017. A proof-of-concept local root exploit for CVE-2017--6074.(2017). https://github.com/xairy/kernel-exploits/blob/master/CVE-2017--6074/poc.c.Google Scholar
- Lexfo. 2018. CVE-2017--11176: A step-by-step Linux Kernel exploitation. (2018). https://blog.lexfo.fr/cve-2017--11176-linux-kernel-exploitation-part1.html.Google Scholar
- Kangjie Lu, M Walter, David Pfaff, and Stefan Nürnberger and Wenke Lee and Michael Backes. 2017. Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying. In Proceedings of the 2017 Network and Distributed System Security Symposium(NDSS).Google ScholarCross Ref
- Matt Mackall. 2005. slob: introduce the SLOB allocator. (2005). https://lwn.net/Articles/157944/.Google Scholar
- Rohit Mothe and Rodrigo Rubira Branco. 2016. DPTrace: Dual Purpose Trace for Exploitability Analysis of Program Crashes. In Black Hat USA Briefings.Google Scholar
- Vitaly Nikolenko. 2016. CVE-2014--2851 group_info UAF Exploitation. (2016). https://cyseclabs.com/page?n=02012016.Google Scholar
- Jon Oberheide. 2010. Linux Kernel CAN SLUB Overflow. (2010). https://jon.oberheide.org/blog/2010/09/10/linux-kernel-can-slub-overflow/.Google Scholar
- Shankara Pailoor, Andrew Aday, and Suman Jana. 2018. MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation. In Proceedings of the 27th USENIX Security Symposium(USENIX Security).Google Scholar
- Christopher M. Penalver. 2016. How to triage bugs. (2016). https://wiki.ubuntu.com/Bugs/Importance.Google Scholar
- Enrico Perla and Massimiliano Oldani. 2010.A Guide to Kernel Exploitation. Elsevier.Google Scholar
- Alexander Popov. 2017. CVE-2017--2636: exploit the race condition in the n_hdlc Linux kernel driver bypassing SMEP. (2017). https://a13xp0p0v.github.io/2017/03/24/CVE-2017--2636.html.Google Scholar
- Android Open Source Project. 2019. Common Android Kernel Tree. (2019). https://android.googlesource.com/kernel/common/.Google Scholar
- LLVM Project. 2019. LLVM 6.0.0 Release Notes. (2019). http://releases.llvm.org/6.0.0/docs/ReleaseNotes.html.Google Scholar
- Dusan Repel, Johannes Kinder, and Lorenzo Cavallaro. 2017. Modular Synthesis of Heap Exploits. In ACM SIGSAC Workshop on Programming Languages and Analysis for Security(PLAS).Google Scholar
- Steven Rostedt. 2009. Debugging the kernel using Ftrace. (2009). https://lwn.net/Articles/365835/.Google Scholar
- Chris Salls. 2017. Exploiting CVE-2017--5123 with full protections. SMEP, SMAP, and the Chrome Sandbox!(2017). https://salls.github.io/Linux-Kernel-CVE-2017--5123/.Google Scholar
- Yan Shoshitaishvili, Ruoyu Wang, Christophe Hauser, Christopher Kruegel, and Giovanni Vigna. 2015. Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware. In Proceedings of the 2015 Network and Distributed System Security Symposium(NDSS).Google ScholarCross Ref
- Yan Shoshitaishvili, Ruoyu Wang, Christopher Salls, Nick Stephens, Mario Polino, Audrey Dutcher, John Grosen, Siji Feng, Christophe Hauser, Christopher Kruegel, and Giovanni Vigna. 2016. SoK:(State of) The Art of War: Offensive Techniquesin Binary Analysis. In Proceedings of the 37th IEEE Symposium on Security and Privacy(S&P).Google ScholarCross Ref
- Richard M. Stallman. 2019. GNU Debugger. (2019). https://www.gnu.org/software/gdb/.Google Scholar
- Nick Stephens, John Grosen, Christopher Salls, Audrey Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna. 2016. Driller: Augmenting Fuzzing Through Selective Symbolic Execution. In Proceedings of the 2016 Network and Distributed System Security Symposium(NDSS).Google ScholarCross Ref
- Dmitry Vyukov. 2018. syzbot and the tale of thousand kernel bugs. (2018). https://events.linuxfoundation.org/wp-content/uploads/2017/11/Syzbot-and-the-Tale-of-Thousand-Kernel-Bugs-Dmitry-Vyukov-Google.pdf.Google Scholar
- Xi Wang, Haogang Chen, Zhihao Jia, Nickolai Zeldovich, and M. Frans Kaashoek. 2012. Improving Integer Security for Systems with KINT. In Proceedings of the 10th USENIX Symposium on Operating Systems Design and Implementation(OSDI).Google Scholar
- Yan Wang, Chao Zhang, Xiaobo Xiang, Zixuan Zhao, Wenjie Li, Xiaorui Gong, Bing Chang Liu, Kaixiang Chen, and Wei Zou. 2018. Revery: From Proof-of-Concept to Exploitable. In Proceedings of the 25nd ACM SIGSAC Conference on Computer and Communications Security(CCS).Google ScholarDigital Library
- Wei Wu, Yueqi Chen, Xinyu Xing, and Wei Zou. 2019. KEPLER: Facilitating Control-flow Hijacking Primitive Evaluation for Linux Kernel Vulnerabilities. In Proceedings of the 28th USENIX Security Symposium(USENIX Security).Google Scholar
- Wei Wu, Yueqi Chen, Jun Xu, Xinyu Xing, Wei Zou, and Xiaorui Gong. 2018. FUZE: Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities. In Proceedings of the 27th USENIX Security Symposium(USENIX Security).Google Scholar
- ww9210. 2019. exploit code for a bpf heap overflow vulnerability. (2019). https://github.com/ww9210/kernel4.20_bpf_LPE.Google Scholar
- Wen Xu, Juanru Li, Junliang Shu, Wenbo Yang, Tianyi Xie, Yuanyuan Zhang, and Dawu Gu. 2015. From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security(CCS).Google ScholarDigital Library
- Masahiro Yamada and Jani Nikula. 2019. kcov:code coverage for fuzzing. (2019). https://github.com/torvalds/linux/blob/master/Documentation/dev-tools/kcov.rst.Google Scholar
- Wei You, Peiyuan Zong, Kai Chen, Xiao Feng Wang, Xiaojing Liao, Pan Bian,and Bin Liang. 2017. SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits. In Proceedings of the 24th ACM SIGSAC Conference on Computer and Communications Security(CCS).Google ScholarDigital Library
Index Terms
- SLAKE: Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel
Recommendations
DirtyCred: Escalating Privilege in Linux Kernel
CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications SecurityThe kernel vulnerability DirtyPipe was reported to be present in nearly all versions of Linux since 5.8. Using this vulnerability, a bad actor could fulfill privilege escalation without triggering existing kernel protection and exploit mitigation, ...
A Systematic Study of Elastic Objects in Kernel Exploitation
CCS '20: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications SecurityRecent research has proposed various methods to perform kernel exploitation and bypass kernel protection. For example, security researchers have demonstrated an exploitation method that utilizes the characteristic of elastic kernel objects to bypass ...
Attack Intent Analysis Method Based on Attack Path Graph
ICCNS '19: Proceedings of the 2019 9th International Conference on Communication and Network SecurityWith the rapid development of network technology, network security problems are gradually increasing, and the network attack situation is very severe. In a complex attack scenario, timely detection of potential attack behaviors and timely identification ...
Comments