fuze towards facilitating exploit generation for kernel
play

FUZE: Towards Facilitating Exploit Generation for Kernel Use-After- - PowerPoint PPT Presentation

Mar 23, 2023 •480 likes •782 views

FUZE: Towards Facilitating Exploit Generation for Kernel Use-After- Free Vulnerabilities Wei Wu 1,2,3 , Yueqi Chen 2 , Jun Xu 2 , Xinyu Xing 2 , XiaoruiGong 1,3 , and Wei Zou 1,3 1. School of Cyber Security, University of Chinese Academy of

  1. FUZE: Towards Facilitating Exploit Generation for Kernel Use-After- Free Vulnerabilities Wei Wu 1,2,3 , Yueqi Chen 2 , Jun Xu 2 , Xinyu Xing 2 , XiaoruiGong 1,3 , and Wei Zou 1,3 1. School of Cyber Security, University of Chinese Academy of Sciences 2. College of Information Sciences and Technology, Pennsylvania State University 3. CAS-KLONAT, BKLONSPT, Institute of Information Engineering 27th Usenix Security Symposium August, 16 th , 2018 1

  2. What are We Talking about? • Discuss the challenge of exploit development • Introduce an approach to facilitate exploit development • Demonstrate how the new technique facilitate mitigation circumvention 2

  3. Background • All software contain bugs, and # of bugs grows with the increase of software complexity • E.g., Syzkaller/Syzbot reports 800+ Linux kernel bugs in 8 months • Due to the lack of manpower, it is very rare that a software development team could patch all the bugs timely • E.g., A Linux kernel bug could be patched in a single day or more than 8 months; on average, it takes 42 days to fix one kernel bug • The best strategy for software development team is to prioritize their remediation efforts for bug fix • E.g. based on its influence upon usability • E.g., based on its influence upon software security • E.g., based on the types of the bugs • … … 3

  4. Background (cont.) • Most common strategy is to fix a bug based on its exploitability • To determine the exploitability of a bug, analysts generally have to write a working exploit, which needs 1) Significant manual efforts 2) Sufficient security expertise 3) Extensive experience in target software 4

  5. Crafting an Exploit for Kernel Use-After-Free Dangling ptr syscall_A(…) syscall_S(…) occurrence Object carefully Proper time selected window to perform Freed heap spray object syscall_B(…) Dangling ptr 1. Use control over program counter (rip) to dereference hijack control flow 2. Use the ability to write arbitrary content to arbitrary address to escalate privilege kernel panic 3. … 5

  6. Challenge 1: Needs Intensive Manual Efforts Dangling ptr syscall_A(…) • Analyze the kernel panic occurrence • Manually track down Freed 1. The site of dangling pointer object occurrence and the corresponding system call 2. The site of dangling pointer syscall_B(…) dereference and the corresponding Dangling ptr system call dereference kernel panic 6

  7. Challenge 2: Needs Extensive Expertise in Kernel • Identify all the candidate objects that syscall_M(…) can be sprayed to the region of the Object freed object carefully selected • Pinpoint the proper system calls that allow an analyst to perform heap spray Freed • Figure out the proper arguments and object context for the system call to allocate the candidate objects 7

  8. Challenge 3: Needs Security Expertise 1. Use control over program • Find proper approaches to accomplish counter (rip) to perform arbitrary code execution or privilege arbitrary code execution escalation or memory leakage 2. Use the ability to write • E.g., chaining ROP arbitrary content to arbitrary • E.g., crafting shellcode address to escalate • … privilege 3. … kernel panic 8

  9. Some Past Research Potentially Tackling the Challenges • Approaches for Challenge 1 • Nothing I am aware of, but simply extending KASAN could potentially solve this problem • Approaches for Challenge 2 • [Blackhat07] [CCS’ 16] [USENIX-SEC18],... • Approaches for Challenge 3 • [NDSS’11] [S&P16], [S&P17],... [NDSS11] Avgerinos et al., AEG: Automatic Exploit Generation. [CCS 16] Xu et al., From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel. [S&P16] Shoshitaishvili et al., Sok:(state of) the art of war: Offensive techniques in binary analysis. [USENIX-SEC18] Heelan et al., Automatic Heap Layout Manipulation for Exploitation. [S&P17] Bao et al., Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits. [Blackhat07] Sotirov, Heap Feng Shui in JavaScript 9

  10. Some Past Research Potentially Tackling the Challenges • Approaches for Challenge 1 • Nothing I am aware of, but simply extending KASAN could potentially solve this problem • Approaches for Challenge 2 Problem unsolved. • [Blackhat07] [CCS’ 16] [USENIX-SEC18] • Approaches for Challenge 3 • [NDSS’11] [S&P16], [S&P17] [NDSS11] Avgerinos et al., AEG: Automatic Exploit Generation. [CCS 16] Xu et al., From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel. [S&P16] Shoshitaishvili et al., Sok:(state of) the art of war: Offensive techniques in binary analysis. [USENIX-SEC18] Heelan et al., Automatic Heap Layout Manipulation for Exploitation. [S&P17] Bao et al., Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits. [Blackhat07] Sotirov, Heap Feng Shui in JavaScript 10

  11. Roadmap • Unsolved challenges in exploitation facilitation • Our techniques -- FUZE • Evaluation with real-world Linux kernel vulnerabilities • Conclusion 11

  12. A Real-World Example (CVE-2017-15649) setsockopt(…) insert a node Head node next next next prev prev prev 12

  13. A Real-World Example (CVE-2017-15649) close(…) free node but not completely removed from the list Head node next next next prev prev prev dangling ptr 13

  14. Challenge 4: No Primitive Needed for Exploitation Obtain an ability to write Node newly unmanageable data to crafted unmanageable address Head node next next next prev prev prev prev next prev dangling ptr 14

  15. No Useful Primitive == Unexploitable?? Dangling ptr Obtain the primitive – write occurrence unmanageable data to unmanageable region Obtain the primitive – hijack control flow (control over rip) Dangling ptr dereference sendmsg(…) kernel panic 15

  16. Roadmap • Unsolved challenges in exploitation facilitation • Our techniques -- FUZE • Evaluation with real-world Linux kernel vulnerabilities • Conclusion 16

  17. FUZE – Extracting Critical Info. User space • Identifying the site of dangling Kernel space pointer occurrence, and that of its dereference; pinpointing the corresponding system calls syscall_B Freed object syscall_A CR4 17

  18. FUZE – Performing Kernel Fuzzing User space • Identifying the site of dangling Kernel space pointer occurrence, and that of its dereference; pinpointing the corresponding system calls syscall_B • Performing kernel fuzzing between the two sites and exploring other syscall_C syscall_D syscall_E panic contexts (i.e., different sites syscall_M where the vulnerable object is dereferenced) syscall_A 18

  19. FUZE – Performing Symbolic Execution • Identifying the site of dangling pointer User space occurrence, and that of its dereference; pinpointing the corresponding system Kernel space calls • Performing kernel fuzzing between the two sites and exploring other panic syscall_B ? contexts (i.e., different sites where the vulnerable object is dereferenced) syscall_C syscall_D syscall_E • Symbolically execute at the sites of the syscall_M dangling pointer dereference ? ? Set symbolic value ? Freed object for each byte ? ? ? 19

  20. Useful primitive identification mov rax, qword ptr[evil_ptr] • Unconstrained state call rax • state with symbolic Instruction pointer stack pivot gadget: • symbolic callback xchg eax, esp; ret • double free • e.g. mov rdi, uaf_obj; call kfree • write-what-where • e.g. write arbitrary value write SMAP disable gadget: mov cr4, rdi ; ret 20

  21. Roadmap • Unsolved challenges in exploitation facilitation • Our techniques -- FUZE • Evaluation with real-world Linux kernel vulnerabilities • Conclusion 21

  22. Case Study # of public exploits # of generated exploits CVE-ID SMEP SMAP SMEP SMAP 2017-17053 0 0 1 0 2017-15649* 0 0 3 2 • 15 real-world UAF kernel 2017-15265 0 0 0 0 vulnerabilities 2017-10661* 0 0 2 0 2017-8890 1 0 1 0 • Only 5 vulnerabilities have 2017-8824* 0 0 2 2 demonstrated their exploitability 2017-7374 0 0 0 0 against SMEP 2016-10150 0 0 1 0 2016-8655 1 1 1 1 • Only 2 vulnerabilities have 2016-7117 0 0 0 0 demonstrated their exploitability 2016-4557* 1 1 4 0 2016-0728* 1 0 3 0 against SMAP 2015-3636 0 0 0 0 2014-2851* 1 0 1 0 2013-7446 0 0 0 0 overall 5 2 19 5 22 *: discovered new dereference by fuzzing

  23. Case Study (cont) # of public exploits # of generated exploits CVE-ID SMEP SMAP SMEP SMAP 2017-17053 0 0 1 0 2017-15649 0 0 3 2 • FUZE helps track down useful 2017-15265 0 0 0 0 2017-10661 0 0 2 0 primitives, giving us the power to 2017-8890 1 0 1 0 • Demonstrate exploitability against 2017-8824 0 0 2 2 SMEP for 10 vulnerabilities 2017-7374 0 0 0 0 • Demonstrate exploitability against 2016-10150 0 0 1 0 2016-8655 1 1 1 1 SMAP for 2 more vulnerabilities 2016-7117 0 0 0 0 • Diversify the approaches to perform 2016-4557 1 1 4 0 kernel exploitation 2016-0728 1 0 3 0 • 5 vs 19 (SMEP) 2015-3636 0 0 0 0 • 2 vs 5 (SMAP) 2014-2851 1 0 1 0 2013-7446 0 0 0 0 overall 5 2 19 5 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automatic Exploit Generation an Odyssey Sophia DAntoine CanSecWest 2016 Introduction

Automatic Exploit Generation an Odyssey Sophia DAntoine CanSecWest 2016 Introduction

Automatic Exploit Generation an Odyssey Sophia DAntoine CanSecWest 2016 Introduction Programs have become increasingly difficult to exploit larger, changing surface area mitigations more bytes to siphon through 10/22/2015

652 views • 46 slides
GDI Font Fuzzing in Windows Kernel for Fun Kernel for Fun Lee Ling Chuan & Chan Lee Yee

GDI Font Fuzzing in Windows Kernel for Fun Kernel for Fun Lee Ling Chuan & Chan Lee Yee

GDI Font Fuzzing in Windows Kernel for Fun Kernel for Fun Lee Ling Chuan & Chan Lee Yee Ministry of Science, Technology and Innovation Agenda Agenda Introduction TrueType Font (.TTF) TTF Fuzzer Exploit Demonstration MS11

788 views • 65 slides
EthPloit : From Fuzzing to Efficient Exploit Generation against Smart Contracts Qingzhao Zhang 1,2

EthPloit : From Fuzzing to Efficient Exploit Generation against Smart Contracts Qingzhao Zhang 1,2

EthPloit : From Fuzzing to Efficient Exploit Generation against Smart Contracts Qingzhao Zhang 1,2 , Yizhuo Wang 1 , Juanru Li 1 , Siqi Ma 3 1 Shanghai Jiao Tong University , China 2 University of Michigan , America 3 Data 61, CSIRO , Australia

918 views • 38 slides
Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016

Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016

Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016 Who am I? Security researcher @ SpiderLabs Exploit dev / bug hunting / reverse engineering Agenda 1. Counter overflows in the kernel

1.02k views • 70 slides
Exploit Generation for Information Flow Leaks in Object-Oriented Programs Reiner Hhnle (joint

Exploit Generation for Information Flow Leaks in Object-Oriented Programs Reiner Hhnle (joint

Exploit Generation for Information Flow Leaks in Object-Oriented Programs Reiner Hhnle (joint work with Richard Bubel and Quoc Huy Do) Dagstuhl Seminar 15381 Information from Deduction: Models and Proofs September 15, 2015 September 15,

920 views • 49 slides
ZFS Enhancing the Open Source Storage System (and the Kernel) 1 Christian Kendi Who am I?

ZFS Enhancing the Open Source Storage System (and the Kernel) 1 Christian Kendi Who am I?

ZFS Enhancing the Open Source Storage System (and the Kernel) 1 Christian Kendi Who am I? Soy Christian Kendi I do IT-Security Consultant (Kernel)-Developer Penetration tester Exploit coder CEO & Founder of

591 views • 35 slides
Exploit-Generation with Acceleration Daniel Kroening, Matt Lewis, Georg Weissenbacher

Exploit-Generation with Acceleration Daniel Kroening, Matt Lewis, Georg Weissenbacher

Exploit-Generation with Acceleration Daniel Kroening, Matt Lewis, Georg Weissenbacher Under-Approximating Loops in C Programs for Fast Counterexample Detection Daniel Kroening, Matt Lewis, Georg Weissenbacher, CAV 2013

373 views • 25 slides
Zero Exploit Tolerance By Jamie Butler and Cody Pierce Confidential and Proprietary Who we are

Zero Exploit Tolerance By Jamie Butler and Cody Pierce Confidential and Proprietary Who we are

Zero Exploit Tolerance By Jamie Butler and Cody Pierce Confidential and Proprietary Who we are The exploit problem Modern software vulnerabilities Hardware-assisted exploit Agenda prevention Prior research

674 views • 45 slides
Kernel Pool Exploitation on Windows 7 Tarjei Mandt | Black Hat DC 2011 About Me Security

Kernel Pool Exploitation on Windows 7 Tarjei Mandt | Black Hat DC 2011 About Me Security

Kernel Pool Exploitation on Windows 7 Tarjei Mandt | Black Hat DC 2011 About Me Security Researcher at Norman Malware Detection Team (MDT) Interests Vulnerability research Operating systems internals Exploit mitigations

2.17k views • 100 slides
aka Der Hacker und die 7 Geilein 27/03/2018 // Exploit Development for Dummies

aka Der Hacker und die 7 Geilein 27/03/2018 // Exploit Development for Dummies

Ein Blick in die Hexenkche der Exploit Entwickler aka Der Hacker und die 7 Geilein 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 2 27/03/2018 // Exploit Development for Dummies

613 views • 48 slides
Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley

Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley

Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley Carnegie Mellon University 8/15/2011 1 Downloading Exploits I found a Exploit control flow hijack exploit online! Evil Ed Windows 7 8/15/2011 2

837 views • 58 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Kernel Method Many machine learning tasks can be expressed as a function of the inner product

389 views • 22 slides
Facilitating Evaluation Use Facilitating Evaluation Use through through 1 Effective

Facilitating Evaluation Use Facilitating Evaluation Use through through 1 Effective

Facilitating Evaluation Use Facilitating Evaluation Use through through 1 Effective Communicating & Reporting 1 Effective Communicating & Reporting Rosalie T. Torres, Ph.D. Torres Consulting Group 1028 College Ave. Alameda, CA 94501

1.35k views • 77 slides
------------ GOOD LUCK ON THE EXAM ----------------- 1) In Buffer Overflow exploit, which of the

------------ GOOD LUCK ON THE EXAM ----------------- 1) In Buffer Overflow exploit, which of the

------------ GOOD LUCK ON THE EXAM ----------------- 1) In Buffer Overflow exploit, which of the following registers gets overwritten with return address of the exploit code? A. EIP B. ESP C. EAP D. EEP Ans: A 2)Which type of scan does not

431 views • 18 slides
1 Kernel methods & optimization One example of a kernel that is frequently used in practice

1 Kernel methods & optimization One example of a kernel that is frequently used in practice

Machine Learning Class Notes 9-25-12 Prof. David Sontag 1 Kernel methods & optimization One example of a kernel that is frequently used in practice and which allows for highly non-linear discriminant functions is the Gaussian kernel,

240 views • 5 slides
More Bufger Overfmows 1 midterm 1 kernel density plot; red lines: 25/50/75th perecentile; green

More Bufger Overfmows 1 midterm 1 kernel density plot; red lines: 25/50/75th perecentile; green

More Bufger Overfmows 1 midterm 1 kernel density plot; red lines: 25/50/75th perecentile; green line: mean 2 50 60 70 80 90 100 last time stack smashing particular exploit technique for bufger overfmows bufger overfmow = out-of-bounds

1.4k views • 71 slides
FengShui Fengshuiisthestudyofhowhumansinteract

FengShui Fengshuiisthestudyofhowhumansinteract

FengShui Fengshuiisthestudyofhowhumansinteract withtheirenvironment. Theaimistocreateenvironmentswherethe peoplelivingandworkingtherecanbest

499 views • 21 slides
!"#$%&'()% Feng shui is the study of how humans interact with their environment.

!"#$%&'()% Feng shui is the study of how humans interact with their environment.

!"#$%&'()% Feng shui is the study of how humans interact with their environment. The aim is to create environments where the people living and working there can best succeed. Feng shui is based on the idea that people react

535 views • 25 slides
Supporting Scholarly Search with Keyqueries Matthias Hagen Anna Beyer Tim Gollub Kristof

Supporting Scholarly Search with Keyqueries Matthias Hagen Anna Beyer Tim Gollub Kristof

Supporting Scholarly Search with Keyqueries Matthias Hagen Anna Beyer Tim Gollub Kristof Komlossy Benno Stein Bauhaus-Universit at Weimar matthias.hagen@uni-weimar.de @matthias_hagen ECIR 2016 Padova, Italy March 23, 2016 Hagen,

618 views • 34 slides
Congressional Budget Office June 9, 2016 Communicating Budgetary and Economic Information, With

Congressional Budget Office June 9, 2016 Communicating Budgetary and Economic Information, With

Congressional Budget Office June 9, 2016 Communicating Budgetary and Economic Information, With Style, at the Congressional Budget Office Fourth Annual Global Network of Parliamentary Budget Officers Assembly World Bank Headquarters, Washington,

670 views • 27 slides
B - Lay Tong : Stands for B - Be yourself Lay - Talay (Sea) Tong - Patong beach. Every room at

B - Lay Tong : Stands for B - Be yourself Lay - Talay (Sea) Tong - Patong beach. Every room at

B - Lay Tong : Stands for B - Be yourself Lay - Talay (Sea) Tong - Patong beach. Every room at the B-Lay Tong Phuket, has been designed and decorated in the four dominant colors according to Feng Shui principals: - Red - Fire - Blue - Water -

421 views • 19 slides
Those aged 30 & above Young Professionals Working Adults Family Members

Those aged 30 & above Young Professionals Working Adults Family Members

PTGY'13 is a planning and educational-focused exhibition involving the lifestyle, investment and property sectors aiming at maintaining the pre-retirement standard of living, self sufficient financial status and improved healthy lifestyle.

358 views • 6 slides
Drainage Services Department Research & Development Forum 2015 (R&D Forum 2015) (18

Drainage Services Department Research & Development Forum 2015 (R&D Forum 2015) (18

Drainage Services Department Research & Development Forum 2015 (R&D Forum 2015) (18 November 2015) Keynote Speech Living beside Water by Ir. Eric MA, Under Secretary for Development (9:20 9:35) 1. Good morning ladies and

259 views • 5 slides
1 st Quarter 2015 Investors Briefing Financial and Operating Results May 7, 2015 1 ABS-CBN

1 st Quarter 2015 Investors Briefing Financial and Operating Results May 7, 2015 1 ABS-CBN

1 st Quarter 2015 Investors Briefing Financial and Operating Results May 7, 2015 1 ABS-CBN Investor Presentation Revenues - Reported For the period ended March 31, 2015 9,000 8,391 8,191 2.4% 8,000 7,000 4,255 4,111 6,000 3.5%

398 views • 17 slides

More recommend