CS SEMINAR

KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities

Speaker
Mr Weiteng Chen, Ph.D. student, University of California, Riverside
Chaired by
Dr LIANG Zhenkai, Associate Professor, School of Computing
liangzk@comp.nus.edu.sg

20 Nov 2019 Wednesday, 01:30 PM to 03:00 PM

Executive Classroom, COM2-04-02

Abstract:

The monolithic nature of modern OS kernels leads to a constant stream of bugs being discovered. It is often unclear which of these bugs are worth fixing, as only a subset of them may be serious enough to lead to security takeovers (i.e., privilege escalations). Therefore, researchers have recently started to develop automated exploit generation techniques (for UAF bugs) to assist the bug triage process.

In this paper, we investigate another top memory vulnerability in the Linux kernel: out-of-bounds (OOB) memory writes from the heap. We design KOOBE to assist the analysis of such vulnerabilities based on two observations: (1) surprisingly often, different OOB vulnerability instances exhibit a wide range of capabilities; (2) kernel exploits are multi-interaction in nature (i.e., multiple syscalls are involved in an exploit), which allows the exploit crafting process to be modular. Specifically, we focus on extracting the capabilities of an OOB vulnerability, which then feed the subsequent exploitability evaluation process. Our system builds on several building blocks, including a novel capability-guided fuzzing solution to uncover hidden capabilities and a way to compose capabilities together to further increase the likelihood of successful exploitation. In our evaluation, we demonstrate the applicability of KOOBE by exhaustively analyzing 17 of the most recent Linux kernel OOB vulnerabilities (only 5 of which have publicly available exploits); KOOBE successfully generated candidate exploit strategies for 11 of them (including 5 that do not even have CVEs assigned). Subsequently, from these strategies, we are able to construct fully working exploits for all of them.
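To make the abstract's notion of an OOB write "capability" concrete, here is an added example that is not KOOBE's or the kernel's code. It models a constructed toy bug: a 64-byte heap object and a caller-supplied (offset, length) request that an unchecked copy trusts. The `oob_capability` struct, `OBJ_SIZE`, and all function names are assumptions for illustration; the paper's capability model is richer than the (offset past object end, overrun length) pair shown here. The block pairs the vulnerable copy with its bounds-checked form and shows the extraction step that turns a request into a capability description.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy model (not KOOBE's or the kernel's code): a 64-byte
 * heap object and a request that selects where and how much to write. */
#define OBJ_SIZE 64

struct write_req {
    size_t off;   /* caller-chosen start offset inside the object */
    size_t len;   /* caller-chosen number of bytes to copy */
};

/* One simplified "capability" of the OOB write: which bytes past the end
 * of the object it can reach. Assumed minimal form for illustration. */
struct oob_capability {
    size_t offset;   /* first overwritten byte, relative to the object's end */
    size_t length;   /* number of bytes written past the end */
};

/* Nonzero when the request would run past the object.
 * Written so that off + len cannot overflow. */
int request_is_oob(const struct write_req *req)
{
    return req->off > OBJ_SIZE || req->len > OBJ_SIZE - req->off;
}

/* Vulnerable pattern: the copy trusts req->len, so memcpy can write past
 * the object. This is the bug class the talk addresses. */
int unchecked_copy(unsigned char *obj, const struct write_req *req,
                   const unsigned char *src)
{
    memcpy(obj + req->off, src, req->len);   /* OOB when off + len > OBJ_SIZE */
    return 0;
}

/* Hardened pattern: the same copy behind a bounds check. Returns -1 and
 * writes nothing when the request would exceed the object. */
int checked_copy(unsigned char *obj, const struct write_req *req,
                 const unsigned char *src)
{
    if (request_is_oob(req))
        return -1;
    memcpy(obj + req->off, src, req->len);
    return 0;
}

/* Capability extraction for this toy bug: describe the part of the write
 * that lands outside the object. Returns 1 and fills *cap if the request
 * is OOB, 0 if it stays in bounds. */
int extract_capability(const struct write_req *req, struct oob_capability *cap)
{
    if (!request_is_oob(req))
        return 0;
    if (req->off >= OBJ_SIZE) {
        cap->offset = req->off - OBJ_SIZE;          /* whole write is past the end */
        cap->length = req->len;
    } else {
        cap->offset = 0;                            /* starts inside, spills over */
        cap->length = req->len - (OBJ_SIZE - req->off);
    }
    return 1;
}

/* Query helpers: -1 means the request stays in bounds. */
long oob_length(size_t off, size_t len)
{
    struct write_req r = { off, len };
    struct oob_capability c;
    return extract_capability(&r, &c) ? (long)c.length : -1;
}

long oob_offset(size_t off, size_t len)
{
    struct write_req r = { off, len };
    struct oob_capability c;
    return extract_capability(&r, &c) ? (long)c.offset : -1;
}

/* Runs the hardened copy on a fresh heap object and returns its result. */
int checked_copy_result(size_t off, size_t len)
{
    unsigned char src[OBJ_SIZE];               /* only read when len <= OBJ_SIZE */
    unsigned char *obj = calloc(1, OBJ_SIZE);
    struct write_req r = { off, len };
    int rc;
    if (!obj)
        return -2;
    memset(src, 0x41, sizeof src);
    rc = checked_copy(obj, &r, src);
    free(obj);
    return rc;
}

int main(void)
{
    /* Constructed requests: one in bounds, two that overrun the object. */
    size_t offs[] = { 0, 60, 100 };
    size_t lens[] = { 64, 8, 16 };
    for (int i = 0; i < 3; i++) {
        long n = oob_length(offs[i], lens[i]);
        if (n < 0)
            printf("off=%zu len=%zu: in bounds, checked_copy=%d\n",
                   offs[i], lens[i], checked_copy_result(offs[i], lens[i]));
        else
            printf("off=%zu len=%zu: OOB, %ld byte(s) starting %ld past the end, checked_copy=%d\n",
                   offs[i], lens[i], n, oob_offset(offs[i], lens[i]),
                   checked_copy_result(offs[i], lens[i]));
    }
    return 0;
}
```

The extraction step is what distinguishes a crash report from a capability: the same `unchecked_copy` bug yields different (offset, length) pairs depending on the request, which is the "wide range of capabilities" the abstract refers to, and the bounds check in `checked_copy` is the fix that collapses all of them to a rejected request.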


Biodata:

Weiteng Chen is a third-year Ph.D. student in the Computer Science and Engineering department at the University of California, Riverside, where he works with Professor Zhiyun Qian. He is interested in network security and side-channel attacks and defenses. His interests also lie in computer systems, Android security, binary program analysis, and vulnerability discovery. Along this line, he has published two papers at USENIX Security as the lead author. He has also won the IRTF 2019 Applied Networking Research Prize and a $15,000 award at the GeekPwn International Security Geek Contest 2017 Silicon Valley. Before joining UCR, he graduated from the CS department of Peking University.