From Thousands of Hours to a Couple of Minutes: Towards Automating Exploit Generation for Arbitrary Types of Kernel Vulnerabilities 1 Who are We? • Wei Wu @wu_xiao_wei • Visiting scholar at JD.com • Conducting research on software security in Enterprise Settings • Visiting Scholar at Penn State University • Vulnerability analysis • Reverse engineering • Memory forensics • Symbolic execution • Malware dissection • Static analysis • Final year PhD candidate at UCAS • Knowledge-driven vulnerability analysis • Co-founder of CTF team Never Stop Exploiting.(2015) • ctftime 2017 ranking 4th team in China • I am on market. 2 Who are We? (cont) Xinyu Xing • Jimmy Su • Visiting scholar at JD.com • Head of JD security research center • Conducting research on software • Vulnerability identification and exploitation and hardware security in in Enterprise Settings Enterprise Settings • Red Team • Assistant Professor at Penn State • JD IoT device security assessments University • Risk control • Advising PhD students and • Data security conducting many research projects • Container security on • Vulnerability identification • Vulnerability analysis • Exploit development facilitation • Memory forensics • Deep learning for software security • Binary analysis 3 • … What are We Talking about? • Discuss the challenge of exploit development • Introduce an automated approach to facilitate exploit development • Demonstrate how the new technique facilitate mitigation circumvention 4 Background • All software contain bugs, and # of bugs grows with the increase of software complexity • E.g., Syzkaller/Syzbot reports 800+ Linux kernel bugs in 8 months • Due to the lack of manpower, it is very rare that a software development team could patch all the bugs timely • E.g., A Linux kernel bug could be patched in a single day or more than 8 months; on average, it takes 42 days to fix one kernel bug • The best strategy for software development team is to prioritize their remediation efforts for bug fix • E.g. based on its influence upon usability • E.g., based on its influence upon software security • E.g., based on the types of the bugs • … … 5 Background (cont.) • Most common strategy is to fix a bug based on its exploitability • To determine the exploitability of a bug, analysts generally have to write a working exploit, which needs 1) Significant manual efforts 2) Sufficient security expertise 3) Extensive experience in target software 6 Crafting an Exploit for Kernel Use-After-Free Dangling ptr syscall_A(…) syscall_M(…) occurrence Object carefully Proper time selected window to perform Freed heap spray object syscall_B(…) Dangling ptr 1. Use control over program counter (rip) to dereference hijack control flow 2. Use the ability to write arbitrary content to arbitrary address to escalate privilege kernel panic 3. … 7 Challenge 1: Needs Intensive Manual Efforts Dangling ptr syscall_A(…) • Analyze the kernel panic occurrence • Manually track down 1. The site of dangling pointer Freed occurrence and the corresponding object system call 2. The site of dangling pointer dereference and the corresponding syscall_B(…) system call Dangling ptr dereference kernel panic 8 Challenge 2: Needs Extensive Expertise in Kernel • Identify all the candidate objects that syscall_M(…) can be sprayed to the region of the Object freed object carefully • Pinpoint the proper system calls that selected allow an analyst to perform heap spray Freed • Figure out the proper arguments and object context for the system call to allocate the candidate objects 9 Challenge 3: Needs Security Expertise • Find proper approaches to accomplish 1. Use control over program arbitrary code execution or privilege counter (rip) to perform arbitrary code execution escalation or memory leakage 2. Use the ability to write • E.g., chaining ROP arbitrary content to arbitrary • E.g., crafting shellcode address to escalate • … privilege 3. … kernel panic 10 Some Past Research Potentially Tackling the Challenges • Approaches for Challenge 1 • Nothing I am aware of, but simply extending KASAN could potentially solve this problem • Approaches for Challenge 2 • [Blackhat07] [Blackhat15] [USENIX-SEC18] • Approaches for Challenge 3 • [NDSS’11] [S&P16], [S&P17] [NDSS11] Avgerinos et al., AEG: Automatic Exploit Generation. [Blackhat 15] Xu et al., Ah! Universal android rooting is back. [S&P16] Shoshitaishvili et al., Sok:(state of) the art of war: Offensive techniques in binary analysis. [USENIX-SEC18] Heelan et al., Automatic Heap Layout Manipulation for Exploitation. [S&P17] Bao et al., Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits. [Blackhat07] Sotirov, Heap Feng Shui in JavaScript 11 12 Roadmap • Unsolved challenges in exploitation facilitation • Our techniques -- FUZE • Demonstration with real-world Linux kernel vulnerabilities • Conclusion 13 A Real-World Example (CVE-2017-15649) setsockopt(…) insert a node Head node next next next prev prev prev 14 A Real-World Example (CVE 2017-15649) close(…) free node but not completely removed from the list Head node next next next prev prev prev dangling ptr 15 Challenge 4: No Primitive Needed for Exploitation Obtain an ability to write Node newly unmanageable data to crafted Head node unmanageable address next next next prev prev prev next dangling ptr prev 16 No Useful Primitive == Unexploitable?? Dangling ptr Obtain the primitive – write occurrence unmanageable data to unmanageable region Obtain the primitive – hijack Dangling ptr control flow (control over rip) dereference sendmsg(…) kernel panic 17 Roadmap • Unsolved challenges in exploitation facilitation • Our techniques -- FUZE • Evaluation with real-world Linux kernel vulnerabilities • Conclusion 18 FUZE – Extracting Critical Info. User space • Identifying the site of dangling pointer occurrence, and that of its Kernel space dereference; pinpointing the corresponding system calls syscall_B Freed object syscall_A CR4 19 FUZE – Performing Kernel Fuzzing User space • Identifying the site of dangling pointer occurrence, and that of its Kernel space dereference; pinpointing the corresponding system calls syscall_B • Performing kernel fuzzing between syscall_C the two sites and exploring other syscall_D syscall_E panic contexts (i.e., different sites syscall_M where the vulnerable object is dereferenced) syscall_A 20 FUZE – Performing Symbolic Execution User space • Identifying the site of dangling pointer occurrence, and that of its Kernel space dereference; pinpointing the corresponding system calls syscall_B • Performing kernel fuzzing between ? the two sites and exploring other syscall_C panic contexts (i.e., different sites syscall_D syscall_E where the vulnerable object is syscall_M dereferenced) ? • Symbolically execute at the sites of ? the dangling pointer dereference ? Freed Set symbolic value object for each byte ? ? 21 ? Crafting Working Exploits Step by Step Identifying Critical Info. Performing Kernel Fuzzing Symbolic Execution 22 Critical Information Extraction • Goal: identifying following critical information • Vulnerable object syscall_B • Free site • Dereference site Freed • Syscalls in PoC tied to corresponding free and object time dereference window • Time window between free and dereference • Methodology: syscall_A • Instrument the PoC with ftrace and generate ftrace log • instrument kernel with KASAN • Combining both ftrace and KASAN log for analysis 23 Critical Information Extraction (cont) void *task1(void *unused) { • ... Goal: identifying following critical information write_ftrace_marker(1); • Vulnerable object int err = setsockopt(...); Unique ID for each • Free site write_ftrace_marker(1); syscallin PoC • } Dereference site void *task2(void *unused) { • Syscalls in PoC tied to corresponding free and write_ftrace_marker(2); dereference int err = bind(...); • Time window between free and dereference write_ftrace_marker(2); } • Methodology: … • Instrument the PoC with ftrace[1] and generate void loop_race(){ ... ftrace log } • instrument kernel with KASAN[2] int main(){ • Combining both ftrace and KASAN log for analysis ftrace_kmem_trace_enable(); loop_race(); [1] ftrace. https://www.kernel.org/doc/Documentation/trace/ftrace.txt } 24 [2] kasan. https://github.com/google/kasan/wiki Critical Information Extraction (cont) ... BUG: KASAN: use-after-free poc-7271 : tracing_mark_write: executing syscall: setsockopt in dev_add_pack+0x304/0x310 poc-7272 : tracing_mark_write: executing syscall: bind Write of size 8 at addr poc-7271 : kmalloc: call_site=... ptr=ffff88003280e600 ffff88003280ee70 bytes_req=2176 bytes_alloc=4352 gfp_flags=GFP_KERNEL by task poc/2678 ... Call Trace: poc-7271 : tracing_mark_write: finished syscall: setsockopt ... ... poc-7272 : tracing_mark_write: finished syscall: bind Allocated by task 7271: ... ...(allocation trace) poc-2678 : tracing_mark_write: executing syscall: close Freed by task 2678: poc-2678 : kfree: call_site=... ptr=ffff88003280e600 ...(free trace) ... The buggy address belongs poc-2678 : tracing_mark_write: finished syscall: close to the object at poc-2678 : tracing_mark_write: executing syscall: socket ffff88003280e600 ... end of ftrace which belongs to the cache KASAN warning kmalloc-4096 of size 4096 close socket pid:2678 dangling pointer setsockopt free site dereference site pid:7271 allocation site bind pid:7272 25 Critical Information Extraction (cont) void loop_race() { void *task1(void *unused) { ... ... while(1) { int err = setsockopt(fd, fd = socket(AF_PACKET, SOCK_RAW, 0x107, 18, ..., ...); htons(ETH_P_ALL)); } ..