A General Approach to Bypassing Many Kernel Protections and its Mitigation

Presented at Black Hat Asia 2021 Virtual, May 7, 2021, 10:20 a.m. (40 minutes)

We begin by analyzing an anecdotal exploit that bypasses KASLR using a flexible object in the Linux kernel implementation. In this talk, we extend the definition of flexible objects to elastic objects and demonstrate that this exploit trick is a general exploitation approach. It applies not only to the Linux kernel but also to FreeBSD and XNU, and it bypasses many protections in addition to KASLR. First, we show that adversaries could use elastic objects to easily obtain a leaking primitive from nearly any kernel vulnerability with a limited overwriting capability. Second, we demonstrate that this leaking primitive enables adversaries to bypass the heap cookie protector, KASLR, and the stack canary, and even to realize an arbitrary read. Third, we design a static analysis technique to identify all such elastic structures/objects in the kernel codebase. Based on this result, we finally propose an isolation-based defense as a part of kernel hardening. We quantify its security improvement and measure its performance overhead at different granularities.


Presenters:

  • Xinyu Xing - Assistant Professor, The Pennsylvania State University
    Dr. Xinyu Xing is an Assistant Professor at Pennsylvania State University. His research interests include exploring, designing, and developing new techniques to assess and robustify software. In addition, he is interested in exploring AI techniques to perform highly accurate binary and malware analysis. His past research has been featured by many mainstream media outlets, such as Technology Review, New Scientist, and NYTimes.
  • Zhenpeng Lin - PhD Student, The Pennsylvania State University
    Zhenpeng Lin is a second-year PhD Student advised by Dr. Xinyu Xing at Pennsylvania State University. His research focuses on vulnerability discovery and exploitation. His work was published at CCS 2020. In addition, he plays CTF a lot. As a core member of Nu1L, he won 1st place in BCTF 2017, BCTF 2018, Baidu AI CTF, WCTF Junior, and 4th place in 0CTF/TCTF 2018. In 2019, he participated in DEF CON 27 as a member of Shellphish which ranked 10th in the final.
  • Yueqi Chen - PhD Student, The Pennsylvania State University
    Yueqi Chen received his B.Sc. degree from Nanjing University in 2017 and is currently a PhD Student with Dr. Xinyu Xing at Pennsylvania State University. He was awarded the IBM PhD Fellowship 2020. His research focuses on OS security and vulnerability analysis. He is particularly interested in exploitability assessment. Along this line, he has published 8 papers in top-tier academic conferences, including ACM CCS, USENIX Security, OOPSLA, ACM/IEEE ICSE, and IEEE/ACM ASE, as leading author and co-author over the past two years. In addition, he presented his work at CLK 2019, Black Hat Europe 2019, BlueHat IL 2020 and LSS Europe 2020. His work has been applied in enterprise security risk early warning and was awarded one of the ten technical events of JD.com in 2018. He participated in the DEF CON 26 CTF Final as a team member of r3kapig in 2018 and ranked 5th in NSA codebreaker 2017.
