Your Trash Kernel Bug, My Precious 0-day

Presented at Black Hat Europe 2021, Nov. 10, 2021, 3:20 p.m. (40 minutes).

The advance of kernel fuzzing techniques has significantly benefited the discovery of kernel bugs. According to our statistics on Syzbot, Syzkaller has already unveiled more than 2,000 kernel bug reports on Linux over the past two years. From a security analyst's perspective, a kernel bug report that demonstrates memory corruption usually receives more attention than one exhibiting only a WARNING or a NULL pointer dereference. This is simply because memory corruption is typically the prerequisite for exploiting the Linux kernel and obtaining unauthorized root privilege.

In this talk, we will introduce a new technical method to turn bugs that seem low-risk into memory corruption vulnerabilities. We will demonstrate how we leverage the proposed technique to escalate Linux kernel non-security bugs into exploitable vulnerabilities. Along with our demonstration, we will show unprecedented exploitability against the broadly adopted CentOS and many CentOS-based distributions, such as TencentOS and Alibaba Cloud Linux OS. Last but not least, we will release our technical approach as a tool for the community to thoroughly assess a kernel bug's severity and exploitability.

Presenters:

  • Zhenpeng Lin - PhD Student, Penn State
    Zhenpeng Lin is a second-year PhD student advised by Dr. Xinyu Xing at Pennsylvania State University. His research focuses on vulnerability discovery and exploitation. His work was published at CCS 2020. In addition, he plays a lot of CTF. As a core member of Nu1L, he won 1st place in BCTF 2017, BCTF 2018, Baidu AI CTF, and WCTF Junior, and 4th place in 0CTF/TCTF 2018. In 2019, he participated in DEF CON 27 as a member of Shellphish, which ranked 10th in the final.
  • Yueqi Chen - PhD Student, Penn State
    Yueqi Chen received his B.Sc. degree from Nanjing University in 2017 and is currently a PhD student with Dr. Xinyu Xing at Pennsylvania State University. He was awarded the IBM PhD Fellowship in 2020. His research focuses on OS security and vulnerability analysis. He is particularly interested in exploitability assessment. Along this line, he has published 8 papers in top-tier academic conferences, including ACM CCS, USENIX Security, OOPSLA, ACM/IEEE ICSE, and IEEE/ACM ASE, as lead author or co-author over the past two years. In addition, he presented his work at CLK 2019, Black Hat Europe 2019, BlueHat IL 2020, LSS Europe 2020, and Black Hat Asia 2021. His work has been applied in enterprise security risk early warning and was recognized as one of the ten technical events of JD.com in 2018. He participated in the DEF CON 26 CTF Final as a member of team r3kapig in 2018 and ranked 5th in the NSA Codebreaker Challenge in 2017.
  • Xinyu Xing - Assistant Professor, Penn State
    Dr. Xinyu Xing is an Assistant Professor at Pennsylvania State University. His research interests include exploring, designing, and developing new techniques to assess and robustify software. He is also interested in exploring AI techniques to perform highly accurate binary and malware analysis. His past research has been featured by many mainstream media outlets, such as Technology Review, New Scientist, and the NYTimes.
  • Kang Li - Director of Baidu Security Research, Baidu USA
    Kang Li is the director of Baidu Security Research. He has spoken at Black Hat multiple times in the past. Dr. Kang Li is the founder and mentor of multiple CTF security teams, including SecDawg and Blue-Lotus. He is also a founder and player of Team Disekt, one of the finalist teams in the 2016 DARPA Cyber Grand Challenge.
