Trace Me if You Can: Bypassing Linux Syscall Tracing

Presented at Black Hat USA 2022, Aug. 10, 2022, 4:20 p.m. (40 minutes)

In this talk, we will present novel vulnerabilities and exploitation techniques that reliably bypass Linux syscall tracing. A user-mode program needs no special privileges or capabilities to reliably evade syscall-tracing detections by exploiting these vulnerabilities. The exploits work even when seccomp, SELinux, and AppArmor are enforced.

Advanced security monitoring solutions on Linux VMs and containers offer system call monitoring to detect attack behaviors. Linux system calls can be monitored by kernel tracing technologies such as tracepoints, kprobes, and ptrace, which intercept system calls at different points in the system call execution path. These monitoring solutions can be deployed on cloud compute instances such as AWS EC2, Fargate, EKS, and the corresponding services from other cloud providers.

We comprehensively analyzed the time-of-check-to-time-of-use (TOCTOU) issues in the Linux kernel syscall tracing framework and showed that they can be reliably exploited to bypass syscall tracing. Our exploits manipulate different system interactions that affect the execution time of a syscall. We demonstrated that significant syscall execution delays can be introduced to make the TOCTOU bypass reliable even when seccomp, SELinux, and AppArmor are enforced. Compared to the Phantom Attacks presented at DEF CON 29, the new exploit primitives we use do not require precise timing control or synchronization.

We will demonstrate our bypass for Falco on Linux VMs/containers and GKE, and a bypass for pdig on AWS Fargate. In addition, we will demonstrate exploitation techniques for syscall enter and explain why certain configurations are difficult to exploit reliably. Finally, we will summarize exploitable TOCTOU scenarios and discuss potential mitigations in various cloud computing environments.

Presenters:

  • Junyuan Zeng - Senior Software Engineer, LinkedIn
    Junyuan Zeng is a Senior Software Engineer at LinkedIn. Before LinkedIn, he was Staff Security Architect at JD.com, where he designed and architected container security monitoring solutions. Before that, he was a Staff Software Engineer for mobile payment security at Samsung and a security researcher at FireEye, where he worked on mobile malware analysis. He has spoken at DEF CON. He has published in ACM CCS, USENIX ATC, and other top academic conferences. He obtained his PhD in Computer Science from The University of Texas at Dallas.
  • Rex Guo - Principal Engineer, Lacework
    Rex Guo is an experienced cyber security engineering leader and a hacker at heart. He is currently a Principal Engineer at Lacework, where he leads data-driven cloud security product development and research on new attack vectors in the cloud. Previously, he was the Head of Research at Confluera, a cloud XDR start-up that builds real-time threat storyboards. Before that, he was an Engineering Manager at Tetration, a cloud workload protection start-up acquired by Cisco. Prior to that, Rex worked on application security, infrastructure security, malware analysis, and mobile/IoT security at Intel. He has presented at Black Hat and DEF CON multiple times. He has 30+ patents and publications. He received a PhD from New York University.
