From "No Way" to 0-day: Weaponizing the Unweaponizable

Presented at DEF CON 18 (2010), July 31, 2010, 1 p.m. (50 minutes).

Many system administrators take a patch for a denial of service attack to be optional. What's the worst that could happen? Oh no -- a local user could crash the system. We'll just reboot it; MyPhpGresQL.py on Rails is totally transactional, right? Commit messages fixing these sorts of crashes are often characteristically underreported, too: "allows attackers to cause an application crash". In some cases, the descriptions are correct; the worst that can happen is that the system will crash. Too often, though, the risk is under-assessed. Although an application may not be vulnerable to a simple stack-smashing buffer overflow, that's not all that an attacker can do! This talk will take a recent Linux kernel CVE for a denial of service attack and weaponize it to privilege escalation. An understanding of some of the inner workings of the Linux kernel, and of operating system concepts in general, will greatly enhance your experience at this talk, but may not be necessary.

Presenters:

  • Joshua Wise - Graduate Student, Carnegie Mellon University
    Joshua Wise is an Electrical & Computer Engineering undergraduate at Carnegie Mellon University, and has recently been accepted into the master's program. His area of expertise for a long time has been embedded systems, dating back to the days of the iPAQ h3700, when he ported the Linux USB client stack to the open-source bootloader replacement; more recently, he has held internships at Google, Inc., Cavium Networks, and Tilera, and has served as a teaching assistant for Carnegie Mellon's Operating System Design and Implementation (15-410) class for four semesters.
