Breaking the Glass Sandbox: Find Linux Kernel Bugs and Escape

Presented at REcon 2022, June 3, 2022, 2 p.m. (60 minutes)

Linux kernel bugs are plentiful and also powerful. However, sandboxing limits the amount of kernel code that is reachable from within the sandbox (from an Android app, for example).

This talk will cover how to discover these reachable code paths and find exploitable bugs in them. This same method can be used for defense - attack surface reduction and hardening! I'll discuss interesting bugs I've found this way and some neat tricks to reach more vulnerable code.

Why does this matter? Targeting exposed code paths yields more valuable bugs. It's also how attackers choose where to closely monitor commits for silent security fixes. For example, anyone can view syzbot bugs, but determining whether a given bug is usable and how to write a simple reproducer for it is another matter. Attendees of this talk will walk away knowing techniques to do both and how to identify kernel components that are ripe for exploitation.


Presenters:

  • Valentina Palmiotti
    Security researcher focused on low level vulnerabilities, exploit development, and offensive security.
