The Techniques of Automated Manipulating Code Generation for Spray Objects to Facilitate Kernel Vulnerability Exploitation

doi:10.19678/j.issn.1000-3428.0068783

Abstract

Abstract: Developing exploits for vulnerabilities is the main way to evaluate the exploitability of kernel vulnerabilities. Spray objects are widely used in the exploitation process to complete malicious behaviors such as malicious content injection and memory layout manipulation. The current researches on spray objects have limitations in two aspects: (1) Spray objects with basic types are ignored; (2) no work can generate the code to edit the contents of spray objects. Therefore, this paper proposes the techniques of automatically generating code to manipulate spray objects for kernel vulnerability exploitation. The techniques consist of spray object identification based on use-define chain analysis and spray object control code generation based on directed fuzzing. The experimental results show that the techniques can identify and generate the control code of 28 spray objects in Linux kernel version 5.15, which can cover all the spray objects identified by the existing work. A total of 23 generated codes can control the spray object to achieve the expected target, with a success rate of 82.1%. The case analysis shows that the control code generated by the techniques can be applied to the exploitation of real-world kernel vulnerabilities.

摘要： 为漏洞开发利用程序是评估内核漏洞可利用性的主要方式。堆喷对象在漏洞利用过程中被广泛使用，以完成数据注入、内存布局等恶意行为。现有对堆喷对象的研究存在两类局限：（1）忽略了类型为基本类型的堆喷对象；（2）无法生成能够编辑堆喷对象内容的代码。因此，提出面向内核漏洞利用的堆喷对象控制代码自动化生成技术。该技术包含了基于使用-定义链分析的堆喷对象识别和基于导向式模糊测试的堆喷对象控制代码生成。实验表明，该技术能够在Linux5.15版本的内核中识别并生成28个堆喷对象的控制代码，覆盖了现有研究识别到的所有堆喷对象。生成的控制代码中共有23个能控制堆喷对象完成预期目标，成功率为82.1%。通过案例分析表明，该技术生成的控制代码可以应用于真实内核漏洞的利用程序开发中。

LIU Zhuang, GU Kangzheng, TAN Xin, ZHANG Yuan. The Techniques of Automated Manipulating Code Generation for Spray Objects to Facilitate Kernel Vulnerability Exploitation[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0068783.

刘壮, 顾康正, 谈心, 张源. 面向内核漏洞利用的堆喷对象控制代码自动化生成技术[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0068783.

/ / Recommend / Download Citations

URL: http://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0068783

References

[1] Chen Y, Xing X. Slake: Facilitating slab manipulation for exploiting vulnerabilities in the linux kernel[C]//Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 2019: 1707-1722.
[2] 刘剑, 苏璞睿, 杨珉, 等.软件与网络安全研究综述[J]. 软件学报,2018,29(1):42-68 (Liu J, Su PR, Yang M, et al. Software and cyber security—A survey[J]. Ruan Jian Xue Bao/Journal of Software, 2018,29(1):42-68.)
[3] Kemerlis V P, Polychronakis M, Keromytis A D. Ret2dir: rethinking kernel isolation[C]//23rd USENIX Security Symposium (USENIX Security 14). 2014: 957-972.
[4] M. Jurczyk, G. Coldwind. Smep: What is it, and How to Beat it on Windows[EB/OL]. [2023-11-03]. https://j00ru.vexillium.org/2011/06/smep-what-is-it-and-h ow-to-beat-it-on-windows/.
[5] WIKIVERSITY. Supervisor Mode Access Prevention[EB/OL]. [2023-11-03]. https://en.wikipedia.org/wiki/Supervisor_Mode_Access_P revention.
[6] Kemerlis V P, Portokalidis G, Keromytis A D. kGuard: lightweight kernel protection against return-to-user attacks[C]//21st USENIX Security Symposium (USENIX Security 12). 2012: 459-474.
[7] Xu W, Li J, Shu J, et al. From collision to exploitation: unleashing use-after-free vulnerabilities in linux kernel[C]//Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. 2015: 414-425.
[8] Lin Z, Wu Y, Xing X. Dirtycred: escalating privilege in linux kernel[C]//Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 2022: 1963-1976.
[9] Avgerinos T, Cha S K, Rebert A, et al. Automatic exploit generation[J]. Communications of the ACM, 2014, 57(2): 74-84.
[10] 赵尚儒, 李学俊, 方越, 等. 安全漏洞自动利用综述[J]. 计算机研究与发展, 2019, 56(10): 2097-2111. (Zhao Shangru, Li Xuejun, Fang Yue, et al. A Survey on Automated Exploit Generation[J]. Journal of Computer Research and Development, 2019, 56(10): 2097-2111.)
[11] 冯光升, 张熠哲, 孙嘉钰, 等. 计算机系统漏洞自动化利用研究关键技术及进展[J]. 信息网络安全, 2022, 22(3): 39-52. (Feng Guangsheng, Zhang Yizhe, Sun Jiayu, et al. Key Technologies and Advances in the Research on Automated Exploitation of Computer System Vulnerabilities[J]. Netinfo Security, 2022, 22(3): 39-52.)
[12] 张利群, 潘祖烈, 黄晖, 等. 基于符号执行的 Tcache Poisoning 堆漏洞自动验证方法研究[J]. 计算机工程, 2023, 49(6): 24-33. (Zhang Liqun, Pan Zulie, Huang Hui, et al. Research on Automatic Verification Method of Tcache Poisoning Heap Vulnerability Based on Symbolic Execution[J]. Computer Engineering, 2023, 49(6): 24-33.)
[13] Wu W, Chen Y, Xu J, et al. Fuze: towards facilitating exploit generation for kernel use-after-freevulnerabilities[C]//27th USENIX Security Symposium (USENIX Security 18). 2018: 781-797.
[14] Chen W, Zou X, Li G, et al. Koobe: towards facilitating exploit generation of kernel out-of-bounds write vulnerabilities[C]//29th USENIX Security Symposium (USENIX Security 20). 2020: 1093-1110.
[15] Lu K, Walter M T, Pfaff D, et al. Unleashing use-before-initialization vulnerabilities in the linux kernel using targeted stack spraying[C]//NDSS. 2017.
[16] Cho H, Park J, Kang J, et al. Exploiting uses of uninitialized stack variables in linux kernels to leak kernel pointers[C]//14th USENIX Workshop on Offensive Technologies (WOOT 20). 2020.
[17] Liu D, Wang P, Zhou X, et al. Erace: toward facilitating exploit generation for kernel race vulnerabilities[J]. Applied Sciences, 2022, 12(23): 11925.
[18] Lee Y, Min C, Lee B. Exprace: exploiting kernel races through raising interrupts[C]//30th USENIX Security Symposium (USENIX Security 21). 2021: 2363-2380.
[19] Lin Z, Chen Y, Wu Y, et al. Grebe: unveiling exploitation potential for linux kernel bugs[C]//2022 IEEE Symposium on Security and Privacy (SP). IEEE, 2022: 2078-2095.
[20] Zou X, Li G, Chen W, et al. Syzscope: revealing high-risk security impacts of fuzzer-exposed bugs in linux kernel[C]//31st USENIX Security Symposium (USENIX Security 22). 2022: 3201-3217.
[21] Wu W, Chen Y, Xing X, et al. {KEPLER}: Facilitating control-flow hijacking primitive evaluation for Linux kernel vulnerabilities[C]//28th USENIX Security Symposium (USENIX Security 19). 2019: 1187-1204.
[22] Zeng K, Chen Y, Cho H, et al. Playing for K (H) eaps: understanding and improving linux kernel exploit reliability[C]//31st USENIX Security Symposium (USENIX Security 22). 2022: 71-88.
[23] Lee Y, Kwak J, Kang J, et al. Pspray: timing side-channel based linux kernel heap exploitation technique[C]//32nd USENIX Security Symposium (USENIX Security 23). 2023: 6825-6842.
[24] Chen Y, Lin Z, Xing X. A systematic study of elastic objects in kernel exploitation[C]//Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 2020: 1165-1184.
[25] Liu D, Wang P, Zhou X, et al. From release to rebirth: exploiting thanos objects in linux kernel[J]. IEEE Transactions on Information Forensics and Security, 2022, 18: 533-548.
[26] Lattner C, Adve V. LLVM: A compilation framework for lifelong program analysis & transformation[C]//International symposium on code generation and optimization, 2004. CGO 2004. IEEE, 2004: 75-86.
[27] Vyukov D. Syzkaller: an unsupervised, coverage-guide d kernel fuzzer[EB/OL]. [2023-11-03]. https://github.c om/google/syzkaller.
[28] Tan X, Zhang Y, Lu J, et al. Syzdirect: directed greybox fuzzing for linux kernel[C]//Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. 2023: 1630-1644.
[29] Lu K, Hu H. Where does it go? refining indirect-call targets with multi-layer type analysis[C]//Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 2019: 1867-1881.
[30] SECURITY O. Exploit database[EB/OL]. [2023-11-03]. https://www.exploit-db.com/.
[31] Jiang Z, Zhang Y, Xu J, et al. Aem: facilitating cross-version exploitability assessment of linux kernel vulnerabilities[C]//2023 IEEE Symposium on Security and Privacy (SP). IEEE, 2023: 2122-2137.
[32] National Vulnerability Database. CVE-2018-6555[EB/O L]. [2023-11-03]. https://nvd.nist.gov/vuln/detail/CVE-2 018-6555.

Please choose a citation manager

Content to export