面向内核漏洞利用的堆喷对象控制代码自动化生成技术

doi:10.19678/j.issn.1000-3428.0068783

摘要/Abstract

摘要：

开发漏洞利用程序是评估内核漏洞可利用性的主要方式。堆喷对象在漏洞利用过程中被广泛使用, 以完成数据注入、内存布局等恶意行为。现有堆喷对象的研究忽略了基本类型的堆喷对象, 无法生成能够编辑堆喷对象内容的代码。为此, 提出面向内核漏洞利用的堆喷对象控制代码自动化生成技术。该技术包含了基于使用-定义链分析的堆喷对象识别和基于导向式模糊测试的堆喷对象控制代码生成。通过使用-定义链分析静态识别出目标内核中的堆喷对象及能够操控这些对象的关键代码位置; 将识别到的关键代码作为目标点, 利用导向式模糊测试技术动态生成目标堆喷对象的控制代码, 以辅助漏洞利用。实验结果表明, 该技术能够在Linux 5.15版本的内核中识别并生成28个堆喷对象的控制代码, 覆盖了现有研究识别到的所有堆喷对象。生成的控制代码中共有23个能控制堆喷对象完成预期目标, 成功率为82.1%。案例分析表明, 该技术生成的控制代码应用于真实内核漏洞的利用程序开发中。

关键词: 内核安全, 内核漏洞, 漏洞利用, 堆喷对象, 控制代码生成

Abstract:

Developing exploits for vulnerabilities is the primary method of evaluating the exploitability of kernel vulnerabilities. Heap spraying objects are widely used in the exploitation process to execute malicious behaviors, such as malicious content injection and memory layout manipulation. Currently, the basic types of heap spraying objects have received limited attention, and code that can edit the content of heap spraying objects has not been generated. Therefore, this paper proposes the automated technplogy for heap spraying objects manipulationg code for kernel vulnerabilities exploitation. This technology includes heap spraying object recognition based on usage-definition chain analysis and heap spraying object control code generation based on guided fuzzy testing. Usage-definition chain analysis is used to statically identify heap spraying objects within the target kernel and the key code positions that can manipulate these objects. Using the identified key codes as target points, guided fuzzy testing technology is applied to dynamically generate control codes for the target heap spraying object to assist in vulnerability exploitation. Experimental results show that the techniques can identify and generate the control code of 28 heap spraying objects in Linux 5.15, which covers all heap spraying objects identified in existing works. 23 generated codes can control the heap spraying object to achieve the expected target with a success rate of 82.1%. The case analysis shows that the manipulating code generated by these techniques can be used to exploit real-world kernel vulnerabilities.

Key words: kernel security, kernel vulnerability, vulnerability exploitation, heap spraying object, manipulating code generation

刘壮, 顾康正, 谈心, 张源. 面向内核漏洞利用的堆喷对象控制代码自动化生成技术[J]. 计算机工程, 2025, 51(4): 178-187.

LIU Zhuang, GU Kangzheng, TAN Xin, ZHANG Yuan. Automatic Generation of Code for Heap Spraying Object Manipulation Targeting Kernel Vulnerability Exploitation[J]. Computer Engineering, 2025, 51(4): 178-187.

https://www.ecice06.com/CN/Y2025/V51/I4/178

图/表 13

图1 堆喷对象示例

Fig.1 Example of heap spraying object

图2 UAF漏洞利用过程

Fig.2 Exploitation process of UAF vulnerability

图3 堆喷对象控制代码生成工作流程

Fig.3 Workflow of manipulating code generating for heap spraying objects

图4 内核中的1段代码

Fig.4 One piece of code in the kernel

图5 Linux内核中的分配函数

Fig.5 Allocation functions in Linux kernel

图6 Linux内核中的复制函数

Fig.6 Copy functions in Linux kernel

图7 标识信息

Fig.7 Identification information

图8 控制代码示例

Fig.8 Manipulating code example

图9 Linux内核中常用模块

Fig.9 General modules in Linux kernel

图10 内核中不同大小对象所在缓存区

Fig.10 The cache area where objects of different sizes are located in the kernel

图11 本文工具识别堆喷对象数量与已有研究对比

Fig.11 The number of heap spraying objects identified by this article′s tool compared with existing research

图12 案例分析

Fig.12 Case analysis

参考文献 32

1	CHEN Y Q, XING X Y. SLAKE: facilitating slab manipulation for exploiting vulnerabilities in the Linux kernel[C]//Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York, USA: ACM Press, 2019: 1707-1722.
2	刘剑, 苏璞睿, 杨珉, 等. 软件与网络安全研究综述. 软件学报, 2018, 29 (1): 42- 68.
	LIU J , SU P R , YANG M , et al. Software and cyber security-a survey. Journal of Software, 2018, 29 (1): 42- 68.
3	KEMERLIS V P, POLYCHRONAKIS M, KEROMYTIS A D. Ret2dir: rethinking kernel isolation[C]//Proceedings of the 23rd USENIX Conference on Security Symposium. New York, USA: ACM Press, 2014: 957-972.
4	JURCZYK M, COLDWIND G. SMEP: what is it, and how to beat it on Windows[EB/OL]. [2023-10-02]. https://j00ru.vexillium.org/2011/06/smep-what-is-it-and-how-to-beat-it-on-windows/.
5	WIKIVERSITY. Supervisor mode access prevention[EB/OL]. [2023-10-02]. https://en.wikipedia.org/wiki/Supervisor_Mode_Access_Prevention.
6	KEMERLIS V P, PORTOKALIDIS G, KEROMYTIS A D. kGuard: lightweight kernel protection against return-to-user attacks[C]//Proceedings of the 21st USENIX Conference on Security Symposium. New York, USA: ACM Press, 2012: 459-474.
7	XU W, LI J R, SHU J L, et al. From collision to exploitation: unleashing use-after-free vulnerabilities in Linux kernel[C]//Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. New York, USA: ACM Press, 2015: 414-425.
8	LIN Z, WU Y, XING X. Dirtycred: escalating privilege in Linux kernel[C]//Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. New York, USA: ACM Press, 2022: 1963-1976.
9	AVGERINOS T , CHA S K , REBERT A , et al. Automatic exploit generation. Communications of the ACM, 2014, 57 (2): 74- 84. doi: 10.1145/2560217.2560219
10	赵尚儒, 李学俊, 方越, 等. 安全漏洞自动利用综述. 计算机研究与发展, 2019, 56 (10): 2097- 2111.
	ZHAO S R , LI X J , FANG Y , et al. A survey on automated exploit generation. Journal of Computer Research and Development, 2019, 56 (10): 2097- 2111.
11	冯光升, 张熠哲, 孙嘉钰, 等. 计算机系统漏洞自动化利用研究关键技术及进展. 信息网络安全, 2022, 22 (3): 39- 52.
	FENG G S , ZHANG Y Z , SUN J Y , et al. Key technologies and advances in the research on automated exploitation of computer system vulnerabilities. Netinfo Security, 2022, 22 (3): 39- 52.
12	张利群, 潘祖烈, 黄晖, 等. 基于符号执行的Tcache Poisoning堆漏洞自动验证方法研究. 计算机工程, 2023, 49 (6): 24- 33. URL
	ZHANG L Q , PAN Z L , HUANG H , et al. Research on automatic verification method of Tcache Poisoning heap vulnerability based on symbolic execution. Computer Engineering, 2023, 49 (6): 24- 33. URL
13	WU W, CHEN Y Q, XU J, et al. FUZE: towards facilitating exploit generation for kernel use-after-free vulnerabilities[C]//Proceedings of the 27th USENIX Conference on Security Symposium. New York, USA: ACM Press, 2018: 781-797.
14	CHEN W T, ZOU X C, LI G R, et al. KOOBE: towards facilitating exploit generation of kernel out-of-bounds write vulnerabilities[C]//Proceedings of the 29th Conference on USENIX Security Symposium (USENIX Security 20). New York, USA: ACM Press, 2020: 1093-1110.
15	LU K J, WALTER M T, PFAFF D, et al. Unleashing use-before-initialization vulnerabilities in the Linux kernel using targeted stack spraying[EB/OL]. [2023-10-02]. https://www-users.cse.umn.edu/~kjlu/papers/tss.pdf.
16	CHO H, PARK J, KANG J, et al. Exploiting uses of uninitialized stack variables in Linux kernels to leak kernel pointers[C]//Proceedings of the 14th USENIX Workshop on Offensive Technologies. New York, USA: ACM Press, 2020: 123-129.
17	LIU D J , WANG P F , ZHOU X , et al. ERACE: toward facilitating exploit generation for kernel race vulnerabilities. Applied Sciences, 2022, 12 (23): 11925. doi: 10.3390/app122311925
18	LEE Y, MIN C, LEE B. ExpRace: exploiting kernel races through raising interrupts[C]//Proceedings of the 30th USENIX Conference on Security Symposium. New York, USA: ACM Press, 2021: 2363-2380.
19	LIN Z, CHEN Y, WU Y, et al. Grebe: unveiling exploitation potential for linux kernel bugs[C]//Proceedings of IEEE Symposium on Security and Privacy. Washington D. C., USA: IEEE Press, 2022: 2078-2095.
20	ZOU X C, LI G R, CHEN W T, et al. SyzScope: revealing high-risk security impacts of fuzzer-exposed bugs in Linux kernel[C]//Proceedings of the 31st USENIX Conference on Security Symposium. New York, USA: ACM Press, 2022: 3201-3217.
21	WU W, CHEN Y Q, XING X Y, et al. KEPLER: facilitating control-flow hijacking primitive evaluation for Linux kernel vulnerabilities[C]//Proceedings of the 28th USENIX Security Symposium. New York, USA: ACM Press, 2019: 1187-1204.
22	ZENG K, CHEN Y, CHO H, et al. Playing for K (H) eaps: understanding and improving Linux kernel exploit reliability[C]//Proceedings of the 31st USENIX Security Symposium. New York, USA: ACM Press, 2022: 71-88.
23	LEE Y, KWAK J, KANG J, et al. Pspray: timing side-channel based Linux kernel heap exploitation technique[C]//Proceedings of the 32nd USENIX Security Symposium. New York, USA: ACM Press, 2023: 6825-6842.
24	CHEN Y Q, LIN Z P, XING X Y. A systematic study of elastic objects in kernel exploitation[C]//Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. New York, USA: ACM Press, 2020: 1165-1184.
25	LIU D , WANG P , ZHOU X , et al. From release to rebirth: exploiting Thanos objects in Linux kernel. IEEE Transactions on Information Forensics and Security, 2022, 18, 533- 548.
26	LATTNER C, ADVE V. LLVM: a compilation framework for lifelong program analysis&transformation[C]//Proceedings of International Symposium on Code Generation and Optimization. Washington D. C., USA: IEEE Press, 2004: 75-86.
27	VYUKOV D. Syzkaller: an unsupervised, coverage-guided kernel fuzzer[EB/OL]. [2023-10-02]. https://github.com/google/syzkaller.
28	TAN X, ZHANG Y, LU J, et al. SyzDirect: directed greybox fuzzing for Linux kernel[C]//Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. New York, USA: ACM Press, 2023: 1630-1644.
29	LU K J, HU H. Where does it go?refining indirect-call targets with multi-layer type analysis[C]//Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York, USA: ACM Press, 2019: 1867-1881.
30	SECURITY O. Exploit database[EB/OL]. [2023-10-02]. https://www.exploit-db.com/.
31	JIANG Z, ZHANG Y, XU J, et al. AEM: facilitating cross-version exploitability assessment of Linux kernel vulnerabilities[C]//Proceedings of 2023 IEEE Symposium on Security and Privacy. Washington D. C., USA: IEEE Press, 2023: 2122-2137.
32	National Vulnerability Database. CVE-2018-6555[EB/OL]. [2023-10-02]. https://nvd.nist.gov/vuln/detail/CVE-2018-6555.

[1]	王炎,刘嘉勇,刘亮,贾鹏,刘露平. 漏洞利用工具研发框架研究[J]. 计算机工程, 2018, 44(3): 127-131.
[2]	吴伟民, 郭朝伟, 黄志伟, 苏庆, 陈秋伟. 基于Windows的结构化异常处理漏洞利用技术[J]. 计算机工程, 2012, 38(20): 5-8.
[3]	余俊松;张玉清;宋杨;刘奇旭. Windows下缓冲区溢出漏洞的利用[J]. 计算机工程, 2007, 33(17): 162-164.

选择文件类型/文献管理软件名称

选择包含的内容