1 00:00:11,080 --> 00:00:15,160 thank you for the introduction good 2 00:00:13,510 --> 00:00:17,800 afternoon thank you for coming to my 3 00:00:15,160 --> 00:00:19,420 session my name is Wei Wu I'm from 4 00:00:17,800 --> 00:00:22,480 Institute of information engineer 5 00:00:19,420 --> 00:00:23,470 Chinese Academy of Sciences this is the 6 00:00:22,480 --> 00:00:26,860 joint work with the Penn State 7 00:00:23,470 --> 00:00:29,950 University OS Colonels are reading 8 00:00:26,860 --> 00:00:32,379 low-level language like C and C++ large 9 00:00:29,950 --> 00:00:35,800 program retaining low-level language I 10 00:00:32,380 --> 00:00:38,649 inevitably to have bugs such as Obi 11 00:00:35,800 --> 00:00:40,260 access you will have data risk and even 12 00:00:38,649 --> 00:00:42,820 type of confusion vulnerabilities 13 00:00:40,260 --> 00:00:45,640 thousands of kernel bugs I reported last 14 00:00:42,820 --> 00:00:48,359 year and some of the bugs are very 15 00:00:45,640 --> 00:00:51,550 dangerous because they are exploitable 16 00:00:48,359 --> 00:00:54,010 protect OS kernels we have a lot of 17 00:00:51,550 --> 00:00:57,760 mitigations mitigation makes the 18 00:00:54,010 --> 00:00:59,530 exploitation harder actually Expo bility 19 00:00:57,760 --> 00:01:01,629 for each pack is a predicate about 20 00:00:59,530 --> 00:01:04,300 whether and how easily it could be 21 00:01:01,629 --> 00:01:07,210 exploited under the constraints of a set 22 00:01:04,300 --> 00:01:10,390 of exploit mitigations to get a good 23 00:01:07,210 --> 00:01:13,780 proof of the expo bility we need to give 24 00:01:10,390 --> 00:01:15,790 concrete kernel exploit to generate the 25 00:01:13,780 --> 00:01:18,640 concrete at kernel export we have 26 00:01:15,790 --> 00:01:20,890 automatic export generation systems the 27 00:01:18,640 --> 00:01:24,030 workflow behind AG system usually 28 00:01:20,890 --> 00:01:27,460 consists of two steps in the first step 29 00:01:24,030 --> 00:01:30,670 the identified for primitive X for 30 00:01:27,460 --> 00:01:32,619 primitive is a machine State which 31 00:01:30,670 --> 00:01:36,670 somehow empowers an attacker to craft 32 00:01:32,620 --> 00:01:39,250 the export the second step of Ag system 33 00:01:36,670 --> 00:01:41,200 is to evaluate whether this exploit 34 00:01:39,250 --> 00:01:43,600 primitive could really be used to 35 00:01:41,200 --> 00:01:45,430 generate the concrete export depending 36 00:01:43,600 --> 00:01:48,369 on the type of available X word print 37 00:01:45,430 --> 00:01:51,580 primitive we choose different exported 38 00:01:48,370 --> 00:01:53,050 techniques to finish the export control 39 00:01:51,580 --> 00:01:55,690 flow hijacking is one of the most 40 00:01:53,050 --> 00:01:58,720 popular export primitive many Oxbow 41 00:01:55,690 --> 00:02:02,770 techniques have been developed for post 42 00:01:58,720 --> 00:02:04,780 to control flow hijacking to craft the 43 00:02:02,770 --> 00:02:06,910 control flow hijacking ax voice before 44 00:02:04,780 --> 00:02:10,030 triggering the vulnerability the first 45 00:02:06,910 --> 00:02:12,430 step is adjusting the system course and 46 00:02:10,030 --> 00:02:15,610 the parameters and the map in a POC 47 00:02:12,430 --> 00:02:17,530 to adjust the memory layout and battery 48 00:02:15,610 --> 00:02:20,530 or invulnerability could gather control 49 00:02:17,530 --> 00:02:22,680 flow hijacking primitive after the last 50 00:02:20,530 --> 00:02:24,600 tab is executing as protection payload 51 00:02:22,680 --> 00:02:26,490 we have full payload 52 00:02:24,600 --> 00:02:28,920 Sushil called a retirement hit the 53 00:02:26,490 --> 00:02:30,260 programming that many research works 54 00:02:28,920 --> 00:02:33,299 tackling these challenges 55 00:02:30,260 --> 00:02:36,600 the question is despite a long list of 56 00:02:33,300 --> 00:02:40,170 existing tools it is really easy to be 57 00:02:36,600 --> 00:02:41,489 able to execute arbitrary Rock pedal in 58 00:02:40,170 --> 00:02:44,220 Linux kernel with a control flow 59 00:02:41,490 --> 00:02:46,620 hijacking primitive to answer the 60 00:02:44,220 --> 00:02:50,730 question let's take a closer look into a 61 00:02:46,620 --> 00:02:52,140 key step during the expectation among 62 00:02:50,730 --> 00:02:54,329 hand at the side of the control flow 63 00:02:52,140 --> 00:02:57,359 hijacking at the showing in kernel state 64 00:02:54,330 --> 00:03:00,540 as the program counter is on our control 65 00:02:57,360 --> 00:03:03,780 the stack pointer is not on the other 66 00:03:00,540 --> 00:03:06,900 hand to use return rented programming to 67 00:03:03,780 --> 00:03:09,420 execute except expectation payload we 68 00:03:06,900 --> 00:03:12,600 have to construct a new kernel state s 69 00:03:09,420 --> 00:03:16,230 prime the new in the new chrono state 70 00:03:12,600 --> 00:03:18,060 state not only the program counter but 71 00:03:16,230 --> 00:03:20,940 also the stack pointer is controllable 72 00:03:18,060 --> 00:03:23,190 so we can execute Rob payload to for 73 00:03:20,940 --> 00:03:25,829 example escalating the privilege to root 74 00:03:23,190 --> 00:03:27,930 fixing the memory corruption safely 75 00:03:25,830 --> 00:03:28,850 returning to user space and launching a 76 00:03:27,930 --> 00:03:32,730 root shell 77 00:03:28,850 --> 00:03:34,590 the remaining problem is how to 78 00:03:32,730 --> 00:03:38,790 construct the transition from state 79 00:03:34,590 --> 00:03:40,170 asset to state s prime the transition at 80 00:03:38,790 --> 00:03:42,630 the first glance seems quite 81 00:03:40,170 --> 00:03:45,750 straightforward to experienced hackers 82 00:03:42,630 --> 00:03:50,460 but sometimes we have trouble in this in 83 00:03:45,750 --> 00:03:52,680 the step in ask next few slides I will 84 00:03:50,460 --> 00:03:57,420 explain the challenges for the Rob 85 00:03:52,680 --> 00:04:01,440 bootstrapping task the first challenges 86 00:03:57,420 --> 00:04:03,780 exploited primitive mitigations a buggy 87 00:04:01,440 --> 00:04:07,200 in kernel may lead to crafted code 88 00:04:03,780 --> 00:04:09,570 pointers and dead pointers hijacking 89 00:04:07,200 --> 00:04:12,000 corrupted code pointer to execute user 90 00:04:09,570 --> 00:04:15,450 space share code is blocked by 91 00:04:12,000 --> 00:04:19,140 SME hijacking kernel sensitive dead 92 00:04:15,450 --> 00:04:23,370 pointer to user space is blocked by SM 93 00:04:19,140 --> 00:04:25,289 maybe the return to dia attack hijacks a 94 00:04:23,370 --> 00:04:28,290 corrupted code pointer to execute your 95 00:04:25,290 --> 00:04:32,190 code in feed map however this XY 96 00:04:28,290 --> 00:04:35,250 technique is blocked by marking memory 97 00:04:32,190 --> 00:04:37,050 pages in his map as now executable to 98 00:04:35,250 --> 00:04:39,810 overcome as a media as well 99 00:04:37,050 --> 00:04:41,699 maybe another export technique tries to 100 00:04:39,810 --> 00:04:44,160 modify the control registers therefore 101 00:04:41,699 --> 00:04:46,500 but they were in out two bits in this 102 00:04:44,160 --> 00:04:50,099 register an attacker could attend of 103 00:04:46,500 --> 00:04:52,949 post protections however such attempt to 104 00:04:50,099 --> 00:04:56,400 over rather control registers could be 105 00:04:52,949 --> 00:04:58,550 easily detected by by the virtualization 106 00:04:56,400 --> 00:05:00,960 based hypervisor 107 00:04:58,550 --> 00:05:04,139 the attempt to over rather control a 108 00:05:00,960 --> 00:05:06,659 disturbed could we will trigger a VM 109 00:05:04,139 --> 00:05:09,150 exit signal and the hybrid I could 110 00:05:06,659 --> 00:05:11,250 handle the situation recently some mad 111 00:05:09,150 --> 00:05:13,590 hackers also come up with new expedition 112 00:05:11,250 --> 00:05:15,300 cuts for example the kernel function 113 00:05:13,590 --> 00:05:17,758 call use a motor here per could 114 00:05:15,300 --> 00:05:21,409 facilitate exploitation by invoking a 115 00:05:17,759 --> 00:05:24,840 user root process by executing arbitrary 116 00:05:21,409 --> 00:05:28,169 binaries however it is also eliminated 117 00:05:24,840 --> 00:05:32,369 by a kernel patch which only allows the 118 00:05:28,169 --> 00:05:33,930 execution of whitelist the binary the 119 00:05:32,370 --> 00:05:36,840 second challenge is how to handle your 120 00:05:33,930 --> 00:05:39,360 Sunita explore primitive as we mentioned 121 00:05:36,840 --> 00:05:40,770 before a common Expo technique is to 122 00:05:39,360 --> 00:05:42,990 appear with the kernel stack to either 123 00:05:40,770 --> 00:05:45,750 space with gadget as a showing the 124 00:05:42,990 --> 00:05:48,750 figures of the gaseous exchange reacts 125 00:05:45,750 --> 00:05:50,370 with ESP and a return but unfortunately 126 00:05:48,750 --> 00:05:53,009 it is blocked bias and maybe because a 127 00:05:50,370 --> 00:05:55,349 new stack is in user space alternatively 128 00:05:53,009 --> 00:05:57,539 one may think of finance data pivoting 129 00:05:55,349 --> 00:06:00,270 gadgets inside kernel space such as the 130 00:05:57,539 --> 00:06:02,130 exchange idea with a SP and a return so 131 00:06:00,270 --> 00:06:04,650 we compute stack pointer to a fixed tag 132 00:06:02,130 --> 00:06:08,159 in kernel space however in practice such 133 00:06:04,650 --> 00:06:10,650 gadgets sometimes does not exist another 134 00:06:08,159 --> 00:06:13,590 limitation is lack of control of general 135 00:06:10,650 --> 00:06:15,948 registers for example using copy from 136 00:06:13,590 --> 00:06:19,198 user to copy Rob change to current 137 00:06:15,949 --> 00:06:20,819 kernel stack frame but it is still 138 00:06:19,199 --> 00:06:23,219 challenged because the lack of control 139 00:06:20,819 --> 00:06:26,400 registers copy from user requires 140 00:06:23,219 --> 00:06:29,699 controlling story parameters but usually 141 00:06:26,400 --> 00:06:31,109 we only control one of them the last 142 00:06:29,699 --> 00:06:34,620 challenge is export 143 00:06:31,110 --> 00:06:36,960 exploit pass pitfall to understand the 144 00:06:34,620 --> 00:06:39,599 challenge let's look into another common 145 00:06:36,960 --> 00:06:40,219 practice in exploitive element the expo 146 00:06:39,599 --> 00:06:42,479 technique 147 00:06:40,219 --> 00:06:45,479 triggers a vulnerability for multiple 148 00:06:42,479 --> 00:06:48,060 times and I at each time the axial part 149 00:06:45,479 --> 00:06:50,030 of the pillow such practice under the 150 00:06:48,060 --> 00:06:52,280 context of some vulnerabilities 151 00:06:50,030 --> 00:06:54,679 could dramatically decrease the success 152 00:06:52,280 --> 00:06:57,409 ratio of an exploit this is because 153 00:06:54,680 --> 00:06:59,060 memory corruption could happen 154 00:06:57,410 --> 00:07:01,520 simultaneously with a control flow 155 00:06:59,060 --> 00:07:05,810 hijacking primitive and the kernel to 156 00:07:01,520 --> 00:07:07,430 dereference an invalid address during 157 00:07:05,810 --> 00:07:08,600 the process to return into user space 158 00:07:07,430 --> 00:07:13,070 and the trigger the invulnerability 159 00:07:08,600 --> 00:07:14,930 again to tackle these challenges and 160 00:07:13,070 --> 00:07:17,480 ideal solutions to circumvent this 161 00:07:14,930 --> 00:07:19,760 exploit the past pitfall to do that we 162 00:07:17,480 --> 00:07:22,070 could adopt a single-shot exploitation 163 00:07:19,760 --> 00:07:26,120 which is similar to the so called magic 164 00:07:22,070 --> 00:07:27,770 gadget in users base exploitation as he 165 00:07:26,120 --> 00:07:29,419 is shown in the figure the single shot 166 00:07:27,770 --> 00:07:31,060 of exploitation redirects the control 167 00:07:29,419 --> 00:07:33,830 flow to smash the kernel stack and 168 00:07:31,060 --> 00:07:35,660 execute arbitrary Rob Chan without 169 00:07:33,830 --> 00:07:37,969 stretching a control flow hijacking 170 00:07:35,660 --> 00:07:43,820 primitive twice and the details of 171 00:07:37,970 --> 00:07:46,010 potential exploit past pitfall having 172 00:07:43,820 --> 00:07:48,169 these challenges in mind let's look into 173 00:07:46,010 --> 00:07:51,190 how Kepler achieved a one-shot 174 00:07:48,169 --> 00:07:53,990 exploitation our first introduced 175 00:07:51,190 --> 00:07:57,110 one-shot exploitation at high level of 176 00:07:53,990 --> 00:08:00,650 data let's look into the details of its 177 00:07:57,110 --> 00:08:03,080 basic building blocks to understand the 178 00:08:00,650 --> 00:08:04,880 design of Kepler let's first go over 179 00:08:03,080 --> 00:08:07,729 that this design of the single shot 180 00:08:04,880 --> 00:08:09,110 exploitation at high level starting from 181 00:08:07,729 --> 00:08:12,469 the initial control flow hijae 182 00:08:09,110 --> 00:08:14,140 confirmative the first step is to direct 183 00:08:12,470 --> 00:08:17,270 a control flow to execute a function 184 00:08:14,140 --> 00:08:20,360 called blooming gadget to increase the 185 00:08:17,270 --> 00:08:22,700 control of general registers the second 186 00:08:20,360 --> 00:08:23,860 step is to direct the control flow to 187 00:08:22,700 --> 00:08:27,140 the breeding gadget 188 00:08:23,860 --> 00:08:29,930 breeding gadget banks to control flow 189 00:08:27,140 --> 00:08:32,960 rejection primitive the first one is 190 00:08:29,930 --> 00:08:35,659 used to leak stagger canary so the 191 00:08:32,960 --> 00:08:38,960 combination of auxiliary gadget and his 192 00:08:35,659 --> 00:08:40,838 closure gadget and the second one is 193 00:08:38,960 --> 00:08:43,630 used to construct a stack overflow 194 00:08:40,839 --> 00:08:47,600 against the current kernel stack frame 195 00:08:43,630 --> 00:08:50,960 with a visual Rob payload as well as the 196 00:08:47,600 --> 00:08:52,700 stack economy we just leaked finally we 197 00:08:50,960 --> 00:08:55,070 could reach a virtual Rob payload 198 00:08:52,700 --> 00:08:56,810 execution we choose Rob because it's 199 00:08:55,070 --> 00:08:58,940 true and complete in the necks of 200 00:08:56,810 --> 00:09:01,930 useless I will describe these building 201 00:08:58,940 --> 00:09:01,930 blocks in detail 202 00:09:02,010 --> 00:09:07,170 the core building blocks of Kepler is a 203 00:09:04,740 --> 00:09:09,240 stack smashing gadget stack smashing 204 00:09:07,170 --> 00:09:12,300 gadgets are you location size of func 205 00:09:09,240 --> 00:09:14,730 function copy from user copy from user 206 00:09:12,300 --> 00:09:17,790 is a data channel between users based on 207 00:09:14,730 --> 00:09:20,970 the kernel the destination of copy from 208 00:09:17,790 --> 00:09:23,430 user is usually a local variable on 209 00:09:20,970 --> 00:09:25,560 kernel stack this is great for 210 00:09:23,430 --> 00:09:27,359 exploitation because we can you reduce 211 00:09:25,560 --> 00:09:28,949 the coincides our coffee phone user to 212 00:09:27,360 --> 00:09:31,050 set the register at the height accounts 213 00:09:28,950 --> 00:09:34,500 kernel stack frame without knowing its 214 00:09:31,050 --> 00:09:37,290 precise address as shown in the right 215 00:09:34,500 --> 00:09:40,140 hand side code the destination buffer is 216 00:09:37,290 --> 00:09:43,199 a local variable another interesting 217 00:09:40,140 --> 00:09:46,050 code style is saving invocation of a 218 00:09:43,200 --> 00:09:47,700 copy from user to make kernel code more 219 00:09:46,050 --> 00:09:50,040 robust the return value of copy from 220 00:09:47,700 --> 00:09:52,650 user is checked if an error occurs 221 00:09:50,040 --> 00:09:56,069 during the new location of a user the 222 00:09:52,650 --> 00:10:00,449 function will return immediately and a 223 00:09:56,070 --> 00:10:02,010 start executing our Rob payload to force 224 00:10:00,450 --> 00:10:04,500 function copy from user to return a 225 00:10:02,010 --> 00:10:08,490 nonzero value we could construct a page 226 00:10:04,500 --> 00:10:10,590 paid for during a copy process the plan 227 00:10:08,490 --> 00:10:13,010 sounds good but a kernel panic because 228 00:10:10,590 --> 00:10:17,070 the kernel is protected by stare economy 229 00:10:13,010 --> 00:10:19,470 and another problem is we do not control 230 00:10:17,070 --> 00:10:24,090 the source address and the size of the 231 00:10:19,470 --> 00:10:26,790 copy as first to take care of the stare 232 00:10:24,090 --> 00:10:29,250 canary cover uses another family of 233 00:10:26,790 --> 00:10:31,890 gadgets called active disclosure gadgets 234 00:10:29,250 --> 00:10:34,860 similar to the previously mentioned the 235 00:10:31,890 --> 00:10:37,230 stack smashing gadget the ability to 236 00:10:34,860 --> 00:10:40,290 leak canary is empowered by the kernel 237 00:10:37,230 --> 00:10:42,470 function capital user the function copy 238 00:10:40,290 --> 00:10:45,329 to user also takes three arguments 239 00:10:42,470 --> 00:10:47,130 negating destination source and length 240 00:10:45,330 --> 00:10:50,310 of the data to copy find kernel to use 241 00:10:47,130 --> 00:10:52,650 our space as showing the curved listing 242 00:10:50,310 --> 00:10:55,469 if the kernel function copy to user 243 00:10:52,650 --> 00:10:58,140 returns and down zero value the caller 244 00:10:55,470 --> 00:11:01,230 function gets time of the day will 245 00:10:58,140 --> 00:11:03,090 returns an error immediately and by 246 00:11:01,230 --> 00:11:05,670 redirecting the kind of load to before 247 00:11:03,090 --> 00:11:07,500 the call incisal copy to user we can set 248 00:11:05,670 --> 00:11:10,079 the source buffer to kernel stack and 249 00:11:07,500 --> 00:11:12,270 foster conservative execution to take 250 00:11:10,080 --> 00:11:14,260 shorter return pass by constructing a 251 00:11:12,270 --> 00:11:16,390 paid fault 252 00:11:14,260 --> 00:11:18,730 however the problem here is the color of 253 00:11:16,390 --> 00:11:21,340 a copy to user is also protected by a 254 00:11:18,730 --> 00:11:23,980 stack cannery to pass this dagger 255 00:11:21,340 --> 00:11:27,910 currently successfully and returned we 256 00:11:23,980 --> 00:11:30,490 needed the aquaszero function gadget the 257 00:11:27,910 --> 00:11:33,250 basic idea of auxiliary gadget is 258 00:11:30,490 --> 00:11:36,070 straightforward kernel performs can we 259 00:11:33,250 --> 00:11:38,410 check in function epilogue it it just 260 00:11:36,070 --> 00:11:40,840 wants the legal canary before the return 261 00:11:38,410 --> 00:11:43,930 address so it could just give it one to 262 00:11:40,840 --> 00:11:46,570 make it happy to do that we first direct 263 00:11:43,930 --> 00:11:48,520 the execution to the oxalate auxiliary 264 00:11:46,570 --> 00:11:51,220 function gadget which creates a fixed 265 00:11:48,520 --> 00:11:54,880 stack frame and stores a stack canary 266 00:11:51,220 --> 00:11:57,340 before I return address we make sure the 267 00:11:54,880 --> 00:12:01,689 stack frame is of the same size of the 268 00:11:57,340 --> 00:12:03,880 caller function of copy to user there is 269 00:12:01,690 --> 00:12:05,320 an internal call Khazaria function the 270 00:12:03,880 --> 00:12:08,320 target of endeavor the call is 271 00:12:05,320 --> 00:12:10,150 controllable we read agree with 272 00:12:08,320 --> 00:12:12,160 redirected control flow to canary 273 00:12:10,150 --> 00:12:13,990 disclosure gadget when the canary 274 00:12:12,160 --> 00:12:18,189 disclosure gadget fails to copy the last 275 00:12:13,990 --> 00:12:21,910 part and it returns is where finds it 276 00:12:18,190 --> 00:12:23,770 were finds it were a final canary 277 00:12:21,910 --> 00:12:25,750 stalled by all the wreckage and all 278 00:12:23,770 --> 00:12:28,270 functions in the same kernel should 279 00:12:25,750 --> 00:12:31,450 share the same stack kernel kernel has 280 00:12:28,270 --> 00:12:32,740 no reason to reject our turn at the 281 00:12:31,450 --> 00:12:35,170 mention before to invoked function 282 00:12:32,740 --> 00:12:37,150 gadgets like a copy file and copy to 283 00:12:35,170 --> 00:12:39,969 user we need to control more registers 284 00:12:37,150 --> 00:12:41,680 so the last we use blooming gadget the 285 00:12:39,970 --> 00:12:44,320 code of Linux kernel sometimes is 286 00:12:41,680 --> 00:12:47,770 similar to object-oriented programming 287 00:12:44,320 --> 00:12:50,410 the serf object is usually passed as the 288 00:12:47,770 --> 00:12:53,740 first parameter and it is the reference 289 00:12:50,410 --> 00:12:58,000 for target and parameters of an integral 290 00:12:53,740 --> 00:13:00,040 code as shown in the code listing the 291 00:12:58,000 --> 00:13:02,440 function accepts pointer to the VMA 292 00:13:00,040 --> 00:13:04,870 object vma's dereference the multiple 293 00:13:02,440 --> 00:13:07,840 times to fall together target and the 294 00:13:04,870 --> 00:13:11,550 parameters of an indirect call giving 295 00:13:07,840 --> 00:13:14,260 the VMA points to a controllable region 296 00:13:11,550 --> 00:13:16,750 we can get a better state through the 297 00:13:14,260 --> 00:13:18,520 gadget in the new state we are good to 298 00:13:16,750 --> 00:13:24,370 use function gadget because we control 299 00:13:18,520 --> 00:13:26,439 three registers parameters in order to 300 00:13:24,370 --> 00:13:29,620 combine the operations of disclosing 301 00:13:26,440 --> 00:13:31,870 their canary and the smashing stack into 302 00:13:29,620 --> 00:13:35,020 a single shot we needed the assistance 303 00:13:31,870 --> 00:13:37,180 of bridging gadgets breeding gadget a 304 00:13:35,020 --> 00:13:40,270 kernel functions containing multiple 305 00:13:37,180 --> 00:13:42,550 controllable in the articles breeding 306 00:13:40,270 --> 00:13:44,920 gases burns to opportunity to hijack a 307 00:13:42,550 --> 00:13:47,290 control flow we can combine the 308 00:13:44,920 --> 00:13:50,110 operations of canary liquor and the 309 00:13:47,290 --> 00:13:51,130 stack overflow into a single shot for 310 00:13:50,110 --> 00:13:54,010 example function 311 00:13:51,130 --> 00:13:58,300 reg cosmic dirty is a bridging gadget 312 00:13:54,010 --> 00:14:00,430 which performs two in our call if we 313 00:13:58,300 --> 00:14:03,189 left the map points to the fist map 314 00:14:00,430 --> 00:14:05,650 region under our control we can use the 315 00:14:03,190 --> 00:14:07,450 in diverter call look to execute 316 00:14:05,650 --> 00:14:09,699 auxiliary and the disclosure gadget 317 00:14:07,450 --> 00:14:12,220 ridiculous that canary and use a second 318 00:14:09,700 --> 00:14:16,420 interval call unlock code to execute the 319 00:14:12,220 --> 00:14:18,550 text merging gadget the implementation 320 00:14:16,420 --> 00:14:21,579 Kepler contains two modules the first 321 00:14:18,550 --> 00:14:23,560 module is a stated analysis module we 322 00:14:21,580 --> 00:14:26,850 collect the candidate graduate through 323 00:14:23,560 --> 00:14:30,250 static analysis plaguing belong at a pro 324 00:14:26,850 --> 00:14:32,890 in the second module we convert the 325 00:14:30,250 --> 00:14:35,590 export chain identification at the 326 00:14:32,890 --> 00:14:40,270 research problem over the candidate 327 00:14:35,590 --> 00:14:42,840 gadgets the search tree contains five 328 00:14:40,270 --> 00:14:46,689 steps corresponding to the previous cust 329 00:14:42,840 --> 00:14:49,120 building blocks we also employ multiple 330 00:14:46,690 --> 00:14:52,510 workers to explore the search space 331 00:14:49,120 --> 00:14:55,540 concurrently the gadget teaching engine 332 00:14:52,510 --> 00:14:58,410 is built our anger to prune the search 333 00:14:55,540 --> 00:15:00,849 space will perform constraints 334 00:14:58,410 --> 00:15:03,790 satisfiability check at multiple key 335 00:15:00,850 --> 00:15:06,340 locations we mitigate state explosion by 336 00:15:03,790 --> 00:15:09,069 setting stretch hold of the maximal step 337 00:15:06,340 --> 00:15:13,660 in each stage and the maximum time of 338 00:15:09,070 --> 00:15:17,650 entering a dupe to evaluate the capture 339 00:15:13,660 --> 00:15:20,410 we collected 16 CVS and Sri city of 340 00:15:17,650 --> 00:15:21,730 challenges about Linux kernel this 341 00:15:20,410 --> 00:15:25,150 vulnerability are known to be 342 00:15:21,730 --> 00:15:28,030 control-flow ejectable including OB 343 00:15:25,150 --> 00:15:31,780 excess use a free double free indoor 344 00:15:28,030 --> 00:15:34,150 flow and I initialized the use the table 345 00:15:31,780 --> 00:15:36,550 shows weather Kevlar and the uses in 346 00:15:34,150 --> 00:15:38,699 tools could generate expose for our own 347 00:15:36,550 --> 00:15:41,949 ability 348 00:15:38,699 --> 00:15:44,978 Kepler generate exploited for 17 out of 349 00:15:41,949 --> 00:15:47,738 19 bucks and it out firmly existing 350 00:15:44,979 --> 00:15:50,229 export hardening tools because Kepler 351 00:15:47,739 --> 00:15:52,419 has a capability of bypassing widely 352 00:15:50,229 --> 00:15:54,489 deployed kernel mitigations and to not 353 00:15:52,419 --> 00:15:58,529 rely on stack a pivoting gadget or 354 00:15:54,489 --> 00:16:00,819 triggering a bug for multiple times 355 00:15:58,529 --> 00:16:03,339 Kepler could also find many different 356 00:16:00,819 --> 00:16:05,529 expeditions from the right hand side 357 00:16:03,339 --> 00:16:07,689 figure we can find a number of different 358 00:16:05,529 --> 00:16:10,929 candidate gadgets for each vulnerability 359 00:16:07,689 --> 00:16:12,879 the time to find the first exploitation 360 00:16:10,929 --> 00:16:16,119 channel as well as the time to finish 361 00:16:12,879 --> 00:16:18,839 the search the total number of 362 00:16:16,119 --> 00:16:23,289 identified X what Chinese also listed 363 00:16:18,839 --> 00:16:27,039 Kepler could find the first X / Chan in 364 00:16:23,289 --> 00:16:29,699 50 more o'clock minutes and the in total 365 00:16:27,039 --> 00:16:32,799 tens of thousands of exploit chance 366 00:16:29,699 --> 00:16:35,858 the exposed change generated is a hard 367 00:16:32,799 --> 00:16:37,978 to defeat because this function cages 368 00:16:35,859 --> 00:16:42,849 used by Kepler could not be easily 369 00:16:37,979 --> 00:16:44,829 removed from the kernel in summary we 370 00:16:42,849 --> 00:16:48,159 propose the single-shot x protection 371 00:16:44,829 --> 00:16:51,098 technique it is an effective and a 372 00:16:48,159 --> 00:16:53,489 generic kernel exportation technique we 373 00:16:51,099 --> 00:16:55,149 implemented Kepler to facilitate 374 00:16:53,489 --> 00:16:57,879 identification of single-shot 375 00:16:55,149 --> 00:17:00,219 exploitation and we open-source the tool 376 00:16:57,879 --> 00:17:03,600 to prevent control-flow hijacking 377 00:17:00,219 --> 00:17:07,119 attacks see if I could solutions with 378 00:17:03,600 --> 00:17:10,179 low overhead should be considered and 379 00:17:07,118 --> 00:17:14,168 widely deployed for a major release of 380 00:17:10,179 --> 00:17:18,990 Linux kernels thank you for attention 381 00:17:14,169 --> 00:17:18,990 and I'm ready for questions 382 00:17:23,599 --> 00:17:27,928 all right well one of those 383 00:17:25,919 --> 00:17:30,090 questionnaires come on up 384 00:17:27,929 --> 00:17:33,919 I'm interested to know a little bit 385 00:17:30,090 --> 00:17:36,209 about the robustness of the kind of 386 00:17:33,919 --> 00:17:37,529 susceptibility to like the single shot 387 00:17:36,210 --> 00:17:39,289 right so what happens if you did like 388 00:17:37,529 --> 00:17:41,720 something like fine-grained 389 00:17:39,289 --> 00:17:45,809 randomization at a function granularity 390 00:17:41,720 --> 00:17:49,080 would that be problematic or if there is 391 00:17:45,809 --> 00:17:51,450 a randomization like okay yeah we needed 392 00:17:49,080 --> 00:17:55,070 the cooperation of an info Dieker 393 00:17:51,450 --> 00:17:57,359 vulnerability so that we can dig the 394 00:17:55,070 --> 00:18:00,119 address of the gadget that we need to 395 00:17:57,359 --> 00:18:04,470 use the index rotation for fine so more 396 00:18:00,119 --> 00:18:07,049 fine-grain the randomization I didn't 397 00:18:04,470 --> 00:18:10,889 see implementation for Linux kernel so I 398 00:18:07,049 --> 00:18:12,690 cannot draw and in conclusion okay but 399 00:18:10,889 --> 00:18:14,100 something that did fine grained we 400 00:18:12,690 --> 00:18:15,739 randomized ation would probably be a 401 00:18:14,100 --> 00:18:18,689 little bit challenging yeah 402 00:18:15,739 --> 00:18:29,820 randomization okay it's beautiful very 403 00:18:18,690 --> 00:18:32,759 challenging we can't hear you so thanks 404 00:18:29,820 --> 00:18:36,389 sorry hi my name is David from UC Irvine 405 00:18:32,759 --> 00:18:41,399 a great talk which versions of Linux did 406 00:18:36,389 --> 00:18:44,158 you look at me which kernel versions did 407 00:18:41,399 --> 00:18:49,379 you look at the latest version of the 408 00:18:44,159 --> 00:18:51,149 kernel yeah it's the 4.15 yeah at the 409 00:18:49,379 --> 00:18:55,469 time of the writing of the paper it is 410 00:18:51,149 --> 00:18:59,418 the most recent UNIX kernel version did 411 00:18:55,470 --> 00:19:03,389 you look at any other words or only then 412 00:18:59,419 --> 00:19:06,230 after the after the projector I also use 413 00:19:03,389 --> 00:19:11,279 it easier to generate exploit for 414 00:19:06,230 --> 00:19:15,029 vulnerability in kernel 4.20 it also 415 00:19:11,279 --> 00:19:17,659 works in for 4.20 and for more recent of 416 00:19:15,029 --> 00:19:22,759 a version I have not have not tested yet 417 00:19:17,659 --> 00:19:22,759 okay cool thank you thank you 418 00:19:23,440 --> 00:19:29,690 go ahead yeah hi I'm Anne ill from IBM 419 00:19:27,740 --> 00:19:32,600 Research Zurich I had a question on your 420 00:19:29,690 --> 00:19:34,970 slide 19 I think just two slides before 421 00:19:32,600 --> 00:19:41,570 you have these numbers for the first 422 00:19:34,970 --> 00:19:43,670 chain time no the one before that so I 423 00:19:41,570 --> 00:19:47,210 can see for some of them there's a lot 424 00:19:43,670 --> 00:19:49,190 of repetitions of say 17 minutes is it 425 00:19:47,210 --> 00:19:50,900 because it finds the same exploit chain 426 00:19:49,190 --> 00:19:57,710 because the initial conditions are the 427 00:19:50,900 --> 00:19:59,930 same or asking about the time rod the 428 00:19:57,710 --> 00:20:01,700 total number of X were generated no the 429 00:19:59,930 --> 00:20:05,000 first chain the first chain minute I 430 00:20:01,700 --> 00:20:07,190 just noticed this so I was just 431 00:20:05,000 --> 00:20:09,560 wondering if you if you tend to find the 432 00:20:07,190 --> 00:20:11,540 same exploit change because of the same 433 00:20:09,560 --> 00:20:15,350 initial conditions that you have as 434 00:20:11,540 --> 00:20:17,570 you're basically as your restriction for 435 00:20:15,350 --> 00:20:21,290 your for finding your exploit change so 436 00:20:17,570 --> 00:20:25,399 how generic are the exploit change that 437 00:20:21,290 --> 00:20:28,070 you find is the overall question yeah 438 00:20:25,400 --> 00:20:30,020 yeah as we can see from the figures the 439 00:20:28,070 --> 00:20:31,580 number of Canada catches the foil for 440 00:20:30,020 --> 00:20:34,010 each vulnerability is different this 441 00:20:31,580 --> 00:20:37,730 this is this is because the context of 442 00:20:34,010 --> 00:20:39,950 each paddock is different you asked a 443 00:20:37,730 --> 00:20:43,130 very good question about the reusability 444 00:20:39,950 --> 00:20:45,410 of the generate a expose explore the 445 00:20:43,130 --> 00:20:49,910 trap but I have not to statistic about 446 00:20:45,410 --> 00:20:51,320 about the data you want so okay sorry 447 00:20:49,910 --> 00:20:52,370 all right once again let's think our 448 00:20:51,320 --> 00:20:57,540 speaker 449 00:20:52,370 --> 00:20:57,540 [Applause]