
Towards Unveiling Exploitation Potential With Multiple Error Behaviors for Kernel Bugs

Published: 17 February 2023

Abstract

Nowadays, fuzz testing has significantly expedited vulnerability discovery in the Linux kernel. Security analysts use the error behavior manifested in a bug report to infer the exploitability of the bug and thus to prioritize patch development. However, relying on only the single error behavior in a report, security analysts might underestimate the exploitability of a kernel bug, because the same bug could manifest various error behaviors that indicate different exploitation potentials. In this work, we conduct an empirical study on the multiple error behaviors of kernel bugs to understand 1) the prevalence of multiple error behaviors and their possible impact on exploitation potential; 2) the factors that make a bug manifest multiple error behaviors with different exploitation potential. We collected all the fixed kernel bugs reported on Syzbot from September 2017 to January 2022, comprising 3,352 bug reports. We observed that kernel bugs manifesting multiple error behaviors are prevalent in the real world, and that more error behaviors help unveil the exploitability of kernel bugs. We then organized Linux kernel experts to analyze a sample of the kernel bug dataset (484 bug reports, 162 unique bugs) and identified 6 key factors contributing to multiple error behaviors. Finally, based on the empirical findings, we propose an object-driven fuzzing technique to explore all possible error behaviors that a kernel bug might bring about. To evaluate the utility of our proposed technique, we implement our fuzzing tool GREBE and apply it to 60 real-world Linux kernel bugs. On average, GREBE could manifest 2+ additional error behaviors for each of the kernel bugs. For 26 kernel bugs, GREBE discovers higher exploitation potential. We reported to kernel vendors some of the bugs whose exploitability had been wrongly assessed and whose patches had not yet been carefully applied, resulting in their rapid patch adoption.


Published In

IEEE Transactions on Dependable and Secure Computing, Volume 21, Issue 1, Jan.-Feb. 2024, 500 pages

Publisher: IEEE Computer Society Press, Washington, DC, United States

Qualifiers: Research-article