Publications

2022

1. S&P

   GREBE: Unveiling Exploitation Potential for Linux Kernel Bugs

   Lin, Zhenpeng, Chen, Yueqi, Wu, Yuhang, Yu, Chensheng, Mu, Dongliang, Xing, Xinyu, and Li, Kang

   In Proceedings of the 2022 IEEE Symposium on Security and Privacy 2022

   Bib PDF Code

   @inproceedings{grebe,
     author = {Lin, Zhenpeng and Chen, Yueqi and Wu, Yuhang and Yu, Chensheng and Mu, Dongliang and Xing, Xinyu and Li, Kang},
     booktitle = {Proceedings of the 2022 IEEE Symposium on Security and Privacy},
     title = {GREBE: Unveiling Exploitation Potential for Linux Kernel Bugs},
     year = {2022},
   }

2. NDSS

   An In-depth Analysis of Duplicated Linux Kernel Bug Reports

   Mu, Dongliang, Wu, Yuhang, Chen, Yueqi, Lin, Zhenpeng, Yu, Chensheng, Xing, Xinyu, and Wang, Gang

   In Proceedings 2022 Network and Distributed System Security Symposium 2022

   Bib PDF

   @inproceedings{dongliangndss2022,
     title = {An In-depth Analysis of Duplicated Linux Kernel Bug Reports},
     author = {Mu, Dongliang and Wu, Yuhang and Chen, Yueqi and Lin, Zhenpeng and Yu, Chensheng and Xing, Xinyu and Wang, Gang},
     booktitle = {Proceedings 2022 Network and Distributed System Security Symposium},
     year = {2022},
   }

3. CCS

   DirtyCred: Escalating Privilege in Linux Kernel

   Lin, Zhenpeng, Wu, Yuhang, and Xing, Xinyu

   In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security 2022

   Abs PDF

   The kernel vulnerability DirtyPipe was reported to be present in nearly all versions of Linux since 5.8. Using this vulnerability, a bad actor could fulfill privilege escalation without triggering existing kernel protection and exploit mitigation, making this vulnerability particularly disconcerting. However, the success of DirtyPipe exploitation heavily relies on this vulnerability’s capability (i.e., injecting data into the arbitrary file through Linux’s pipes). Such an ability is rarely seen for other kernel vulnerabilities, making the defense relatively easy. As long as Linux users eliminate the vulnerability, the system could be relatively secure.This work proposes a new exploitation method – DirtyCred – pushing other Linux kernel vulnerabilities to the level of DirtyPipe. Technically speaking, given a Linux kernel vulnerability, our exploitation method swaps unprivileged and privileged kernel credentials and thus provides the vulnerability with the DirtyPipe-like exploitability. With this exploitability, a bad actor could obtain the ability to escalate privilege and even escape the container. We evaluated this exploitation approach on 24 real-world kernel vulnerabilities in a fully-protected Linux system. We discovered that DirtyCred could demonstrate exploitability on 16 vulnerabilities, implying DirtyCred’s security severity. Following the exploitability assessment, this work further proposes a new kernel defense mechanism. Unlike existing Linux kernel defenses, our new defense isolates kernel credential objects on non-overlapping memory regions based on their own privilege. Our experiment result shows that the new defense introduces primarily negligible overhead.