Ph.D. Dissertation Defense: Erin Avllazaga

Friday, August 9, 2024
11:00 a.m.-1:00 p.m.
Room IRB-5165 (Brendan Iribe Building)
Maria Hoo
301 405 3681
mch@umd.edu

ANNOUNCEMENT: Ph.D. Dissertation Defense

Name: Erin Avllazaga

Committee:

Tudor Dumitras (Chair)

Yonghwi Kwon (Co-chair)

Nirupam Roy

Dana Dachman-Soled

David Van Horn (Dean's representative)

Date/time: Friday, August 9, 2024 at 11AM - 1PM

Location: Room IRB-5165 (Brendan Iribe Building)

Title: Towards understanding and preventing attackers in the end hosts

Abstract:

Many steps in Linux kernel exploitation remain largely an art. When exploit authors obtain the capability to overwrite certain kernel memory locations, they resort to corrupting targets documented in prior write-ups. Over time, through manual labor, a corpus of exploitation techniques has been devised that allows attackers to go from a limited memory corruption to kernel-context arbitrary code execution. Many of these techniques are known only because prior exploit authors revealed them. Worse, some of them may not work across different kernel versions.

However, several other high-value corruption targets exist that have not been found manually, or for which no write-up using them in an exploitation technique has been disclosed yet. In this thesis, I explore the sensitive memory corruption targets in the Linux kernel. Specifically, I propose a methodology to systematically discover sensitive fields in the Linux kernel that, when corrupted, lead the system into an exploitable state. This system, called SCAVY, is based on a novel definition of the exploitable state, one that allows the attacker to read and write files and memory locations that they would normally not be able to access. SCAVY explores the exploitable states under the threat model of a local unprivileged attacker who can issue system calls and has the capability to read/write a limited location in kernel memory. The framework revealed that there are 17 sensitive fields across 12 Linux kernel C structs that, when overwritten with the correct value, lead the system into an exploitable state.

Our findings show that new memory corruption targets can change the security implications of vulnerabilities, urging researchers to proactively discover memory corruption targets. SCAVY presents a novel methodology for tracking kernel objects at runtime without the false positives of static analysis. It uses a combination of static and dynamic analysis, through existing kernel debugging tools, to track the kernel objects and their relationships. This allows SCAVY to discover the data type of 88.4% of all allocated C structs in the slab allocator.

Audience: Graduate, Faculty
