FUZE: Towards facilitating exploit generation for kernel use-after-free vulnerabilities

Wei Wu, Yueqi Chen, Jun Xu, Xinyu Xing, Xiaorui Gong, Wei Zou

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

8 Citations (Scopus)

Abstract

Software vendors usually prioritize their bug remediation based on the ease of exploitation. However, accurately determining exploitability typically takes many hours and requires significant manual effort. To address this issue, automated exploit generation techniques can be adopted. In practice, however, they exhibit an insufficient ability to evaluate exploitability, particularly for kernel Use-After-Free (UAF) vulnerabilities. This is mainly because of the complexity of UAF exploitation as well as the scale of an OS kernel. In this paper, we therefore propose FUZE, a new framework to facilitate the process of kernel UAF exploitation. The design principle behind this technique is that we expect the ease of crafting an exploit could augment a security analyst with the ability to evaluate the exploitability of a kernel UAF vulnerability. Technically, FUZE utilizes kernel fuzzing along with symbolic execution to identify, analyze and evaluate the system calls valuable and useful for kernel UAF exploitation. In addition, it leverages dynamic tracing and an off-the-shelf constraint solver to guide the manipulation of the vulnerable object. To demonstrate the utility of FUZE, we implement FUZE on a 64-bit Linux system by extending a binary analysis framework and a kernel fuzzer. Using 15 real-world kernel UAF vulnerabilities on Linux systems, we then demonstrate that FUZE could not only escalate kernel UAF exploitability but also diversify working exploits. In addition, we show that FUZE could facilitate security mitigation bypassing, making exploitability evaluation less challenging and more efficient.

Original language: English (US)
Title of host publication: Proceedings of the 27th USENIX Security Symposium
Publisher: USENIX Association
Pages: 781-797
Number of pages: 17
ISBN (Electronic): 9781939133045
State: Published - Jan 1 2018
Event: 27th USENIX Security Symposium - Baltimore, United States
Duration: Aug 15 2018 to Aug 17 2018

Publication series

Name: Proceedings of the 27th USENIX Security Symposium

Conference

Conference: 27th USENIX Security Symposium
Country: United States
City: Baltimore
Period: 8/15/18 to 8/17/18

Fingerprint

Remediation
Scalability
Linux

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

Cite this

Wu, W., Chen, Y., Xu, J., Xing, X., Gong, X., & Zou, W. (2018). FUZE: Towards facilitating exploit generation for kernel use-after-free vulnerabilities. In Proceedings of the 27th USENIX Security Symposium (pp. 781-797). (Proceedings of the 27th USENIX Security Symposium). USENIX Association.
Wu, Wei; Chen, Yueqi; Xu, Jun; Xing, Xinyu; Gong, Xiaorui; Zou, Wei. / FUZE: Towards facilitating exploit generation for kernel use-after-free vulnerabilities. Proceedings of the 27th USENIX Security Symposium. USENIX Association, 2018. pp. 781-797 (Proceedings of the 27th USENIX Security Symposium).
@inproceedings{6666df9534d045438786b0136ec089fb,
title = "FUZE: Towards facilitating exploit generation for kernel use-after-free vulnerabilities",
author = "Wei Wu and Yueqi Chen and Jun Xu and Xinyu Xing and Xiaorui Gong and Wei Zou",
year = "2018",
month = "1",
day = "1",
language = "English (US)",
series = "Proceedings of the 27th USENIX Security Symposium",
publisher = "USENIX Association",
pages = "781--797",
booktitle = "Proceedings of the 27th USENIX Security Symposium",

}

Wu, W, Chen, Y, Xu, J, Xing, X, Gong, X & Zou, W 2018, FUZE: Towards facilitating exploit generation for kernel use-after-free vulnerabilities. in Proceedings of the 27th USENIX Security Symposium. Proceedings of the 27th USENIX Security Symposium, USENIX Association, pp. 781-797, 27th USENIX Security Symposium, Baltimore, United States, 8/15/18.

FUZE: Towards facilitating exploit generation for kernel use-after-free vulnerabilities. / Wu, Wei; Chen, Yueqi; Xu, Jun; Xing, Xinyu; Gong, Xiaorui; Zou, Wei.

Proceedings of the 27th USENIX Security Symposium. USENIX Association, 2018. p. 781-797 (Proceedings of the 27th USENIX Security Symposium).

TY - GEN

T1 - FUZE

T2 - Towards facilitating exploit generation for kernel use-after-free vulnerabilities

AU - Wu, Wei

AU - Chen, Yueqi

AU - Xu, Jun

AU - Xing, Xinyu

AU - Gong, Xiaorui

AU - Zou, Wei

PY - 2018/1/1

Y1 - 2018/1/1

UR - http://www.scopus.com/inward/record.url?scp=85056905966&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85056905966&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:85056905966

T3 - Proceedings of the 27th USENIX Security Symposium

SP - 781

EP - 797

BT - Proceedings of the 27th USENIX Security Symposium

PB - USENIX Association

ER -

Wu W, Chen Y, Xu J, Xing X, Gong X, Zou W. FUZE: Towards facilitating exploit generation for kernel use-after-free vulnerabilities. In Proceedings of the 27th USENIX Security Symposium. USENIX Association. 2018. p. 781-797. (Proceedings of the 27th USENIX Security Symposium).