Kepler: Facilitating control-flow hijacking primitive evaluation for Linux kernel vulnerabilities

Wei Wu, Yueqi Chen, Xinyu Xing, Wei Zou

Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

Abstract

Automatic exploit generation is a challenging problem. A challenging part of the task is to connect an identified exploitable state (exploit primitive) to triggering execution of a code-reuse (e.g., ROP) payload. A control-flow hijacking primitive is one of the most common capabilities for exploitation. However, due to the challenges of widely deployed exploit mitigations, pitfalls along an exploit path, and ill-suited primitives, it is difficult to craft an exploit with a control-flow hijacking primitive for an off-the-shelf modern Linux kernel, even manually. We propose KEPLER to facilitate exploit generation by automatically generating a “single-shot” exploitation chain. KEPLER accepts as input a control-flow hijacking primitive and bootstraps any kernel ROP payload by symbolically stitching an exploitation chain that takes advantage of prevalent kernel coding style and the corresponding gadgets. Comparisons with previous automatic exploit generation techniques and previous kernel exploit techniques show that KEPLER effectively facilitates evaluation of control-flow hijacking primitives in the Linux kernel.

Original language: English (US)
Title of host publication: Proceedings of the 28th USENIX Security Symposium
Publisher: USENIX Association
Pages: 1187-1204
Number of pages: 18
ISBN (Electronic): 9781939133069
State: Published - Jan 1 2019
Event: 28th USENIX Security Symposium - Santa Clara, United States
Duration: Aug 14 2019 - Aug 16 2019

Publication series

Name: Proceedings of the 28th USENIX Security Symposium

Conference

Conference: 28th USENIX Security Symposium
Country: United States
City: Santa Clara
Period: 8/14/19 - 8/16/19

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

Cite this

Wu, W., Chen, Y., Xing, X., & Zou, W. (2019). Kepler: Facilitating control-flow hijacking primitive evaluation for Linux kernel vulnerabilities. In Proceedings of the 28th USENIX Security Symposium (pp. 1187-1204). USENIX Association.