Increasing Exploitability via Elastic Kernel Objects

Open Access
- Author: Lin, Zhenpeng
- Graduate Program: Informatics
- Degree: Master of Science
- Document Type: Master Thesis
- Date of Defense: October 27, 2021
- Committee Members:
  - Xinyu Xing, Committee Member
  - Linhai Song, Thesis Advisor/Co-Advisor
  - Mary Beth Rosson, Program Head/Chair
  - Ting Wang, Committee Member
- Keywords: kernel, exploitation, static analysis
- Abstract: Recent research endeavors have explored various methods to perform kernel exploitation and bypass kernel protection and exploitation mitigation. However, these efforts primarily focus on anecdotal methods or side-channel approaches. There have not yet been many systematic, hardware-agnostic, and general exploitation methods for exploitation mitigation circumvention. In this work, we analyze a recently released anecdotal exploit which utilizes an elastic kernel object to bypass KASLR. We hypothesize that this approach could become a general exploitation practice, through which many vulnerabilities could bypass widely deployed kernel mitigations (e.g., KASLR and heap cookie protector). To validate our hypothesis, we design a systematic method and implement it as a semi-automated tool, EOE. By using EOE on two popular OSes (Linux and macOS), we could identify many elastic kernel objects, through which many vulnerabilities identified in their kernel code could demonstrate the ability to bypass exploitation mitigations (e.g., KASLR and heap cookie protector). For some vulnerabilities, we also show that EOE could even track down elastic kernel objects to facilitate arbitrary-read kernel exploitation. By analyzing existing kernel defense mechanisms, we argue that the newly induced exploitation method is challenging to defend. Without taking rapid action, it could inevitably become a severe threat to kernel security.