Linux Security Summit 2021

It is well-known that the lack of understanding of security impact can lead to delayed bug fixes as well as patch propagation. Even worse, for the syzbot platform that continuously fuzzes Linux kernels, all bug reports and their reproducers are made public on a dashboard as soon as they are generated. This can become a goldmine for adversaries if they can infer the bugs' security impacts before defenders do. Therefore, we propose the following questions: 1.Are those seemingly low-risk bugs actually low-risk? 2.Do bug reports reveal the real impact of bugs? 3.Can we convert a seemingly low-risk bug to a high-risk bug automatically? We develop SyzScope, a system that can automatically uncover new "high-risk" impacts given a bug with only "low-risk" impacts. From analyzing over a thousand low-risk bugs on syzbot, SyzScope successfully determined that 133 low-risk bugs in fact contain high-risk impacts, e.g., control flow hijack and arbitrary memory write, many of which still do not have patches available yet.