Linux Security Summit 2021

The monolithic nature of modern OS kernels leads to a constant stream of bugs being discovered. It is often unclear which of these bugs are worth fixing, as only a subset of them may be serious enough to lead to security takeovers (i.e., privilege escalations). Therefore, researchers have recently started to develop automated exploit generation techniques (for UAF bugs) to assist the bug triage process. In this paper, we investigate another top memory vulnerability in Linux kernel—out-of-bounds (OOB) memory write from heap. We design KOOBE to assist the analysis of such vulnerabilities based on two observations: (1) Surprisingly often, different OOB vulnerability instances exhibit a wide range of capabilities. (2) Kernel exploits are multi-interaction in nature which allows the exploit crafting process to be modular. Specifically, we focus on the extraction of capabilities of an OOB vulnerability and the subsequent exploitability evaluation process. In our evaluation, we analyze 17 most recent Linux kernel OOB vulnerabilities, for which KOOBE successfully generated candidate exploit strategies for 11 of them. Further, we are able to construct fully working exploits for all of them.