Hunting kernel exploits with filesystem fuzzer, presented at CODE BLUE 2020

by Donghee Kim, Seungpyo Hong, Wonyoung Jung, Heoungjin Jo

Summary: We found 16 unique vulnerabilities in three filesystems using JANUS, a filesystem fuzzer developed by the Georgia Tech Systems Software & Security Lab (SSLab). By exploiting filesystem vulnerabilities we succeeded in building an arbitrary read/write (R/W) primitive and in hijacking kernel control flow. All vulnerabilities we found have been reported, and some are still being patched. In this presentation we will dive into all the technical content required for this process.

Worldwide, the number of devices per person is increasing. The statistic we found projects 6.58 devices per person, about 50 billion devices in total, in 2020. These devices are controlled by an OS, and each OS supports various filesystems. A single filesystem vulnerability can therefore be fatal for every OS that supports that filesystem, threatening devices around the world. This led us to research how many OSs can be threatened with a single filesystem vulnerability.

Filesystems are a difficult target because they are large: a filesystem has at least 50,000 lines of code, and looking for vulnerabilities requires a deep understanding of the codebase, down to individual lines. In this presentation we explain the structure and features of a filesystem and discuss some of the limits of using a filesystem as an attack surface.

We will explain how to get a crash in a filesystem. First, we briefly introduce the Janus fuzzer we used and explain the process of porting Janus to the latest kernel version.

As complex as a filesystem is, there is a big gap between finding a crash and turning that crash into arbitrary code execution, which requires various kernel exploitation techniques. We describe the Linux kernel exploitation techniques required for this step: we built an R/W primitive by exploiting an existing 1-day vulnerability, and hijacked kernel control flow using a 0-day vulnerability we found. We will walk through both processes.

To manage all of this, we created a new crash triage program and a filesystem fuzzing monitor program, which we will also introduce in this presentation.

Filesystems are developed separately from the OS, and the main branch has a slow update cycle. We verified that filesystems on various devices running the latest OS can still be attacked with 1-day vulnerabilities. We experimented with various operating systems for this purpose and will present the results of these experiments in this presentation.
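The crash triage step mentioned above is where a fuzzing campaign's raw output turns into a list of distinct bugs. As an added example (not the authors' triage program, whose internals this abstract does not describe), the script below deduplicates kernel crash reports by crash kind and faulting function, so that two fuzzer inputs that reach the same use-after-free through different syscalls are counted once, while a crash with a different kind or a different faulting function opens a new bucket. The sample reports, the `myfs_*` symbol names and the list of KASAN reporting frames to skip are constructed for this example.

```python
"""Bucket kernel crash reports by (crash kind, faulting function)."""
import re
from collections import OrderedDict

# Constructed sample input: three reports as a fuzzing monitor might capture
# them from the guest's serial console. Reports 0 and 1 are the same bug
# (same KASAN kind, same faulting function) reached via unlink() and rmdir();
# report 2 is a different bug. The myfs_* symbols are hypothetical.
SAMPLE_REPORTS = [
"""BUG: KASAN: use-after-free in myfs_free_inode+0x1a2/0x3c0
Read of size 8 at addr ffff888012345678 by task janus/1234
Call Trace:
 dump_stack+0x7a/0xa0
 print_address_description+0x3e/0x60
 kasan_report+0x12a/0x180
 myfs_free_inode+0x1a2/0x3c0
 myfs_evict_inode+0x5d0/0x9e0
 evict+0xd1/0x210
 do_unlinkat+0x2f5/0x3a0
 __x64_sys_unlink+0x3e/0x50
""",
"""BUG: KASAN: use-after-free in myfs_free_inode+0x1a2/0x3c0
Read of size 8 at addr ffff888019876540 by task janus/1301
Call Trace:
 dump_stack+0x7a/0xa0
 print_address_description+0x3e/0x60
 kasan_report+0x12a/0x180
 myfs_free_inode+0x1a2/0x3c0
 myfs_evict_inode+0x5d0/0x9e0
 evict+0xd1/0x210
 do_rmdir+0x1c0/0x2a0
 __x64_sys_rmdir+0x17/0x20
""",
"""BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
RIP: 0010:myfs_lookup+0x1f/0x300
Call Trace:
 __lookup_slow+0x9c/0x170
 walk_component+0x1b8/0x2d0
 path_lookupat+0x8f/0x1f0
 filename_lookup+0xb5/0x1a0
 do_faccessat+0xb8/0x2a0
""",
]

# First "BUG:" line: the kind is the text up to " in " (KASAN) or " at " (oops).
BUG_RE = re.compile(r"^BUG: (?P<kind>.+?)(?: in | at |$)", re.M)
# On an oops the faulting function is on the RIP line.
RIP_RE = re.compile(r"^RIP: [0-9a-f]+:(?P<func>[\w.]+)\+0x", re.M)
# Call-trace frames; "? func" (unreliable) frames do not match this pattern.
FRAME_RE = re.compile(r"^[ \t]+(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+", re.M)
# Frames that belong to the sanitizer/report machinery, not to the bug
# (assumed list; extend it for the kernel configuration being fuzzed).
REPORT_FRAME_PREFIXES = ("dump_stack", "print_address_description",
                         "print_report", "kasan_", "__kasan", "__asan",
                         "show_stack")


def crash_signature(report):
    """Return (crash kind, faulting function) for one crash report."""
    m = BUG_RE.search(report)
    kind = m["kind"] if m else "unknown"
    m = RIP_RE.search(report)
    if m:
        return kind, m["func"]
    # KASAN reports carry no RIP line; take the first frame below the
    # reporting machinery, which is the access that tripped the sanitizer.
    for m in FRAME_RE.finditer(report):
        if not m["func"].startswith(REPORT_FRAME_PREFIXES):
            return kind, m["func"]
    return kind, "unknown"


def triage(reports):
    """Group report indices by signature, preserving first-seen order."""
    buckets = OrderedDict()
    for idx, report in enumerate(reports):
        buckets.setdefault(crash_signature(report), []).append(idx)
    return buckets


def new_signatures(reports, known):
    """Signatures not yet in `known` (e.g. the set of bugs already reported)."""
    return [sig for sig in triage(reports) if sig not in known]


if __name__ == "__main__":
    for sig, idxs in triage(SAMPLE_REPORTS).items():
        print(f"{sig[0]} in {sig[1]}: {len(idxs)} report(s) {idxs}")
```

Bucketing on the faulting function rather than on the full call trace is what keeps the count honest: the same use-after-free reached from `unlink()` and `rmdir()` is one bug, not two. Conversely, two different crash kinds in the same function stay separate, since a NULL dereference and a use-after-free in one function are rarely the same root cause.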