xorl %eax, %eax

Linux kernel 0days without code auditing


The recent grsecurity post “The Life of a Bad Security Fix” was the inspiration for this blog post. What it describes is more or less common sense within the community, but it is rarely stated explicitly outside of it.

I remember the first time I discovered a 0day privilege escalation in the Linux kernel many years ago. My process back then was fairly trivial and partially driven by my fear of this monster codebase called the upstream kernel. Here is what I did back then.

  1. Find a relatively simple kernel module that comes with the upstream kernel
  2. Dissect and learn every bit and piece of it
  3. Go through each function that involved user data and look for mistakes
  4. Test my hypothesis
  5. If valid, keep it aside to start working on an exploit for it

Later on, I found that you only need to focus on the interesting code paths: the ones involving specific functions, logic, or interaction with user-provided or user-derived data. But all of that still involves some sort of code auditing, right? Can we do it without it?

I have many such examples in my blog here, going all the way back to 2006. Just like in grsecurity’s blog post, you can simply read the ChangeLog or kernel commits. Magic 0days are hidden in there. ;)

ChangeLogs and commits are great, and they only require you to validate whether a given fix addresses a security vulnerability or a plain bug. The hard part, the code auditing and debugging, has already been done, and in some cases the reporters even include PoC code to reproduce the issue, which gives you a starting point for your exploit development.

Another approach is going through the discoveries of the syzkaller kernel fuzzer. Again, you usually have the trigger code and a fairly complete debugging output. This means you already know there is something interesting going on there; you just have to trace it down and find a way to exploit it.

Lastly, you can keep an eye on malware sandboxes for Linux samples that might carry 0days used in the wild. It is extremely rare for those samples to include Linux kernel 0days, but it is also a very low-effort task to set up some automated monitoring for them, such as a couple of YARA rules on the VirusTotal API.

I hate to say it, but it’s true: nowadays you can build a decent stash of 0days for the Linux kernel with far less, in some cases zero, manual code auditing. I still enjoy going through the Linux kernel, but if this is your job, then you might as well take advantage of work that has already been done by others.

Written by xorl

January 28, 2020 at 11:39

Posted in linux
