## Black Hat USA 2020

AUGUST 5-6, 2020 Briefings

# Exploiting Kernel Races Through Taming Thread Interleaving

Yoochan Lee, Byoungyoung Lee (Seoul National University), Chanwoo Min (Virginia Tech)





### **Race condition is an increasing attack vector**

[Chart: number of fixed bugs that Syzkaller found in 2017, 2018, and 2019]

- Race conditions are gaining strong attention from the security community.
- Razzer (IEEE S&P 2019) found more than **30 race bugs**.
- KCSAN, developed by Google in 2019, found more than **300 race bugs**.



### **Background : Race condition**

- Accessing the same memory location from two processors: the result differs depending on the access order.





## **Background : Two Conditions for Triggering Race**

[Figure: the two conditions under which a race condition occurs]

### **Background : Race Condition Vulnerability**







## **Background : to trigger Race Condition Vulnerability**

[Figure label: "…, then memory corruption occurs."]

Brute forcing: try until success.





### **Background : Exploitability of Race Condition Vulnerability**

[Figure: Is the race condition vulnerability exploitable? Remaining labels: "A very specific", "Availability of".]



### **Classification of Race Condition Vulnerability**

- As mentioned earlier, race conditions consist of **multiple order violations**.
- Order violations can occur on only **one variable** or on **multiple variables**.



### **Multi Variable Race Condition**

- Order violation 1 for **M1**
- Order violation 2 for **M2**
- ...



### **Single-variable Race Condition**

A single-variable race condition consists of more than one race pair related to a **single** variable (most such bugs consist of two order violations).





## **Exploitability of Single-variable Race**

- No matter how low the probability, it is **not zero**.
- The smaller the time window is, the lower the probability that the race condition occurs.





### **Multi-variable Race Condition**

A multi-variable race condition consists of more than one race pair, where each race pair is related to a **different variable**.














### **Exploitability of Inclusive Multi-variable Race**

- The more similar the two time windows are, the lower the probability that the race occurs.





## **Problem : Exploitability of Non-inclusive Race**

- It is physically impossible to execute this type of race condition in the order A >> B and C >> D.

[Figure: thread interleaving across cores; only the label "Core 2" survives]





## **Previous Approach : Using Debugging Feature**

Execution Order : A >> B & C >> D









### **Limitation of Using Debugging Feature**

- Using a debugger: insert a breakpoint





### **Previous Approach : Using Different Core Latency**

Execution Order : A >> B & C >> D









### **Limitations of Using Different Core Latency**

**CPU dependency**

- **Must use a CPU** whose inter-core latencies differ.
- Not applicable to vulnerabilities with large time window differences.





### **Previous Approach : Using scheduler (CONFIG\_PREEMPT)**

Execution Order : A >> B & C >> D








### **Limitation of Using scheduler**

**Configuration dependency**

- Can be used only when the CONFIG\_PREEMPT option is enabled.
- Linux applies the **CONFIG\_PREEMPT\_VOLUNTARY** option by default.





### **Each of these methods has obvious limitations**

- All of the methods are hard to apply in general.
- We need a new method that extends the race window and can be used in general.





### How to extend the race window?

The key idea of ExpRace is to keep raising interrupts to indirectly alter kernel thread interleaving.







### **ExpRace : How to send IPI & IRQ with user privilege**







### **ExpRace : TLB Shootdown**

- Modern OSes implement a TLB shootdown mechanism to ensure that TLB entries are synchronized across cores.
- Syscalls that either modify page permissions (e.g., mprotect()) or unmap pages (e.g., munmap()) use IPIs for TLB shootdown.
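From the monitoring side, an added example (not code from the talk or the ExpRace project): because the technique depends on a sustained stream of TLB-shootdown IPIs aimed at one core, a per-core rate check over the `TLB:` row of `/proc/interrupts` is a cheap signal. The two snapshots are constructed, and the thresholds are assumed starting points, not tuned values.

```python
"""Flag TLB-shootdown IPI storms from two /proc/interrupts snapshots."""
import statistics

# Constructed /proc/interrupts excerpts, taken 1 s apart (not real data).
# In the second snapshot CPU2 has absorbed ~850k extra shootdowns.
SNAP_T0 = """\
           CPU0       CPU1       CPU2       CPU3
  27:        120          0          0          0  IR-PCI-MSI eth0
 RES:       4001       3988       4120       4077   Rescheduling interrupts
 CAL:       9102       9050       8990       9021   Function call interrupts
 TLB:       1500       1470       1490       1480   TLB shootdowns
"""
SNAP_T1 = """\
           CPU0       CPU1       CPU2       CPU3
  27:        130          0          0          0  IR-PCI-MSI eth0
 RES:       4050       4030       4170       4121   Rescheduling interrupts
 CAL:       9150       9100       9040       9070   Function call interrupts
 TLB:       1540       1510     851490       1520   TLB shootdowns
"""


def parse_tlb_counts(snapshot):
    """Return the per-CPU counters from the x86 'TLB:' row."""
    lines = snapshot.splitlines()
    ncpu = len(lines[0].split())          # header row: one token per CPU
    for line in lines[1:]:
        if line.strip().startswith("TLB:"):
            return [int(v) for v in line.split()[1:1 + ncpu]]
    raise ValueError("no TLB row in snapshot")


def shootdown_rates(before, after, interval_s):
    """Per-CPU TLB shootdowns per second between two snapshots."""
    old, new = parse_tlb_counts(before), parse_tlb_counts(after)
    return [(n - o) / interval_s for o, n in zip(old, new)]


def flag_storms(rates, abs_threshold=100_000, rel_factor=50):
    """CPUs whose rate is both high in absolute terms and far above the
    median of all cores (assumed thresholds, tune per workload)."""
    med = statistics.median(rates)
    return [cpu for cpu, r in enumerate(rates)
            if r >= abs_threshold and r >= rel_factor * max(med, 1.0)]


if __name__ == "__main__":
    # On a Linux host replace SNAP_T0/SNAP_T1 with two reads of
    # /proc/interrupts; here the constructed snapshots are used.
    rates = shootdown_rates(SNAP_T0, SNAP_T1, 1.0)
    print("suspicious cores:", flag_storms(rates))   # -> [2]
```

A single hot core with otherwise quiet siblings is the pattern worth correlating with the process pinned there; a system-wide rise usually has a benign explanation such as a memory-heavy workload.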





### **ExpRace : IPI Environment setting**







### **ExpRace : Hardware Interrupt Environment Setting**

1. Check the IRQ's core affinity. (In our environment, the ethernet device (IRQ 122) has affinity to core 11.)
2. Pin the thread to the corresponding core using sched\_setaffinity().

[Figure: **Process C** (Core 0): 1. connect() … device]





### **ExpRace : Two conditions must be satisfied for succeed**







## **ExpRace : How many cycles are extended?**







### **ExpRace : Advanced Technique**

- IPI and IRQ can be used simultaneously.
- The time window is extended by up to 200,000 cycles.





### **ExpRace : Other OSs**

[Table: applicability on other OSs. TLB shootdown: ✓ in both columns. Hardware interrupt: ✓ in one column (via the device parameters interrupt registry), ✗ in the other.]





### **Case Study : CVE-2017-15265**

If A >> B && C >> D, then a Use-After-Free Write occurs.

### Problems to exploit

1. Non-inclusive multi-variable race
2. No time to reallocate



### **ExpRace can solve two problems at once**

If A >> B && C >> D, then a Use-After-Free Write occurs.





### **Brief introduction about memory corruption exploit**

- Spray struct file pointers using SCM\_RIGHTS.
- Partially overwrite the pointer in the reallocated structure for a kernel address leak.
- Use the iovec structure for AAR and AAW.

1. 1<sup>st</sup> Use-After-Free Write: leak a struct file pointer
2. 2<sup>nd</sup> Use-After-Free Write: AAR of the file->f\_cred pointer
3. 3<sup>rd</sup> Use-After-Free Write: AAW to set f\_cred->uid = 0

In total, we trigger the vulnerability **3 times**.





### DEMO










### Conclusion

- Some types of race condition vulnerabilities are impossible to exploit.
- ExpRace can turn an unexploitable race into an exploitable one.
- ExpRace is the only method that can be used in general.

