Sitemap

A list of all the posts and pages found on the site. For you robots out there is an XML version available for digesting as well.

Pages

Posts

portfolio

publications

talks

Stop! Sandboxing Exploitable Functions and Modules Using In-Kernel Machine Learning

Published:

In this presentation, we will describe and demo a new technique for detecting and stopping the 0-day exploitation in the Linux kernel. This technique enables the dynamic sandboxing of exploitable functions and modules and thus can be deployed in scenarios where critical service interruption and system reboots are unacceptable. Moreover, it incurs minimal performance overhead and memory footprint. Technically, this on-the-fly sandboxing is achieved through two key innovations: (1) an eBPF-based runtime checking mechanism that ensures code integrity, data integrity, and argument authentication of the rest of the kernel, and (2) embedding machine learning models into the kernel that detects malicious exploitation behaviors originating from the sandboxed functions and modules. In this presentation, we will demo this technique using CVE-2022-0995 as a case study and will share detailed results from our measurements. In a bigger picture, this new technique is envisioned to be applied when (1) loading device drivers from untrusted vendors, (2) detecting in-the-wild exploits of 0-day and n-day vulnerabilities, and (3) preventatively sandboxing kernel code that is of low-quality and has been frequently reported vulnerable over a certain period.

Remote, One-Click, Breaking through Smartphones via a Non Well-Known Remote Attack Surface

Published:

Instant messaging application (such as iMessage and WhatsApp) is an important remote attack surface for smartphones, often used by spyware as the first step in APT attacks, and has received great attention in the past. Carrier Based video calling, as a native video calling feature of mobile phones, is also a major remote attack surface for smartphones. We have discovered fatal 0-day vulnerabilities in some native Carrier Based video calling of mobile phones, which have been present for at least 7 years. As long as the target accepts our video call invitation, we can exploit these vulnerabilities to remotely obtain code execution permissions for the target phone’s system. In this session, we will introduce this remote attack surface we have discovered and provide a few examples to illustrate the potential issues and impacts that may arise within this attack surface.

Compartmentalizing Vulnerable Kernel Components Without Stopping the Machine

Published:

Device drivers are relatively low-quality yet take 70% of the kernel codebase. Thus, attackers can exploit vulnerabilities in them. While compartmentalizing vulnerable drivers can enhance security, existing methods are limited, preventing them from being widely deployed: rebooting the system is necessary which inevitably interrupts services. Syzkaller’s data indicates that avg. 7.62 unique kernel panics are reported per day. It means the machine would need multiple reboots in one day to enforce compartmentalization, which is unacceptable. In this talk, we will explore the potential of on-the-fly enforcement, the main challenge of which lies in handling transition hazards - pre-existing objects are untracked and can be misused. We will demo this attack by exploiting CVE-2022-0995, followed by O2C which aims to mitigate transition hazards. O2C has two key technical innovations: 1. software-based compartmentalization using eBPF. 2. embedding an ML model into the kernel, which lacks floating point support. O2C shows negligible overhead and excellent scalability. Detailed measurement results will be presented in the talk and the code is available at https://github.com/a8stract-lab/o2c.

teaching