ExpRace: Exploiting Kernel Races through Raising Interrupts

A kernel data race is notoriously challenging to detect, reproduce, and diagnose, mainly caused by nondeterministic thread interleaving. The kernel data race has a critical security implication since it often leads to memory corruption, which can be abused to launch privilege escalation attacks. Interestingly, due to the challenges above, the exploitation of the kernel data race is also challenging. Specifically, we find that some kernel races are nearly impossible to exploit due to their unique requirement on execution orders, which are almost impossible to happen without manual intervention. This paper develops a generic exploitation technique for kernel data races. To this end, we first analyze kernel data races, which finds an intrinsic condition classifying easy-to-exploit and hard-to-exploit races. Then we develop EXPRACE, a generic race exploitation technique for modern kernels, including Linux, Microsoft Windows, and MAC OS X. EXPRACE turns hard-to-exploit races into easy-toexploit races by manipulating an interrupt mechanism during the exploitation. According to our evaluation with 10 realworld hard-to-exploit races, EXPRACE was able to exploit all of those within 10 to 118 seconds, while an exploitation without EXPRACE failed for all given 24 hours.

[1]  Billy Bob Brumley,et al.  Amplifying side channels through performance degradation , 2016, ACSAC.

[2]  Zhenkai Liang,et al.  Data-Oriented Programming: On the Expressiveness of Non-control Data Attacks , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[3]  Junfeng Yang,et al.  Parrot: a practical runtime for deterministic, stable, and reliable threads , 2013, SOSP.

[4]  Nadav Amit,et al.  Optimizing the TLB Shootdown Algorithm with Page Access Tracking , 2017, USENIX Annual Technical Conference.

[5]  Sen Hu,et al.  Efficient system-enforced deterministic parallelism , 2010, OSDI.

[6]  Rodrigo Rodrigues,et al.  SKI: Exposing Kernel Concurrency Bugs through Systematic Schedule Exploration , 2014, OSDI.

[7]  Wenguang Chen,et al.  DRDDR: a lightweight method to detect data races in Linux kernel , 2016, The Journal of Supercomputing.

[8]  Nicholas Nethercote,et al.  Valgrind: a framework for heavyweight dynamic binary instrumentation , 2007, PLDI '07.

[9]  Emery D. Berger,et al.  Dthreads: efficient deterministic multithreading , 2011, SOSP.

[10]  Charlie Miller,et al.  Engineering Heap Overflow Exploits with JavaScript , 2008, WOOT.

[11]  Junfeng Yang,et al.  Efficient deterministic multithreading through schedule relaxation , 2011, SOSP.

[12]  Zvonimir Rakamaric,et al.  Fast and Precise Symbolic Analysis of Concurrency Bugs in Device Drivers (T) , 2015, 2015 30th IEEE/ACM International Conference on Automated Software Engineering (ASE).

[13]  Chao Zhang,et al.  Revery: From Proof-of-Concept to Exploitable , 2018, CCS.

[14]  Pengfei Wang,et al.  How Double-Fetch Situations turn into Double-Fetch Vulnerabilities: A Study of Double Fetches in the Linux Kernel , 2017, USENIX Security Symposium.

[15]  Varmo Vene,et al.  Static race detection for device drivers: The Goblint approach , 2016, 2016 31st IEEE/ACM International Conference on Automated Software Engineering (ASE).

[16]  Emery D. Berger,et al.  Grace: safe multithreaded programming for C/C++ , 2009, OOPSLA '09.

[17]  Xiaochen Zou,et al.  KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities , 2020, USENIX Security Symposium.

[18]  Jian Liu,et al.  A deployable sampling strategy for data race detection , 2016, SIGSOFT FSE.

[19]  Marcus Peinado,et al.  High-Resolution Side Channels for Untrusted Operating Systems , 2017, USENIX Annual Technical Conference.

[20]  David Brumley,et al.  Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[21]  Taesoo Kim,et al.  Breaking Kernel Address Space Layout Randomization with Intel TSX , 2016, CCS.

[22]  Tong Zhang,et al.  TxRace: Efficient Data Race Detection Using Commodity Hardware Transactional Memory , 2016, ASPLOS.

[23]  Marco Ramilli,et al.  Return-Oriented Programming , 2012, IEEE Security & Privacy.

[24]  Chenxiong Qian,et al.  Precise and Scalable Detection of Double-Fetch Bugs in OS Kernels , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[25]  Hao Xu,et al.  Exploitations of Uninitialized Uses on macOS Sierra , 2017, WOOT.

[26]  Pengfei Wang,et al.  DFTinker: Detecting and Fixing Double-Fetch Bugs in an Automated Way , 2018, WASA.

[27]  Sebastian Burckhardt,et al.  Effective Data-Race Detection for the Kernel , 2010, OSDI.

[28]  Ben Niu,et al.  Lazy Diagnosis of In-Production Concurrency Bugs , 2017, SOSP.

[29]  Michael D. Bond,et al.  PACER: proportional detection of data races , 2010, PLDI '10.

[30]  Shi-Min Hu,et al.  Effective Static Analysis of Concurrency Use-After-Free Bugs in Linux Device Drivers , 2019, USENIX Annual Technical Conference.

[31]  Stefan Mangard,et al.  Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches , 2015, USENIX Security Symposium.

[32]  David Gay,et al.  SharC: checking data sharing strategies for multithreaded c , 2008, PLDI '08.

[33]  Insik Shin,et al.  Razzer: Finding Kernel Race Bugs through Fuzzing , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[34]  Rohan Padhye,et al.  Efficient scalable thread-safety-violation detection: finding thousands of concurrency bugs during testing , 2019, SOSP.

[35]  Dawson R. Engler,et al.  RacerX: effective, static detection of race conditions and deadlocks , 2003, SOSP '03.

[36]  Satish Narayanasamy,et al.  LiteRace: effective sampling for lightweight data-race detection , 2009, PLDI '09.

[37]  Louis G. Gerbarg Advanced Synchronization in Mac OS X: Extending UNIX to SMP and Real-Time , 2002, BSDCon.

[38]  Wei Wu,et al.  FUZE: Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities , 2018, USENIX Security Symposium.

[39]  Tong Zhang,et al.  ProRace: Practical Data Race Detection for Production Use , 2017, ASPLOS.

[40]  Sorin Lerner,et al.  RELAY: static race detection on millions of lines of code , 2007, ESEC-FSE '07.

[41]  Wei Zhang,et al.  Automated Concurrency-Bug Fixing , 2012, OSDI.

[42]  Satish Narayanasamy,et al.  Detecting and surviving data races using complementary schedules , 2011, SOSP.

[43]  Frank Piessens,et al.  Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic , 2018, CCS.

[44]  Yuanyuan Zhou,et al.  Learning from mistakes: a comprehensive study on real world concurrency bug characteristics , 2008, ASPLOS.

[45]  David Brumley,et al.  Unleashing Mayhem on Binary Code , 2012, 2012 IEEE Symposium on Security and Privacy.

[46]  Frank Piessens,et al.  SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control , 2017, SysTEX@SOSP.

[47]  David Brumley,et al.  AEG: Automatic Exploit Generation , 2011, NDSS.

[48]  Gorka Irazoqui Apecechea,et al.  CacheZoom: How SGX Amplifies The Power of Cache Attacks , 2017, CHES.

[49]  Thomas Schuster,et al.  Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features , 2017, AsiaCCS.

[50]  Konstantin Serebryany,et al.  ThreadSanitizer: data race detection in practice , 2009, WBIA '09.