Towards Exploitability Assessment for Linux Kernel Vulnerabilities
Exploitability assessment could facilitate the prioritization of vulnerability remediation. In the past, security researchers and analysts assessed exploitability for vulnerabilities by generating exploits manually. These methods involve a tremendous amount of human effort and require significant expertise. To address this problem, automated exploitation approaches have been introduced. However, as I will demonstrate in this talk, the effectiveness of existing automated exploitation approaches is limited by many assumptions. For example, existing approaches mostly assume that the state space of the program is limited, that no security protection or exploit mitigation is enabled, and that the capability of a vulnerability is already known. In this talk, I will introduce three lines of research that tackle the problem of exploitability assessment without any assumptions. More specifically, I will talk about how we utilize static and dynamic analysis approaches to (1) explore the capability of a vulnerability, (2) pinpoint useful objects for obtaining control over the necessary registers, and (3) identify general exploitation chains that bypass widely deployed kernel mitigations. Along with the introduction of these techniques, I will also demonstrate their practical impact on real-world vulnerabilities.