## Black Hat USA 2020



# Exploiting Kernel Races Through Taming Thread Interleaving

Yoochan Lee, Byoungyoung Lee, Chanwoo Min (Seoul National University, Virginia Tech)





## **Summary**

- Background on races
- Classification of races
- **Unexploitable races**
- New technique turning unexploitable races into exploitable races



### **Race condition is an increasing attack vector**

(Chart: number of fixed bugs that Syzkaller found in 2017, 2018 and 2019.)

- Razzer, IEEE S&P 2019, found more than **30 race bugs**.
- KCSAN, developed by Google in 2019, found more than **300 race bugs**.



### **Background : Race condition**

- **Accessing the same memory** location from two processors
- → Execution results differ depending on the access order.





### **Background : Race Condition Vulnerability**

**Race Condition Vulnerability = Race Condition + Memory Corruption**





### **Background : How to trigger a Race Condition Vulnerability**

(Figure) "…, then memory corruption occurs."

- Brute forcing: try until success.





### **Background : Exploitability of Race Condition Vulnerability**

- Availability of memory corruption



### **Classification of Race Condition Vulnerability**









### **Single-variable Race Condition**







### **Exploitability of Single-variable Race**

- Brute-forcing would eventually trigger the race → if B can be executed within the time window.
- The smaller the time window, the lower the probability of a successful race.





#### **Multi-variable Race Condition**







#### **Multi-variable Race Condition**







### **Exploitability of Inclusive Multi-variable Race**

- Brute-force works, albeit unreliably.
- The more similar the two time windows are, the lower the probability that the race will occur.





## **Problem : Exploitability of Non-inclusive Race**

- Brute-force never works.
- It is impossible to execute with the order (A) >> (B) && (C) >> (D).





## **Problem : Exploitability of Non-inclusive Race**

Non-inclusive race vulnerabilities found in the Linux kernel (Tx, Ty: time windows of the two racing threads):

| Vulnerability  | Tx    | Ty     |
|----------------|-------|--------|
| CVE-2017-15265 | 35    | 450    |
| CVE-2019-1999  | 150   | 1,800  |
| CVE-2019-2025  | 50    | 600    |
| CVE-2019-6974  | 18    | 1,210  |
| #1035566       | 1,153 | 13,121 |
| #987393        | 18    | 2,250  |
| #759959        | 120   | 730    |

(Figure: Core 1 runs Tx. Even if A >> B succeeds, C >> D will **fail**.)

- Brute-force never works.
- It is impossible to execute with the order (A) >> (B) && (C) >> (D).







### **Previous method : Using Different Core Latency**

- e.g., Qualcomm Snapdragon 845: 4x 2.5 GHz, 4x 1.6 GHz







### **Previous method : Using Different Core Latency**

Execution Order : A >> B & C >> D

- e.g., Qualcomm Snapdragon 845: 4x 2.5 GHz, 4x 1.6 GHz







### **Limitations of Using Different Core Latency**

**CPU dependency**

- Must use a CPU whose cores have different latencies.
- Not applicable to vulnerabilities with large time window differences.
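The table of non-inclusive races and the core-latency limitation above can be put into a small interval model. The following is an added example, not code from the ExpRace authors: it treats the two time windows as intervals in which thread Y's window must land entirely inside thread X's window, reports whether brute force can ever succeed, how the brute-force hit rate shrinks as the windows become similar, and by what factor Tx must be stretched. The Tx/Ty pairs, the 2.5 GHz / 1.6 GHz clock ratio and the 200,000-cycle extended window are taken from the slides; the sampling period used for the probability and all function names are assumptions.

```c
#include <stdio.h>
#include <stdint.h>

/* Added example, not from the ExpRace slides: an interval model of a
 * multi-variable race. Thread X has tx cycles between its two accesses
 * (A then C), thread Y has ty cycles between its two accesses (B then D),
 * and the race only fires when Y's whole window lands inside X's window.
 * The slides call the case tx > ty "inclusive" and tx <= ty "non-inclusive". */

typedef struct {
    const char *name;
    uint32_t tx;   /* time window of thread X */
    uint32_t ty;   /* time window of thread Y */
} race_t;

/* The Tx/Ty pairs from the slide's table of non-inclusive kernel races. */
static const race_t races[] = {
    {"CVE-2017-15265",   35,   450},
    {"CVE-2019-1999",   150,  1800},
    {"CVE-2019-2025",    50,   600},
    {"CVE-2019-6974",    18,  1210},
    {"#1035566",       1153, 13121},
    {"#987393",          18,  2250},
    {"#759959",         120,   730},
};
#define N_RACES (sizeof races / sizeof races[0])

/* Assumed parameters, both taken from the slides: the big/little clock ratio
 * of the Snapdragon 845 bounds how far running X on the slow core can
 * stretch tx; ExpRace extends the window to about 200,000 cycles. */
#define SLOW_CORE_RATIO (2.5 / 1.6)
#define EXPRACE_WINDOW  200000u

/* Y's window can fit inside X's window only if X's window is the longer one. */
int is_inclusive(uint32_t tx, uint32_t ty)
{
    return tx > ty;
}

/* Brute-force success probability when Y's start is uniformly random within
 * `period` cycles: Y starting s cycles after A succeeds iff 0 < s and
 * s + ty < tx, a range of length tx - ty. Equal windows give zero. */
double hit_probability(uint32_t tx, uint32_t ty, uint32_t period)
{
    if (tx <= ty || period == 0)
        return 0.0;
    uint32_t usable = tx - ty;
    if (usable > period)
        usable = period;
    return (double)usable / (double)period;
}

/* Smallest integer factor by which tx must grow before the race is inclusive. */
uint32_t required_stretch(uint32_t tx, uint32_t ty)
{
    if (tx == 0)
        return 0;
    return ty / tx + 1;   /* tx * (ty/tx + 1) > ty for any tx >= 1 */
}

/* Moving X to the slow core stretches tx by at most SLOW_CORE_RATIO. */
int slow_core_makes_inclusive(uint32_t tx, uint32_t ty)
{
    return (double)tx * SLOW_CORE_RATIO > (double)ty;
}

/* ExpRace replaces tx with an interrupt-stretched window of EXPRACE_WINDOW cycles. */
int exprace_makes_inclusive(uint32_t ty)
{
    return is_inclusive(EXPRACE_WINDOW, ty);
}

int main(void)
{
    printf("%-16s %6s %6s  %-11s %-9s %-8s %s\n",
           "race", "Tx", "Ty", "brute-force", "slow-core", "stretch", "ExpRace");
    for (size_t i = 0; i < N_RACES; i++) {
        const race_t *r = &races[i];
        printf("%-16s %6u %6u  %-11s %-9s %6ux  %s\n", r->name, r->tx, r->ty,
               is_inclusive(r->tx, r->ty) ? "possible" : "impossible",
               slow_core_makes_inclusive(r->tx, r->ty) ? "ok" : "no",
               required_stretch(r->tx, r->ty),
               exprace_makes_inclusive(r->ty) ? "ok" : "no");
    }
    return 0;
}
```

For every row the slow-core factor of about 1.56x falls short of the 2x to 68x stretch the table demands, which is the "large time window differences" limitation in concrete numbers, while a 200,000-cycle window covers even the 13,121-cycle Ty of #1035566.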





Execution Order : A >> B & C >> D

(Figure residue removed: thread timeline diagrams for the execution order A >> B & C >> D.)



### **Limitation of Using Scheduler**

**Configuration dependency**

- Can only be used when the `CONFIG_PREEMPT` option is enabled.
- Linux uses the **`CONFIG_PREEMPT_VOLUNTARY`** option by default.





### **Each method has obvious limitations**

**Configuration dependency**

- All previous methods are hard to use in general.
- We need **a new method** that extends the time window.





### **How to extend the time window?**

- The key idea of ExpRace is to keep raising interrupts to indirectly alter the kernel thread's interleaving.







### **ExpRace : How to send IPI & IRQ with user priv**







### **ExpRace : TLB Shootdown**

- Modern OSs implement a TLB shootdown mechanism to ensure that TLB entries are synchronized across cores.
- Syscalls that either modify the permission of a page (e.g., mprotect()) or unmap a page (e.g., munmap()) use an IPI for TLB shootdown.
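Seen from the monitoring side, the mechanism above leaves a footprint: x86 Linux exports a per-CPU "TLB shootdowns" counter in /proc/interrupts, and a thread that keeps forcing shootdowns onto one core drives that core's counter up far faster than the rest of the system. The following is an added example, not code from the ExpRace authors or the slides: it parses the TLB row out of two /proc/interrupts snapshots taken a known interval apart and flags CPUs whose shootdown rate exceeds a threshold. The snapshots are constructed, not captured, and the threshold is an assumed value that would need a per-workload baseline (JITs and allocator-heavy programs also call mprotect() and munmap()).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the ExpRace slides: detection-side check of the
 * per-CPU "TLB shootdowns" counter that x86 Linux exposes in
 * /proc/interrupts. Two snapshots a known interval apart give a rate per
 * CPU; one core whose rate is far above its neighbours is worth a look.
 * Both snapshots below are constructed, not captured from a real machine. */

#define MAX_CPUS 64

/* Constructed 4-CPU snapshots; only the "TLB:" row matters to the parser. */
static const char *SNAPSHOT_T0 =
    "            CPU0       CPU1       CPU2       CPU3\n"
    "   1:          9          0          0          0   IO-APIC   1-edge      i8042\n"
    " NMI:          0          0          0          0   Non-maskable interrupts\n"
    " TLB:       3102       2987       3044       3011   TLB shootdowns\n";

static const char *SNAPSHOT_T1 =   /* constructed as if taken 1 s later */
    "            CPU0       CPU1       CPU2       CPU3\n"
    "   1:          9          0          0          0   IO-APIC   1-edge      i8042\n"
    " NMI:          0          0          0          0   Non-maskable interrupts\n"
    " TLB:       3150       3020     189044       3060   TLB shootdowns\n";

/* Find the "TLB:" row and read one count per CPU. Returns the number of
 * CPUs parsed, or -1 when the row is absent (e.g. non-x86 kernels). */
int parse_tlb_counts(const char *snapshot, unsigned long *counts, int max_cpus)
{
    const char *p = strstr(snapshot, "TLB:");
    if (p == NULL)
        return -1;
    p += 4;
    int n = 0;
    while (n < max_cpus) {
        char *end;
        unsigned long v = strtoul(p, &end, 10);
        if (end == p)          /* no digits: reached the "TLB shootdowns" label */
            break;
        counts[n++] = v;
        p = end;
    }
    return n;
}

/* Compare two snapshots `interval_s` seconds apart; return how many CPUs
 * exceeded `threshold_per_s` shootdowns per second and store their indices
 * in `flagged`. Returns -1 on a parse error or CPU-count mismatch. */
int flag_tlb_spikes(const char *before, const char *after, double interval_s,
                    double threshold_per_s, int *flagged, int max_flagged)
{
    unsigned long a[MAX_CPUS], b[MAX_CPUS];
    int na = parse_tlb_counts(before, a, MAX_CPUS);
    int nb = parse_tlb_counts(after, b, MAX_CPUS);
    if (na <= 0 || na != nb || interval_s <= 0.0)
        return -1;
    int nf = 0;
    for (int i = 0; i < na && nf < max_flagged; i++) {
        if (b[i] < a[i])       /* counter wrapped or reset: skip, don't misreport */
            continue;
        double rate = (double)(b[i] - a[i]) / interval_s;
        if (rate > threshold_per_s)
            flagged[nf++] = i;
    }
    return nf;
}

int main(void)
{
    int flagged[MAX_CPUS];
    /* 10,000 shootdowns/s is an assumed example threshold, not a measured baseline. */
    int n = flag_tlb_spikes(SNAPSHOT_T0, SNAPSHOT_T1, 1.0, 10000.0, flagged, MAX_CPUS);
    for (int i = 0; i < n; i++)
        printf("CPU%d: TLB shootdown rate above threshold\n", flagged[i]);
    return n < 0;
}
```

On the constructed input only CPU2 is flagged (about 186,000 shootdowns in one second against a few dozen on the other cores); on a real host the same two reads of /proc/interrupts replace the embedded strings.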





## **ExpRace : IPI Environment setting**







### **ExpRace : Hardware Interrupt Environment Setting**

1. Check the IRQ's core affinity. (In our environment, the Ethernet device (IRQ 122) has affinity to core 11.)
2. Pin the thread to the **corresponding core** using sched_setaffinity().

(Figure: Process C on Core 0 — 1. connect())





### **ExpRace : How many cycles are extended?**







### **ExpRace : Advanced Technique**

- IPI and IRQ can be used simultaneously.
- The time window is extended up to 200,000 cycles.





### **Case Study : CVE-2017-15265**





#### Problems to exploit

1. Non-inclusive Multi-variable Race

#### **ExpRace can solve two problems at once**

(Figure) "…, then a Use-After-Free Write occurs."





### **Brief introduction about memory corruption exploit**

- Spray struct file pointers using SCM_RIGHTS.
- Partially overwrite the pointer in the reallocated structure for a kernel address leak.
- Use the iovec structure for arbitrary memory write and read.

1. 1st Use-After-Free Write → Leak: struct file pointer
2. 2nd Use-After-Free Write → AAR: file->f_cred pointer
3. 3rd Use-After-Free Write → AAW: f_cred->uid = 0

We trigger the vulnerability 3 times in total.





#### DEMO





### Conclusion

- Introduced **unexploitable** race types.
- ExpRace can turn **unexploitable** races into **exploitable** races.

