TY - JOUR
T1 - Towards Unveiling Exploitation Potential with Multiple Error Behaviors for Kernel Bugs
AU - Liu, Ziqin
AU - Lin, Zhenpeng
AU - Chen, Yueqi
AU - Wu, Yuhang
AU - Zou, Yalong
AU - Mu, Dongliang
AU - Xing, Xinyu
N1 - Publisher Copyright:
© 2004-2012 IEEE.
PY - 2024/1/1
Y1 - 2024/1/1
N2 - Nowadays, fuzz testing has significantly expedited vulnerability discovery in the Linux kernel. Security analysts use the manifested error behaviors to infer the exploitability of a bug and thus prioritize patch development. However, by relying on only the single error behavior given in a report, security analysts might underestimate the exploitability of a kernel bug, because the same bug can manifest various error behaviors that indicate different exploitation potentials. In this work, we conduct an empirical study on the multiple error behaviors of kernel bugs to understand 1) the prevalence of multiple error behaviors and their possible impact on exploitation potential; and 2) the factors that cause a bug to manifest multiple error behaviors with different exploitation potential. We collected all the fixed kernel bugs reported on Syzbot from September 2017 to January 2022, comprising 3,352 bug reports. We observed that multiple error behaviors manifested by kernel bugs are prevalent in the real world, and that additional error behaviors help unveil the exploitability of kernel bugs. We then organized Linux kernel experts to analyze a sample of the kernel bug dataset (484 bug reports covering 162 unique bugs) and identified 6 key contributing factors to multiple error behaviors. Finally, based on these empirical findings, we propose an object-driven fuzzing technique to explore all possible error behaviors that a kernel bug might bring about. To evaluate the utility of the proposed technique, we implement our fuzzing tool GREBE and apply it to 60 real-world Linux kernel bugs. On average, GREBE manifests 2+ additional error behaviors for each kernel bug. For 26 kernel bugs, GREBE discovers higher exploitation potential. We reported to kernel vendors some of the bugs whose exploitability had been wrongly assessed and whose corresponding patch had not yet been carefully applied, resulting in their rapid patch adoption.
AB - Nowadays, fuzz testing has significantly expedited vulnerability discovery in the Linux kernel. Security analysts use the manifested error behaviors to infer the exploitability of a bug and thus prioritize patch development. However, by relying on only the single error behavior given in a report, security analysts might underestimate the exploitability of a kernel bug, because the same bug can manifest various error behaviors that indicate different exploitation potentials. In this work, we conduct an empirical study on the multiple error behaviors of kernel bugs to understand 1) the prevalence of multiple error behaviors and their possible impact on exploitation potential; and 2) the factors that cause a bug to manifest multiple error behaviors with different exploitation potential. We collected all the fixed kernel bugs reported on Syzbot from September 2017 to January 2022, comprising 3,352 bug reports. We observed that multiple error behaviors manifested by kernel bugs are prevalent in the real world, and that additional error behaviors help unveil the exploitability of kernel bugs. We then organized Linux kernel experts to analyze a sample of the kernel bug dataset (484 bug reports covering 162 unique bugs) and identified 6 key contributing factors to multiple error behaviors. Finally, based on these empirical findings, we propose an object-driven fuzzing technique to explore all possible error behaviors that a kernel bug might bring about. To evaluate the utility of the proposed technique, we implement our fuzzing tool GREBE and apply it to 60 real-world Linux kernel bugs. On average, GREBE manifests 2+ additional error behaviors for each kernel bug. For 26 kernel bugs, GREBE discovers higher exploitation potential. We reported to kernel vendors some of the bugs whose exploitability had been wrongly assessed and whose corresponding patch had not yet been carefully applied, resulting in their rapid patch adoption.
UR - http://www.scopus.com/inward/record.url?scp=85149396512&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85149396512&partnerID=8YFLogxK
U2 - 10.1109/TDSC.2023.3246170
DO - 10.1109/TDSC.2023.3246170
M3 - Article
AN - SCOPUS:85149396512
SN - 1545-5971
VL - 21
SP - 93
EP - 109
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 1
M1 - 3246170
ER -