ERACE: Toward Facilitating Exploit Generation for Kernel Race Vulnerabilities

Abstract

Since a large number of Linux kernel vulnerabilities are discovered every year, many vulnerabilities cannot be patched in time. Security vendors often prioritize patching high-risk vulnerabilities, and the ratings of vulnerabilities need to be evaluated based on factors such as exploitability and the scope of influence. However, evaluating exploitability is challenging and time-consuming, especially for race vulnerabilities, whose exploitation process is complicated and the success rate of exploitation is low, making them more likely to be overlooked. In this paper, we propose a new framework, called ERACE, to facilitate the process of exploiting kernel race vulnerabilities. Given a program called a proof of concept (PoC) that can trigger a race vulnerability, ERACE first applies a combination of dynamic and static analysis techniques to locate the instruction that causes the race. Then, it applies code instrumentation and static analysis to determine the timing relationship between the race instructions and the triggering type of the vulnerability and records the vulnerability context information. Next, it uses backward taint analysis to identify checkpoints that can be used to determine whether the race condition and heap spraying are satisfied and records the system calls to which the checkpoints belong. Finally, we can generate exploits based on the information collected above. To demonstrate the utility of ERACE, we tested it on 23 real-world vulnerabilities. As a result, we successfully detected the race points of 19 vulnerabilities, the timing relationship among the race instructions, and the triggering types of 17 vulnerabilities and succeeded in generating exploits for 13 vulnerabilities. ERACE can effectively help security researchers simplify the analysis process of kernel race vulnerabilities, select appropriate exploitation methods, and use checkpoints to increase the success rates of exploitations.