ACHyb: A Hybrid Analysis Approach to Detect Kernel Access Control Vulnerabilities
Fri 27 Aug 2021 07:10 - 07:20 - Dependability—Vulnerabilities 2 Chair(s): Ramy Shahin
Access control is essential to operating system (OS) security. Incorrect implementation of access control can introduce new attack surfaces to the OS, known as Kernel Access Control Vulnerabilities (KACVs). To understand KACVs, we study their root causes and security impacts. Given the complexity of the identified root causes, we focus in particular on two kinds of KACVs, namely KACV-M (due to missing permission checks) and KACV-I (due to misusing permission checks). We find that over 60% of these KACVs are of critical, high or medium security severity, resulting in a variety of security threats including bypassing security checks, privilege escalation, etc. However, existing approaches can only detect KACV-M. The state-of-the-art KACV-M detector, PeX, is a static analysis tool that still suffers from extremely high false-positive rates.
In this paper, we present ACHyb, a precise and scalable approach to reveal both KACV-M and KACV-I. ACHyb is a hybrid approach: it first applies static analysis to identify potentially vulnerable paths and then applies dynamic analysis to reduce the false positives among those paths. For the static analysis, ACHyb improves on PeX in both precision and soundness, using interface analysis, callsite dependence analysis and constraint-based invariant analysis with a stronger access control invariant. For the dynamic analysis, ACHyb uses greybox fuzzing to identify the potential KACVs. To improve fuzzing efficiency, ACHyb adopts our novel clustering-based seed distillation approach to generate high-quality seed programs. Our experimental results show that ACHyb reveals 76 potential KACVs in less than 8 hours and 22 of them are KACVs (19 KACV-M and 3 KACV-I). In contrast, PeX reveals 2,088 potential KACVs in more than 11 hours, and only 14 of them are KACVs (all KACV-M). Furthermore, ACHyb successfully uncovers 7 new KACVs, and 2 of them (1 KACV-M and 1 KACV-I) have been confirmed by kernel developers.
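The two bug classes the abstract distinguishes, shown as an added illustration that is not from the paper or the ACHyb code: a constructed userspace C model whose names (`model_capable`, `MODEL_CAP_ADMIN`, `set_mtu_*`) are hypothetical. The KACV-I variant assumes one form of misuse, a check whose result does not gate the privileged call, and the probe at the end shows how running a flagged path separates real violations from the correctly guarded one.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model: all names are hypothetical, not kernel or ACHyb code. */
enum { MODEL_CAP_ADMIN = 1u << 0 };
struct task { unsigned caps; };
struct device { int mtu; };
typedef int (*setter_fn)(const struct task *, struct device *, int);

static bool model_capable(const struct task *t, unsigned cap) { return (t->caps & cap) != 0; }

/* Privileged function: callers must hold MODEL_CAP_ADMIN before reaching it. */
static int do_set_mtu(struct device *d, int mtu) { d->mtu = mtu; return 0; }

/* KACV-M shape: the path to the privileged function has no permission check. */
int set_mtu_missing(const struct task *t, struct device *d, int mtu) {
    (void)t;
    return do_set_mtu(d, mtu);
}

/* KACV-I shape (assumed form of misuse): the check runs, but its result does
 * not gate the privileged call, so the write happens before -EPERM is returned. */
int set_mtu_misused(const struct task *t, struct device *d, int mtu) {
    int ret = model_capable(t, MODEL_CAP_ADMIN) ? 0 : -EPERM;
    do_set_mtu(d, mtu);
    return ret;
}

/* Corrected form: the check dominates the privileged call. */
int set_mtu_checked(const struct task *t, struct device *d, int mtu) {
    if (!model_capable(t, MODEL_CAP_ADMIN))
        return -EPERM;
    return do_set_mtu(d, mtu);
}

/* Runtime probe: does a caller with no capabilities change device state? */
int unprivileged_write_lands(setter_fn op) {
    struct task nobody = { 0 };
    struct device dev = { 1500 };
    op(&nobody, &dev, 9000);
    return dev.mtu != 1500;
}

int main(void) {
    printf("missing=%d misused=%d checked=%d\n",
           unprivileged_write_lands(set_mtu_missing),
           unprivileged_write_lands(set_mtu_misused),
           unprivileged_write_lands(set_mtu_checked));
    return 0;
}
```

The misused variant returns `-EPERM` to the caller, so a review that looks only at the return value would pass it; the state change is what exposes it.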
Thu 26 Aug (displayed time zone: Athens)
19:00 - 20:00 | Dependability—Vulnerabilities 2 | Research Papers / Demonstrations | +12h | Chair(s): Domenico Bianculli, University of Luxembourg
19:00 10m Paper | Identifying Casualty Changes in Software Patches | Research Papers | Adriana Sejfia University of Southern California, Yixue Zhao University of Massachusetts at Amherst, Nenad Medvidović University of Southern California
19:10 10m Paper | ACHyb: A Hybrid Analysis Approach to Detect Kernel Access Control Vulnerabilities | Research Papers | Yang Hu The University of Texas at Austin, Wenxi Wang University of Texas at Austin, Casen Hunger University of Texas at Austin, Riley Wood University of Texas at Austin, Sarfraz Khurshid University of Texas at Austin, Mohit Tiwari University of Texas at Austin
19:20 5m Paper | ICME: An Informed Consent Management Engine for Conformance in Smart Building Environments | Demonstrations | Chehara Pathmabandu Monash University, John Grundy Monash University, Mohan Baruwal Chhetri CSIRO’s Data61, Zubair Baig Deakin University
19:25 5m Paper | CrossVul: A Cross-Language Vulnerability Dataset with Commit Data | Demonstrations | Georgios Nikitopoulos University of Thessaly, Konstantina Dritsa Athens University of Economics and Business, Panos Louridas Athens University of Economics and Business, Dimitris Mitropoulos University of Athens
19:30 30m Live Q&A | Q&A (Dependability—Vulnerabilities 2) | Research Papers
Fri 27 Aug (displayed time zone: Athens)
07:00 - 08:00 | Dependability—Vulnerabilities 2 | Demonstrations / Research Papers | Chair(s): Ramy Shahin, University of Toronto
07:00 10m Paper | Identifying Casualty Changes in Software Patches | Research Papers | Adriana Sejfia University of Southern California, Yixue Zhao University of Massachusetts at Amherst, Nenad Medvidović University of Southern California
07:10 10m Paper | ACHyb: A Hybrid Analysis Approach to Detect Kernel Access Control Vulnerabilities | Research Papers | Yang Hu The University of Texas at Austin, Wenxi Wang University of Texas at Austin, Casen Hunger University of Texas at Austin, Riley Wood University of Texas at Austin, Sarfraz Khurshid University of Texas at Austin, Mohit Tiwari University of Texas at Austin
07:20 5m Paper | ICME: An Informed Consent Management Engine for Conformance in Smart Building Environments | Demonstrations | Chehara Pathmabandu Monash University, John Grundy Monash University, Mohan Baruwal Chhetri CSIRO’s Data61, Zubair Baig Deakin University
07:25 5m Paper | CrossVul: A Cross-Language Vulnerability Dataset with Commit Data | Demonstrations | Georgios Nikitopoulos University of Thessaly, Konstantina Dritsa Athens University of Economics and Business, Panos Louridas Athens University of Economics and Business, Dimitris Mitropoulos University of Athens
07:30 30m Live Q&A | Q&A (Dependability—Vulnerabilities 2) | Research Papers