To minimize the damage that kernel vulnerabilities do to our daily lives, one straightforward solution is to have kernel developers and security analysts immediately patch every bug and vulnerability reported through bug bounty programs or other channels. In practice, however, it is very rare that a development or security team has sufficient resources to address each bug in a timely fashion. For example, my observation of the Linux community shows that syzbot reported more than 800 distinct kernel bugs in eight months, and the remediation cycle for these bugs varies significantly, ranging from a single day to more than half a year.
Given the lack of manpower to sift through each software bug in a timely manner, software vendors such as Microsoft and Ubuntu have recently come up with various strategies for prioritizing their remediation work. Of these strategies, prioritization by exploitability is the most common: it ranks a software bug based on how easily it can be exploited. However, it is challenging, and often infeasible, for a software developer (or a security analyst) to craft a working exploit and thereby assess the exploitability of a real-world bug or vulnerability.
In this talk, I will introduce a new exploitation framework that facilitates the development of exploits for kernel vulnerabilities. Technically, the framework uses a kernel fuzzing technique to diversify the contexts in which a kernel panic occurs and then leverages symbolic execution to explore exploitability in those contexts.