The LinuxSecurity team thanks Horacio Zambrano for contributing this article.
Enterprises using Linux for their cloud or data center servers may be faced with a larger threat from advanced security attackers in the near future. Based on the Linux Foundation’s estimates back in 2014, 75% of enterprises reported using Linux for the cloud and 79% for application deployments.
In mid-August this year, Mr. Wei Wu, an academic from the Chinese Academy of Sciences and Pennsylvania State University, unveiled an automated technique for generating ROP chain exploits against the Linux kernel at the 24th annual USENIX Security Symposium. The technique utilized, known as KEPLER, enables the operator to automatically evaluate “control flow hijackable” CVE’s to generate tens of thousands of exploit chains, a necessary ingredient for the creation of full ROP chain attacks. Of 19 CVEs evaluated, KEPLER was successful in automating the creation of exploit chains for 17 of them, vastly surpassing existing tools.
Mr. Wu is opening up KEPLER to the open source community in the hopes that it helps white hats better prioritize and secure the Linux kernel over time. Until effective defenses are deployed, however, some see this as added risk.
“This will lead to an acceleration in the number of sophisticated attacks on the Linux kernel given the velocity with which ROP attacks can be created with it.” said Brad Spengler, CEO of Open Source Security, providers of kernel ROP defense patches known as Grsecurity. “It took Google one week to build a proof-of-concept for a zero-day vulnerability it disclosed this past September, and this tool can find its first ROP chain gadget in under an hour,” he added.
While Mr. Wu’s work was released as an open-source tool for the positive evaluation of control flow hijackable vulnerabilities in the Linux kernel, malicious actors may also use it to advance their sophisticated exploit efforts. ROP attacks, which stand for return-oriented programming attacks, manipulate pointers in memory and at their worst can lead to hackers remotely controlling a server or computer. Also known as “code reuse attacks” in some circles, ROP attacks require the discovery of small snippets of code, or ROP “gadgets”, to become reality. While the growing prevalence of these attacks has been well documented in the past decade, ROP attacks require pain staking trial and error and reverse engineering work, making them less common than other threats.
“When executed against the kernel as opposed to a user space application, they are doubly insidious,” claims Mr. Spengler, “Malicious actors can easily erase their tracks to become untraceable, escalate their privilege and disable additional security.”
What should enterprises running Linux do to protect themselves? As Mr. Wu notes at the end of his presentation, the only way to prevent a ROP chain attack or similar memory corruption exploit is through the use of kernel Control Flow Integrity (CFI). Interestingly enough, Google just announced an improvement of the built-in kernel-level CFI capabilities in Android last week.
Contributing Author Bio:
Horacio Zambrano is the Founder and CEO at Synchrony Group, a research and advisory firm in the cybersecurity market. He is a former Wall Street analyst covering Information Security and has been a product and marketing executive at Cisco, Juniper Networks and other Silicon Valley start-ups. He currently consults in the area of cybersecurity marketing.