{"588152":{"#nid":"588152","#data":{"type":"news","title":"Once Overlooked, Uninitialized-Use \u2018Bugs\u2019 May Provide Portal for Hacker Attacks","body":[{"value":"\u003Cp\u003EPopular with programmers the world over for its stability, flexibility and security, Linux now appears to be vulnerable to hackers.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EAccording to new Georgia Institute of Technology research, uninitialized variables \u0026ndash; largely overlooked bugs mostly regarded as insignificant memory errors \u0026ndash; are actually a critical attack vector that can be reliably exploited by hackers to launch privilege escalation attacks in the Linux kernel.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EWhen successful, these intrusions give attackers increasing levels of access to a network\u0026rsquo;s resources.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;While other kernel bugs and vulnerabilities have been examined and remedied, uninitialized-use bugs are not well studied, and to date, no practical defense mechanisms have been developed to protect against these attacks,\u0026rdquo; said Georgia Tech Ph.D. student \u003Ca href=\u0022http:\/\/www.cc.gatech.edu\/~klu38\/\u0022\u003E\u003Cstrong\u003EKangjie Lu\u003C\/strong\u003E\u003C\/a\u003E, lead researcher on the project.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EIn fact, despite potentially dangerous consequences, uninitialized-use bugs are seldom even classified as security vulnerabilities.\u003C\/p\u003E\r\n\r\n\u003Cp\u003ETo prove that these bugs do present a security risk, researchers developed a novel approach, known as targeted stack spraying, to attack the operating system (OS) kernel.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EAlong with a technique that occupies large portions of the memory to control the stack, the automated attack probes the stack to find weaknesses that user-mode programs can exploit to direct kernel code paths and leave attacker-controlled data on the kernel stack. 
Ultimately, the goal of this attack is to reliably control the value of a specific uninitialized variable in the kernel space of a running program.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe research findings confirm that hackers using this method can automatically prepare a malicious pointer in the uninitialized variable. When the malicious pointer is used, a privilege escalation attack targeting the Linux kernel may occur.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;Our research shows that utilizing the targeted stack-spraying approach allows attackers to reliably control more than 91 percent of the Linux kernel stack, which, in combination with uninitialized-use vulnerabilities, suffices for a privilege escalation attack,\u0026rdquo; said Lu.\u003C\/p\u003E\r\n\r\n\u003Cp\u003ENot content to merely identify the vulnerability, Lu and his fellow researchers also developed a potential solution to the problem.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;Our mitigation approach leverages the fact that uninitialized-use attacks usually control an uninitialized pointer to achieve arbitrary read\/write\/execution,\u0026rdquo; explained Lu. \u0026ldquo;By zero-initializing pointer-type fields that the compiler cannot prove are properly initialized before they are used, we can prevent an adversary from controlling these pointers.\u0026rdquo;\u003C\/p\u003E\r\n\r\n\u003Cp\u003ETo limit any unnecessary performance overhead related to zero-initializing pointer-type fields, the team developed an intra-procedural program analysis that checks whether a pointer field is properly initialized when it is used. 
Only uninitialized pointer fields require zero initialization.\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Cp\u003EA paper titled \u003Ca href=\u0022https:\/\/www.internetsociety.org\/doc\/unleashing-use-initialization-vulnerabilities-linux-kernel-using-targeted-stack-spraying\u0022\u003E\u003Cem\u003EUnleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying\u003C\/em\u003E\u003C\/a\u003E is being presented this week at the \u003Ca href=\u0022http:\/\/www.internetsociety.org\/events\/ndss-symposium\/ndss-symposium-2017\u0022\u003ENetwork and Distributed System Security Symposium\u003C\/a\u003E being held in San Diego, Calif.\u003C\/p\u003E\r\n","summary":null,"format":"limited_html"}],"field_subtitle":"","field_summary":"","field_summary_sentence":[{"value":"New Georgia Tech research has determined that simple memory errors in Linux can be reliably exploited by hackers."}],"uid":"32045","created_gmt":"2017-03-01 16:12:01","changed_gmt":"2017-03-02 15:52:40","author":"Ben Snedeker","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2017-03-01T00:00:00-05:00","iso_date":"2017-03-01T00:00:00-05:00","tz":"America\/New_York"},"extras":[],"hg_media":{"588153":{"id":"588153","type":"image","title":"Linux","body":null,"created":"1488384838","gmt_created":"2017-03-01 16:13:58","changed":"1488466627","gmt_changed":"2017-03-02 14:57:07","alt":"","file":{"fid":"224144","name":"Tux.svg_.png","image_path":"\/sites\/default\/files\/images\/Tux.svg_.png","image_full_path":"http:\/\/tlwarc.hg.gatech.edu\/\/sites\/default\/files\/images\/Tux.svg_.png","mime":"image\/png","size":75551,"path_740":"http:\/\/tlwarc.hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/Tux.svg_.png?itok=00ETSh3H"}}},"media_ids":["588153"],"groups":[{"id":"47223","name":"College of Computing"},{"id":"430601","name":"Institute for Information Security and Privacy"},{"id":"50875","name":"School of Computer 
Science"}],"categories":[],"keywords":[{"id":"14116","name":"Linux"},{"id":"173634","name":"vulnerability"},{"id":"1404","name":"Cybersecurity"},{"id":"173635","name":"kangjie lu"},{"id":"173636","name":"ndss"}],"core_research_areas":[{"id":"145171","name":"Cybersecurity"}],"news_room_topics":[{"id":"71881","name":"Science and Technology"}],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003EAlbert Snedeker\u003Cbr \/\u003E\r\nCommunications Manager\u003Cbr \/\u003E\r\nCollege of Computing\u003Cbr \/\u003E\r\n404-844-7128\u003Cbr \/\u003E\r\nalbert.snedeker@cc.gatech.edu\u003C\/p\u003E\r\n","format":"limited_html"}],"email":["albert.snedeker@cc.gatech.edu"],"slides":[],"orientation":[],"userdata":""}}}