Hunting Kernel Exploits with JANUS

Worldwide, the number of devices per person keeps growing: the statistic we found projects 6.58 devices per person, roughly 50 billion devices in total, by 2020. Each of these devices runs an operating system, and each OS supports a range of filesystems. A single filesystem vulnerability can therefore be fatal to every OS that supports that filesystem, and so to devices around the world. This led us to research how many OSs can be threatened using a single filesystem vulnerability.

Filesystems are a large attack surface, but one with real limitations: a filesystem is at least 50,000 lines of code, and looking for vulnerabilities in one requires a deep understanding of its codebase, close to understanding every single line. In this presentation, we will explain the structure and features of the filesystem and discuss some of the limits of using it as an attack surface.

We will explain how to trigger a crash in the filesystem, briefly introduce the JANUS fuzzer we used, and walk through the process of porting JANUS to the latest kernel version.

Using JANUS, we found 16 unique vulnerabilities in three filesystems that allow read/write primitives and kernel control-flow hijacking (all of the vulnerabilities we found have been reported; some are still awaiting patches). We have also created a new crash-proof triage program and a filesystem fuzzing monitor program, both of which we will introduce in this presentation.
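Going from a pile of fuzzer crashes to a count of unique vulnerabilities is a deduplication problem: the same bug fires from many inputs with different addresses and offsets. The script below is an added example of that triage step, not the authors' triage program or any part of JANUS. It parses KASAN-style kernel reports, drops the sanitizer's own reporting frames, strips offsets, and keys each crash on the bug class plus the first few real frames; the three reports it runs on are constructed, and the `demo_fs_*` function names in them are hypothetical.

```python
"""Crash deduplication for kernel fuzzing logs (added example, not JANUS code).

Each report is reduced to (bug class, top N frames outside the sanitizer
machinery) so that repeated hits of one bug collapse into a single entry.
"""
import hashlib
import re

# Frames that belong to the reporting machinery, not to the bug itself.
_INFRA = re.compile(r"^(dump_stack|print_address_description|print_report|"
                    r"kasan_|__kasan_|__asan_|check_memory_region|__ubsan)")
_BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)")
_ACCESS_RE = re.compile(r"^(?P<rw>Read|Write) of size (?P<size>\d+)")
_FRAME_RE = re.compile(r"^\s+(?P<func>[A-Za-z_]\w*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?")

# Constructed sample reports; demo_fs_* names are hypothetical.
SAMPLE_REPORTS = [
"""BUG: KASAN: use-after-free in demo_fs_lookup_block+0x1b4/0x9c0
Read of size 4 at addr ffff8881f1234568 by task fuzz-worker/1234

Call Trace:
 dump_stack+0x12/0x30
 print_address_description+0x6a/0x2a0
 kasan_report+0x1c/0x30
 demo_fs_lookup_block+0x1b4/0x9c0
 demo_fs_read_inode+0x2d1/0x1200
 demo_fs_lookup+0x5a1/0xb40
 ? demo_fs_lookup+0x3a0/0xb40
 path_openat+0x91/0x1e00

Allocated by task 1234:
""",
"""BUG: KASAN: use-after-free in demo_fs_lookup_block+0x1c0/0x9c0
Read of size 4 at addr ffff8881a0ff0018 by task fuzz-worker/5678

Call Trace:
 dump_stack+0x12/0x30
 kasan_report+0x1c/0x30
 demo_fs_lookup_block+0x1c0/0x9c0
 demo_fs_read_inode+0x2d1/0x1200
 demo_fs_lookup+0x5a1/0xb40
 path_openat+0x91/0x1e00

""",
"""BUG: KASAN: slab-out-of-bounds in demo_fs_parse_extent+0x88/0x300
Write of size 8 at addr ffff8881c0de0100 by task fuzz-worker/9012

Call Trace:
 dump_stack+0x12/0x30
 kasan_report+0x1c/0x30
 demo_fs_parse_extent+0x88/0x300
 demo_fs_map_blocks+0x140/0x700
 demo_fs_readpage+0x33/0x200

""",
]


def parse_report(text, depth=3):
    """Extract bug class, access type and the first `depth` non-sanitizer frames."""
    kind, rw, size, frames, in_trace = None, None, None, [], False
    for line in text.splitlines():
        m = _BUG_RE.match(line)
        if m:
            kind = m.group("kind")
            continue
        m = _ACCESS_RE.match(line)
        if m:
            rw, size = m.group("rw"), int(m.group("size"))
            continue
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        if in_trace:
            if not line.startswith(" "):      # blank line or next section ends the trace
                break
            if line.lstrip().startswith("? "):  # unreliable frame, skip
                continue
            m = _FRAME_RE.match(line)
            if not m or _INFRA.match(m.group("func")):
                continue
            frames.append(m.group("func"))
            if len(frames) == depth:
                break
    return {"kind": kind or "unknown", "rw": rw, "size": size, "frames": frames}


def signature(report):
    """Stable crash key: bug class + top frames, offsets and addresses removed."""
    key = report["kind"] + "|" + "|".join(report["frames"])
    return hashlib.sha1(key.encode()).hexdigest()[:12]


def priority(report):
    """Heuristic only: a write or a UAF is the usual start of a write primitive."""
    if report["rw"] == "Write" or report["kind"] in ("use-after-free", "double-free"):
        return "high"
    return "medium" if report["rw"] == "Read" else "low"


def triage(reports, depth=3):
    """Group raw reports into unique crashes with hit counts and a rough priority."""
    groups = {}
    for text in reports:
        r = parse_report(text, depth)
        g = groups.setdefault(signature(r), {"kind": r["kind"], "frames": r["frames"],
                                             "priority": priority(r), "count": 0})
        g["count"] += 1
    return groups


if __name__ == "__main__":
    for sig, g in triage(SAMPLE_REPORTS).items():
        print(sig, g["priority"], g["count"], g["kind"], " <- ".join(g["frames"]))
```

The two use-after-free reports differ only in offsets, addresses and task ids and so collapse into one entry, while the out-of-bounds write stays separate; raising `depth` makes the grouping stricter if one signature starts absorbing distinct bugs that share a caller.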

MAIN CONFERENCE
Location: Track 2
Date: April 23, 2020
Time: 5:30 pm - 6:30 pm
Speakers: Donghee Kim, WonYoung Jung, HeoungJin Jo, SeungPyo Hong