
Study On Detection And Exploitation Of Uninitialized Use Vulnerability In XNU Kernel

Posted on: 2020-08-22
Degree: Master
Type: Thesis
Country: China
Candidate: Z Q Xu
Full Text: PDF
GTID: 2428330620460067
Subject: Information and Communication Engineering
Abstract/Summary:
An uninitialized use vulnerability refers to a common mistake in which a memory region is accessed before it is initialized. It is often neglected by programmers because it is considered simple and not harmful. XNU is the kernel of macOS and iOS, developed by Apple. The security of the XNU kernel has a great impact on the security of PCs and mobile devices because macOS and iOS are the major operating systems on these devices. In this paper, we conduct an in-depth study of how to discover and exploit uninitialized use vulnerabilities in the XNU kernel. For vulnerability detection, we first analyze the root causes of uninitialized use vulnerabilities and classify them into subtypes based on our analysis. Second, we build a byte-sensitive model of a program's runtime memory regions and a path-sensitive algorithm to update the memory model. By combining the memory model and the algorithm, we propose a byte-sensitive and path-sensitive model to detect uninitialized use vulnerabilities. Lastly, we develop a static analysis tool by implementing the model in the Clang Static Analyzer. For vulnerability exploitation, we first analyze the randomization of the kernel heap and prove by experiment that the randomization of the kernel heap's start address and allocation sequence is weak. Second, we fully analyze two uninitialized use vulnerabilities in macOS Sierra. We exploit CVE-2017-2357 to bypass kASLR and CVE-2017-2358 to hijack the kernel's control flow, bypass several modern mitigations, and finally compromise the macOS Sierra kernel and gain kernel privilege. Lastly, we discuss ways to eliminate uninitialized use vulnerabilities and mitigations to reduce the potential damage of exploitation. We apply the static analysis tool to the XNU source code (version 4570.1.46) and discover 5 unique uninitialized use vulnerabilities. Four of them were fixed in newer versions of XNU, but one still exists in the latest XNU source code. We compare our tool with UniSan by analyzing a manually modified XNU source code; the result shows that our tool has a higher recall rate (88.00%) but a lower precision rate (57.52%). The F1 score is 0.70, slightly higher than UniSan's. By choosing appropriate exploitation parameters we improve the stability and success rate of the exploitation, and we can compromise macOS and gain kernel privilege with a success rate of 94%.
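The abstract describes the vulnerability class (a memory region read before every byte of it is written) and a byte-sensitive model that tracks initialization per byte. The following C program is an added illustration written for this page; it is not the thesis's analyzer and makes no claim about how that tool is implemented. It models a hypothetical kernel reply record `struct reply` whose ABI padding is never assigned, tracks written bytes in a per-byte shadow map (`shadow_begin`, `shadow_write`, `shadow_read`, all names assumed here), and counts how many uninitialized bytes a whole-struct bulk copy to the caller would read, first without and then with the usual fix of clearing the object before use.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration (not the thesis's own tool): a byte-granular "shadow"
 * map that records which bytes of a tracked stack object have been written,
 * so a later whole-object read can be checked for uninitialized bytes. */
#define SHADOW_MAX 64

typedef struct {
    const unsigned char *base;   /* start of the tracked object */
    size_t len;                  /* bytes tracked (capped at SHADOW_MAX) */
    uint8_t init[SHADOW_MAX];    /* 1 = this byte has been written */
} shadow_t;

static void shadow_begin(shadow_t *s, const void *base, size_t len) {
    s->base = (const unsigned char *)base;
    s->len = len > SHADOW_MAX ? SHADOW_MAX : len;
    memset(s->init, 0, sizeof s->init);
}

/* Record that bytes [p, p+n) of the tracked object were written. */
static void shadow_write(shadow_t *s, const void *p, size_t n) {
    size_t off = (size_t)((const unsigned char *)p - s->base);
    for (size_t i = 0; i < n && off + i < s->len; i++)
        s->init[off + i] = 1;
}

/* Return how many bytes in [p, p+n) would be read before being written. */
static size_t shadow_read(const shadow_t *s, const void *p, size_t n) {
    size_t off = (size_t)((const unsigned char *)p - s->base);
    size_t uninit = 0;
    for (size_t i = 0; i < n && off + i < s->len; i++)
        if (!s->init[off + i])
            uninit++;
    return uninit;
}

/* Hypothetical kernel reply record: the compiler inserts padding between
 * the 1-byte 'type' and the 4-byte-aligned 'len'. */
struct reply {
    uint8_t  type;
    uint32_t len;
};

/* Number of padding bytes the ABI leaves inside struct reply (3 on the
 * common 32/64-bit ABIs). */
size_t reply_padding_bytes(void) {
    return sizeof(struct reply) - sizeof(uint8_t) - sizeof(uint32_t);
}

/* Models a handler that assigns each named field and then copies the whole
 * struct to its caller (a copyout-style bulk read).  With zero_first=false
 * the padding bytes are never written, so that read is an uninitialized use.
 * With zero_first=true the object is cleared before use, the usual fix.
 * Returns the count of uninitialized bytes the bulk copy would read. */
size_t uninit_bytes_in_bulk_copy(bool zero_first) {
    struct reply r;
    shadow_t s;
    shadow_begin(&s, &r, sizeof r);

    if (zero_first) {
        memset(&r, 0, sizeof r);               /* fix: initialize every byte */
        shadow_write(&s, &r, sizeof r);
    }
    r.type = 1;
    shadow_write(&s, &r.type, sizeof r.type);
    r.len = 16;
    shadow_write(&s, &r.len, sizeof r.len);

    /* copyout(&r, sizeof r) would read every byte, padding included. */
    return shadow_read(&s, &r, sizeof r);
}

int main(void) {
    printf("padding bytes in struct reply: %zu\n", reply_padding_bytes());
    printf("uninitialized bytes copied, no memset: %zu\n",
           uninit_bytes_in_bulk_copy(false));
    printf("uninitialized bytes copied, with memset: %zu\n",
           uninit_bytes_in_bulk_copy(true));
    return 0;
}
```

The shadow map is what makes the check byte-sensitive: a field-level model would see both named fields as written and miss the padding hole, which is exactly the kind of region a bulk copy exposes. The model is intentionally path-insensitive here; the thesis's contribution of updating such a model along each control-flow path is not reproduced.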
Keywords/Search Tags: uninitialized use vulnerability, XNU kernel, vulnerability detection, static analysis, vulnerability exploitation