Kernel information leakage still threatens the operating system: it helps defeat the widely used mitigation mechanism kASLR. Although whole-system-emulation-based kernel information leakage detection systems found dozens of such vulnerabilities in the past decade, many new reports show that kernel information leakage is not dead. Past detection solutions focus on the primitive related to uninitialized data in kernel memory. We introduce a new primitive of kernel information leakage vulnerability. In this thesis, we present a kernel information leakage detection system, Leak Harvest, which uses static symbolic execution to detect such vulnerabilities. We design a new symbolic taint execution model for the new vulnerability primitive. Leak Harvest collects all kernel pointer references in kernel code binaries and checks whether each one is a kernel-to-user write. For each kernel-to-user write, it extracts the access pattern of the pointers. The access patterns are mapped to the related functions. While symbolic execution is running, function calls that correspond to a kernel-to-user write are converted into accesses of a sensitive buffer. We generate such a buffer from the information given by a code slicing technique. Our method found a re-introduced vulnerability on Windows in June 2020. The vulnerability was confirmed by Microsoft, and we received an acknowledgement from the vendor.