FUZE: Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities


Wei Wu, University of Chinese Academy of Sciences; Pennsylvania State University; Institute of Information Engineering, Chinese Academy of Sciences; Yueqi Chen, Jun Xu, and Xinyu Xing, Pennsylvania State University; Xiaorui Gong and Wei Zou, University of Chinese Academy of Sciences; Institute of Information Engineering, Chinese Academy of Sciences


Software vendors usually prioritize their bug remediation based on ease of their exploitation. However, accurately determining exploitability typically takes tremendous hours and requires significant manual efforts. To address this issue, automated exploit generation techniques can be adopted. In practice, they however exhibit an insufficient ability to evaluate exploitability particularly for the kernel Use-After-Free (UAF) vulnerabilities. This is mainly because of the complexity of UAF exploitation as well as the scalability of an OS kernel.

In this paper, we therefore propose FUZE, a new framework to facilitate the process of kernel UAF exploitation. The design principle behind this technique is that we expect the ease of crafting an exploit could augment a security analyst with the ability to expedite exploitability evaluation. Technically, FUZE utilizes kernel fuzzing along with symbolic execution to identify, analyze and evaluate the system calls valuable and useful for kernel UAF exploitation.

To demonstrate the utility of FUZE, we implement FUZE on a 64-bit Linux system by extending a binary analysis framework and a kernel fuzzer. Using 15 real-world kernel UAF vulnerabilities on Linux systems, we then demonstrate FUZE could not only escalate kernel UAF exploitability and but also diversify working exploits. In addition, we show that FUZE could facilitate security mitigation bypassing, making exploitability evaluation less labor-intensive and more efficient.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {217626,
author = {Wei Wu and Yueqi Chen and Jun Xu and Xinyu Xing and Xiaorui Gong and Wei Zou},
title = {{FUZE}: Towards Facilitating Exploit Generation for Kernel {Use-After-Free} Vulnerabilities},
booktitle = {27th USENIX Security Symposium (USENIX Security 18)},
year = {2018},
isbn = {978-1-939133-04-5},
address = {Baltimore, MD},
pages = {781--797},
url = {https://www.usenix.org/conference/usenixsecurity18/presentation/wu-wei},
publisher = {USENIX Association},
month = aug

Presentation Video 

Presentation Audio