ChainReactor: Automated Privilege Escalation Chain Discovery via AI Planning

Authors: 

Giulio De Pasquale, King's College London and University College London; Ilya Grishchenko, University of California, Santa Barbara; Riccardo Iesari, Vrije Universiteit Amsterdam; Gabriel Pizarro, University of California, Santa Barbara; Lorenzo Cavallaro, University College London; Christopher Kruegel and Giovanni Vigna, University of California, Santa Barbara

Distinguished Artifact Award Winner

Abstract: 

Current academic vulnerability research predominantly focuses on identifying individual bugs and exploits in programs and systems. However, this goes against the growing trend of modern, advanced attacks that rely on a sequence of steps (i.e., a chain of exploits) to achieve their goals, often incorporating individually benign actions. This paper introduces a novel approach to the automated discovery of such exploitation chains using AI planning. In particular, we aim to discover privilege escalation chains, some of the most critical and pervasive security threats, which involve exploiting vulnerabilities to gain unauthorized access and control over systems. We implement our approach as a tool, ChainReactor, that models the problem as a sequence of actions to achieve privilege escalation from the initial access to a target system. ChainReactor extracts information about available executables, system configurations, and known vulnerabilities on the target and encodes this data into a Planning Domain Definition Language (PDDL) problem. Using a modern planner, ChainReactor can generate chains incorporating vulnerabilities and benign actions. We evaluated ChainReactor on 3 synthetic vulnerable VMs, 504 real-world Amazon EC2 and 177 Digital Ocean instances, demonstrating its capacity to rediscover known privilege escalation exploits and identify new chains previously unreported. Specifically, the evaluation showed that ChainReactor successfully rediscovered the exploit chains in the Capture the Flag (CTF) machines and identified zero-day chains on 16 Amazon EC2 and 4 Digital Ocean VMs.

BibTeX
@inproceedings {299659,
author = {Giulio De Pasquale and Ilya Grishchenko and Riccardo Iesari and Gabriel Pizarro and Lorenzo Cavallaro and Christopher Kruegel and Giovanni Vigna},
title = {{ChainReactor}: Automated Privilege Escalation Chain Discovery via {AI} Planning},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {5913--5929},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/de-pasquale},
publisher = {USENIX Association},
month = aug
}