Bonan RUAN (阮博男)

Linux kernel vulnerability reproduction is a critical task in system security. To reproduce a kernel vulnerability, the vulnerable environment and the Proof of Concept (PoC) program are needed. Most existing research focuses on the generation of PoC, while the construction of environment is overlooked. However, establishing an effective vulnerable environment to trigger a vulnerability is challenging. Firstly, it is hard to guarantee that the selected kernel version for reproduction is vulnerable, as the vulnerability version claims in online databases can occasionally be incorrect. Secondly, many vulnerabilities cannot be reproduced in kernels built with default configurations. Intricate non-default kernel configurations must be set to include and trigger a kernel vulnerability, but less information is available on how to recognize these configurations.

To solve these challenges, we propose a patch-based approach to identify real vulnerable kernel versions and a graph-based approach to identify necessary configs for activating a specific vulnerability. We implement these approaches in a tool, KernJC, automating the generation of vulnerable environments for kernel vulnerabilities. To evaluate the efficacy of KernJC, we build a dataset containing 66 representative real-world vulnerabilities with PoCs from kernel vulnerability research in the past five years. The evaluation shows that KernJC builds vulnerable environments for all these vulnerabilities, 32 (48.5%) of which require non-default configs, and 4 have incorrect version claims in the National Vulnerability Database (NVD). Furthermore, we conduct large-scale spurious version detection on kernel vulnerabilities and identify 128 vulnerabilities that have spurious version claims in NVD. To foster future research, we release KernJC with the dataset in the community.

This talk explores the exploitation of vulnerabilities in container runtimes, focusing on two critical issues: CVE-2019-5736 in runC and CVE-2022-0847 (Dirty Pipe) in the Linux kernel. These vulnerabilities highlight the risks inherent in containerized environments, such as privilege escalation and host compromise, which pose significant threats to modern infrastructure security. The presentation begins with an analysis of Dirty Pipe, a Linux kernel vulnerability that allows unprivileged processes to overwrite data in read-only files, enabling code injection into privileged processes. We demonstrate how this exploit facilitates container escape when combined with the runC vulnerability, which allows attackers to overwrite the runC binary on the host system, achieving root access. Through live demonstrations, we showcase advanced exploitation techniques, including ELF manipulation, memory injection via Dirty Pipe, and stealthy post-exploitation persistence. We also examine practical mitigations, such as hardening runC and kernel-level defenses, to secure containerized environments. This comprehensive analysis provides valuable insights for security researchers and practitioners into detecting, mitigating, and understanding vulnerabilities in container infrastructures.

This talk introduces Metarget, an innovative framework designed for the automatic construction of vulnerable cloud-native environments. By facilitating the deployment of multi-layered, vulnerable infrastructures, Metarget enables researchers and ethical hackers to efficiently simulate complex attack scenarios ranging from container exploitation to cluster-level persistence. The presentation highlights offensive methodologies in cloud-native security, including real-world case studies such as post-penetration attacks against Kubernetes clusters. Using Metarget, we explore vulnerabilities like CVE-2020-15257 and CVE-2020-8559, demonstrating how attackers can achieve lateral movement and full cluster compromise. Additionally, we showcase k0otkit, a post-penetration persistence technique for Kubernetes, emphasizing its role in automating and advancing offensive security research. Through a detailed analysis of offensive strategies, this talk illustrates how tools like Metarget accelerate defensive innovations, paving the way for more robust cloud-native security practices.

This presentation introduces k0otkit, a universal post-penetration control technique for Kubernetes (K8s) clusters. By leveraging Kubernetes-native features such as DaemonSets, Secrets, and container injection, k0otkit provides attackers with rapid, covert, and persistent control over large-scale clusters. This talk explores the evolution of k0otkit through its various iterations, highlighting advancements in stealth, persistence, and efficiency, including the adoption of fileless attack techniques and encrypted communication. The discussion outlines a typical Kubernetes penetration process, emphasizing container escape, privilege escalation, and lateral movement, leading to full cluster control. Through live demonstrations, we showcase how k0otkit exploits Kubernetes vulnerabilities, automates reverse shell deployment, and achieves seamless cluster-wide compromise. Finally, the talk concludes with key defensive strategies to mitigate these risks, including implementing Pod security policies, detecting anomalous container behavior, and protecting against fileless attacks. This comprehensive analysis offers valuable insights for both offensive and defensive Kubernetes security research.