Now Reading
Learnings from kCTF VRP’s 42 Linux kernel exploits submissions

Learnings from kCTF VRP’s 42 Linux kernel exploits submissions

2023-06-15 22:16:32

In 2020, we built-in kCTF into Google’s Vulnerability Rewards Program (VRP) to help researchers evaluating the safety of Google Kubernetes Engine (GKE) and the underlying Linux kernel. Because the Linux kernel is a key part not only for Google, however for the Web, we began closely investing on this space. We prolonged the VRP’s scope and most reward in 2021 (to $50k), then once more in February 2022 (to $91k), and at last in August 2022 (to $133k). In 2022, we additionally summarized our learnings up to now in our cookbook, and launched our experimental mitigations for the most typical exploitation strategies.

On this submit, we would wish to share our learnings and statistics concerning the newest Linux kernel exploit submissions, how efficient our mitigations are in opposition to them, what we do to guard our customers, and, lastly, how we’re altering our program to align incentives to the areas we’re most enthusiastic about.

Learnings and Statistics

Since its inception, this system has rewarded researchers with a complete of 1.8 million USD, and up to now yr, there was a transparent development: 60% of the submissions exploited the io_uring part of the Linux kernel (we paid out round 1 million USD for io_uring alone). Moreover, io_uring vulnerabilities had been utilized in all of the submissions which bypassed our mitigations.


Limiting io_uring

To guard our customers, we determined to restrict the utilization of io_uring in Google merchandise: 

Whereas io_uring brings efficiency advantages, and promptly reacts to safety points with complete safety fixes (like backporting the 5.15 model to the 5.10 secure tree), it’s a pretty new a part of the kernel. As such, io_uring continues to be actively developed, however it’s nonetheless affected by extreme vulnerabilities and in addition supplies robust exploitation primitives. For these causes, we at the moment think about it secure just for use by trusted parts.

See Also


At present, we make vulnerability particulars public on our spreadsheet (which now additionally consists of CVE particulars), and we’ve got summarized totally different exploitation strategies in our cookbook. Sooner or later, to make our efforts extra clear and provides sooner suggestions to the neighborhood, we’ll ask researchers to open-source their submissions, together with the code they used.

Introducing kernelCTF

To raised align incentives with our areas of curiosity, we’re shifting our focus from GKE and kCTF to the most recent secure kernel and our mitigations. Because of this, beginning at present we’ll deal with kernel exploit submissions underneath a brand new identify, “kernelCTF,” with its personal reward structure and submission process. The utmost complete payout for kernelCTF continues to be $133,337 per submission. Whereas the precise GKE kernel configuration continues to be coated by the brand new kernelCTF, exploits affecting non-kernel parts like the total GKE stack (together with Kubernetes), the container runtime, and GKE itself, at the moment are individually eligible for vulnerability rewards underneath the kCTF VRP which is returning to its original reward amounts and conditions.


Our aim stays the identical: we’re constructing a pipeline to research, experiment, measure, and construct safety mitigations to make the Linux kernel as secure as potential, with the assistance of the safety neighborhood. We hope that over time, we will implement safety mitigations that make it harder to take advantage of Linux kernel vulnerabilities.

With the identify change, we’ve got moved our communication channel to #kernelctf on Discord, with a separate #kernelctf-announcements channel. Please be a part of us there for the most recent updates relating to kernelCTF.

Source Link

What's Your Reaction?
In Love
Not Sure
View Comments (0)

Leave a Reply

Your email address will not be published.

2022 Blinking Robots.
WordPress by Doejo

Scroll To Top