Discovering, characterizing and exploiting controllable-copy objects for kernel data-only attacks with CopyKat

J. Koschel, A. Mambretti, A. Sorniotti, P. Moretto, C. Migliorelli, A. Di Dio, C. Giuffrida, A. Kurmus

Modern kernel hardening mechanisms considerably reduce the viability of control-flow hijacking attacks, prompting attackers to shift their focus to data-only attacks. These attacks corrupt non-control data to amplify a limited memory-corruption primitive into a more powerful capability such as an arbitrary write. Prior work has identified small sets of such objects in specific circumstances, but no existing approach discovers and characterizes them at scale. In this paper, we introduce CopyKat, a fully automated pipeline for identifying and characterizing Controllable-Copy Objects (CCOs): heap-allocated kernel structures whose fields can be corrupted to redirect a store or memory-transfer operation involving attacker-controlled data. We propose a multi-stage methodology with progressive filtering of objects. We first uncover candidate CCOs through lightweight taint analysis applied to a fuzzing campaign, then confirm the taint with a precise taint engine to prune false positives. Finally, we corrupt each candidate under a concolic execution engine to verify that the object is controllable and to collect the path and value constraints an exploit must satisfy. We find 122 verified CCOs and build 8 end-to-end exploits involving different exploitation patterns, showcasing the correctness of our characterization and the flexibility of the discovered objects.
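As an added illustration of the CCO pattern described above (example code, not from the paper or from the CopyKat pipeline), the following user-space C model shows how corrupting a single pointer field turns an ordinary bounded copy into a write to an attacker-chosen address, and why the surrounding fields impose value constraints. `struct cco_model`, `cco_write()` and `corrupt_object()` are hypothetical stand-ins for a kernel heap object, its copy path and a limited memory-corruption bug; they do not correspond to any real kernel structure.

```c
/*
 * Added illustration, not from the CopyKat paper: a user-space model of a
 * controllable-copy object. struct cco_model, cco_write() and
 * corrupt_object() are hypothetical stand-ins for a kernel heap object, its
 * copy path (think copy_from_user into obj->buf) and a limited
 * memory-corruption bug; none of them is a real kernel structure or API.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical kernel-style heap object. Data from "user space" is stored
 * through buf, so buf is the field an attacker wants to corrupt. */
struct cco_model {
    uint8_t *buf;   /* destination of the copy: the controllable field */
    size_t   cap;   /* bound the copy path checks: a value constraint */
    char     tag[16];
};

/* Stand-in for the kernel's store / memory-transfer operation.
 * Returns the number of bytes copied, or -1 if the request is rejected. */
long cco_write(struct cco_model *obj, const uint8_t *user_data, size_t len)
{
    if (obj == NULL || obj->buf == NULL || len > obj->cap)
        return -1;
    memcpy(obj->buf, user_data, len);
    return (long)len;
}

/* Simulated limited primitive: overwrite n bytes at offset off inside the
 * object, as an adjacent-chunk overflow or a constrained UAF write might. */
static void corrupt_object(struct cco_model *obj, size_t off,
                           const void *src, size_t n)
{
    memcpy((uint8_t *)obj + off, src, n);
}

/* Constructed attacker payload; the bytes are arbitrary. */
static const uint8_t PAYLOAD[8] = {0x41, 0x41, 0x41, 0x41,
                                   0x42, 0x42, 0x42, 0x42};

/* Amplification: redirect buf to target and let the unmodified copy path do
 * the write. Returns 1 if target now holds PAYLOAD, 0 if it does not,
 * -1 on allocation failure. */
int demo_amplify(uint8_t *target, size_t target_len)
{
    struct cco_model *obj = calloc(1, sizeof *obj);
    uint8_t *legit = calloc(1, 64);
    if (obj == NULL || legit == NULL) { free(obj); free(legit); return -1; }
    obj->buf = legit;
    obj->cap = 64;

    size_t len = target_len < sizeof PAYLOAD ? target_len : sizeof PAYLOAD;

    /* Baseline: the copy lands in the object's own buffer. */
    long n0 = cco_write(obj, PAYLOAD, len);
    int baseline = n0 == (long)len && memcmp(legit, PAYLOAD, len) == 0;

    /* Corrupt only the pointer field; cap is left intact so the length
     * check still passes (the constraint an exploit must respect). */
    uint8_t *addr = target;
    corrupt_object(obj, offsetof(struct cco_model, buf), &addr, sizeof addr);

    long n1 = cco_write(obj, PAYLOAD, len);
    int redirected = n1 == (long)len && memcmp(target, PAYLOAD, len) == 0;

    free(legit);
    free(obj);
    return baseline && redirected;
}

/* Same redirection, but the primitive also clobbers cap with zero (an
 * overflow that spans both fields). The copy path now rejects the request,
 * so no write happens and cco_write() returns -1. This is the kind of value
 * constraint a characterization pipeline has to record for each CCO. */
long demo_value_constraint(uint8_t *target)
{
    uint8_t scratch[64] = {0};
    struct cco_model obj = { .buf = scratch, .cap = 64, .tag = "legit" };

    uint8_t *addr = target;
    size_t zero = 0;
    corrupt_object(&obj, offsetof(struct cco_model, buf), &addr, sizeof addr);
    corrupt_object(&obj, offsetof(struct cco_model, cap), &zero, sizeof zero);

    return cco_write(&obj, PAYLOAD, sizeof PAYLOAD);
}
```

The two demos separate the two things the abstract says the pipeline must establish: that the field is reachable by the primitive and redirects the copy (`demo_amplify`), and which other fields must survive the corruption for the copy path to execute at all (`demo_value_constraint`).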