To read this post in Portuguese, click here.
To build a high-level career in information security, broad and deep technical knowledge is indispensable. Solid experience with the following is crucial:
- Network protocols;
- Computer architecture;
- Operating systems;
- Programming languages;
- Compilers, among other fundamentals.
The professional needs a broad base of knowledge. We are talking about high-impact careers, made up of people who work at the forefront of modern technology. Other qualities are necessary too, but the focus here is strictly on the technical side.
It is common to hear from people interested in vulnerability research that, although they find our training interesting, they choose not to enroll because they focus on other systems, such as Windows or macOS. The same happens with those who aim to work in blue/red/purple teaming, malware analysis, or threat intelligence. We understand the argument, but we believe the premise is invalid and, often, harmful to professional development. We wrote this post precisely to address that issue.
The truth is that, regardless of the specific technical area you pursue, the breadth and depth of your knowledge will determine your professional capability. A solid foundation in diverse areas will allow you to:
- Identify and understand diverse problems with greater ease;
- Customize tools and systems for your specific purpose;
- Find vulnerabilities across a wide range of systems and programming languages;
- Innovate through the development of new exploitation techniques.
Deep knowledge of operating systems is fundamental for any of these areas, given that the OS is the central component of any computational system. Next, we will present real examples of how this diversity of knowledge directly translates into vulnerability research, demonstrating how skills acquired in one context can be successfully transferred to others.
Windows Exploitation Techniques Based on Linux Techniques
When thinking about how exploitation techniques for one operating system influence and inspire methods on others, it is impossible not to mention the Project Zero blog post [1]. In Linux kernel exploitation, userfaultfd [2] stands out as an extremely interesting feature: a user-mode process registers a range of its memory and is handed every page fault that hits it, and the faulting thread stays blocked in the kernel until the process resolves the fault (for example by supplying the page's contents with UFFDIO_COPY). Applied to memory that the kernel itself is about to read, this lets an attacker stretch the gap between two kernel accesses to user-controlled data for as long as needed, effectively pausing the kernel code path in the middle of its work. That temporal control is vital for exploiting race conditions, double fetches and use-after-frees.
Windows has no native equivalent of userfaultfd. Even on Linux the feature is frequently unavailable: since kernel 5.11 the vm.unprivileged_userfaultfd sysctl defaults to 0, so an unprivileged process can at most trap its own user-mode faults (the UFFD_USER_MODE_ONLY flag), not the kernel's accesses. When the resource is not available there are alternatives that reach the same objective, such as a FUSE file system, where a user-mode daemon services the reads of a memory-mapped file and can simply delay its reply.
Inspired by these techniques from the Linux ecosystem, James Forshaw investigated whether Windows offered analogous capabilities. The case illustrates perfectly why a researcher should follow the state of the art on other systems. Forshaw arrived at a technique similar to the FUSE-based one on Linux: beyond the conceptual inspiration, the mechanism he derived also goes through the file system. He searched for Windows functionality that mirrors the property of FUSE that matters here, letting user-mode code control (and delay) the servicing of accesses to file system objects, so that a memory-mapped view of such a file stalls whoever touches it until the attacker's code answers.
It is evident, therefore, that in-depth knowledge of an operating system and its exploitation techniques serves as a basis for innovations in other environments. The transferability of knowledge is real in this domain, making the diversity of experiences not only recommended but essential.
Exploiting Browsers Like in the Linux Kernel
Another notable case is the article by r3tr07a in issue 71 of the prestigious ezine Phrack [3], on exploiting vulnerabilities in the Chrome browser. The author states that he was inspired by Linux kernel exploitation techniques to develop new attack mechanisms for the browser. Besides producing high-quality content, the author demonstrates advanced experience in both kernels and browsers. At the end, he raises a crucial point that we highlight below:
“High-performance allocators tend to share vulnerabilities inherent in their operation and performance.”
Allocators are the software components responsible for dynamic memory management. Every operating system implements at least one. In pursuit of performance, however, it has become common for everyday software to ship its own: besides browsers, software such as Adobe Reader and Flash historically used proprietary allocators, a practice also adopted by the runtimes of various programming languages.
The Go runtime, for example, uses a size-class allocator derived from TCMalloc, which shares the central idea of the slab allocator [4]: serving each size class from runs of identically sized objects. The slab allocator was originally developed for the Solaris operating system and is today practically ubiquitous in Unix systems. The Linux kernel's default allocator, SLUB, is a direct descendant of this model (the original SLAB implementation was removed in Linux 6.8, leaving SLUB as the only one). Because memory management is critical to the system, SLUB is highly optimized and receives constant updates.
One of the vital optimizations in modern allocators is the use of per-cpu variables. Under this operating system abstraction every CPU gets its own copy of a variable, and code running on a CPU works only on that CPU's copy, either with preemption disabled or through atomic this_cpu operations, so that a migration or interrupt cannot slip in between. Because no other core touches that copy in the fast path, there is no cross-CPU contention to protect against, and complex locking mechanisms can be simplified or eliminated altogether. SLUB's per-cpu freelist is a textbook case: an allocation served from it takes no lock at all.
The concept of per-cpu variables is a topic we deeply address in our kernel exploitation training. Today, various allocators make extensive use of this resource.
Knowledge of memory allocators, whether in kernel or user mode, is therefore essential not only to understand how an application works but to exploit vulnerabilities in it effectively. It is a topic of extremely high transferability: as mentioned, countless applications and operating systems implement their own allocators. Although many variants exist, they share similar purposes and properties, being, most of the time, evolutions of earlier, established models.
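As an added example (not code from the page, from the Phrack article, or from the Linux kernel), the toy cache below keeps the classic slab layout: fixed-size objects carved from one slab, with free objects chained through a "next" pointer stored in their own first word. That layout is the shared property the quotation points at. A use-after-free write into a freed object overwrites the allocator's own metadata, and the following allocations return an address of the attacker's choosing. The hardened variant applies the idea of SLUB's freelist_ptr() (XOR with a random key and the slot address, CONFIG_SLAB_FREELIST_HARDENED) plus the range check that slub_debug adds; the key values, object size and the victim target are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OBJ_SIZE  64
#define SLAB_OBJS 8

/* One slab of fixed-size objects. Free objects are chained through a pointer
 * stored in their own first word, exactly the place a stale pointer can write. */
struct slab_cache {
    unsigned char slab[OBJ_SIZE * SLAB_OBJS];
    void *freelist;      /* head of the inline free list */
    uintptr_t secret;    /* constructed XOR key (SLUB draws it from get_random_long()) */
    int hardened;        /* 1 = obfuscate next pointers and validate them */
    int corrupted;       /* set once a decoded pointer fails validation */
};

/* Mirrors SLUB's freelist_ptr(): stored = next ^ secret ^ slot address.
 * XOR is its own inverse, so one function both encodes and decodes. */
static void *fl_xor(const struct slab_cache *c, const void *slot, void *ptr)
{
    if (!c->hardened)
        return ptr;
    return (void *)((uintptr_t)ptr ^ c->secret ^ (uintptr_t)slot);
}

static int in_slab(const struct slab_cache *c, const void *p)
{
    const unsigned char *q = p;
    return q >= c->slab && q < c->slab + sizeof c->slab
        && (size_t)(q - c->slab) % OBJ_SIZE == 0;
}

static void cache_init(struct slab_cache *c, int hardened, uintptr_t secret)
{
    memset(c, 0, sizeof *c);
    c->hardened = hardened;
    c->secret = secret;
    for (int i = 0; i < SLAB_OBJS; i++) {          /* slot0 -> slot1 -> ... -> NULL */
        void *slot = c->slab + i * OBJ_SIZE;
        void *next = i + 1 < SLAB_OBJS ? (void *)(c->slab + (i + 1) * OBJ_SIZE) : NULL;
        *(void **)slot = fl_xor(c, slot, next);
    }
    c->freelist = c->slab;
}

static void *cache_alloc(struct slab_cache *c)
{
    void *obj = c->freelist;
    if (!obj || c->corrupted)
        return NULL;
    void *next = fl_xor(c, obj, *(void **)obj);
    /* Production SLUB keeps this range check off the fast path for speed
     * (slub_debug's check_valid_pointer() is where it lives); that omission
     * is exactly what a poisoned next pointer exploits. */
    if (c->hardened && next && !in_slab(c, next)) {
        c->corrupted = 1;
        return NULL;
    }
    c->freelist = next;
    return obj;
}

static void cache_free(struct slab_cache *c, void *obj)
{
    /* CONFIG_SLAB_FREELIST_HARDENED also rejects freeing the current head,
     * the simplest double free. */
    if (c->hardened && obj == c->freelist) {
        c->corrupted = 1;
        return;
    }
    *(void **)obj = fl_xor(c, obj, c->freelist);
    c->freelist = obj;
}

static unsigned char victim[OBJ_SIZE];   /* any address the attacker wants handed out */

/* Returns 1 if one write through a dangling pointer made cache_alloc() return 'victim'. */
int freelist_hijack(int hardened)
{
    struct slab_cache c;
    cache_init(&c, hardened, (uintptr_t)0x5ca1ab1e5ca1ab1eULL);
    void *a = cache_alloc(&c);
    (void)cache_alloc(&c);                      /* keep a second object in use */
    cache_free(&c, a);                          /* a is the head; its first word is the encoded next */
    void *fake_next = victim;
    memcpy(a, &fake_next, sizeof fake_next);    /* use-after-free write poisons next */
    (void)cache_alloc(&c);                      /* hands out a again, loads the poisoned next */
    return cache_alloc(&c) == (void *)victim;   /* unhardened: victim; hardened: NULL */
}

/* Sanity check: allocate everything, free everything, allocate everything again. */
int slab_roundtrip(int hardened)
{
    struct slab_cache c;
    void *objs[SLAB_OBJS];
    int n = 0;
    cache_init(&c, hardened, (uintptr_t)0x7e57c0deULL);
    for (int i = 0; i < SLAB_OBJS; i++) if ((objs[i] = cache_alloc(&c))) n++;
    for (int i = SLAB_OBJS - 1; i >= 0; i--) cache_free(&c, objs[i]);
    for (int i = 0; i < SLAB_OBJS; i++) if (cache_alloc(&c)) n++;
    return n;   /* 16 when every allocation succeeded and nothing was flagged */
}

int main(void)
{
    printf("unhardened hijack: %d, hardened hijack: %d, roundtrip: %d\n",
           freelist_hijack(0), freelist_hijack(1), slab_roundtrip(1));
    return 0;
}
```

The same two lines of thought, "where does the allocator keep its metadata" and "what stops me from writing it", apply unchanged to PartitionAlloc, to a browser's JavaScript heap or to a kernel slab, which is the transferable part.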
An iOS Researcher’s Adventure in Android
To reinforce the point that diverse knowledge pays off, we cite the blog post [5] by Brandon Azad, a renowned iOS researcher.
In the article, Azad describes developing a full exploit for a vulnerability in the Neural Processing Unit (NPU) driver on Samsung Android devices. In his conclusion, he expressed surprise at the similarities and parallels that emerged during the work, which brought back concepts from a previous project of his on iOS.
He summarizes his experience with this powerful reflection:
“Despite all these differences between the two platforms, I was overall quite surprised with the similarities and parallels that did emerge. Even though the final exploit flow for this NPU bug ended up being quite different, there were many echoes of the oob_timestamp exploit along the way. Thus my past experience developing iOS kernel exploits did in fact help me come up with ideas worth trying on Android, even if most of those ideas didn’t pan out.”
Chrome Developer Identifying Bugs in CPUs
A final example is the work of the acclaimed developer Bruce Dawson, who has worked at companies such as Microsoft and Google and maintains the Random ASCII blog [6]. In one of his posts [7], Bruce detailed how he identified a design bug in the Xbox 360 CPU. Although the post is highly instructive, the crucial point for us is in his reply on Hacker News [8].
In the thread, a hardware engineer commented that, nowadays, a CPU reaching the market with memory coherence flaws would be a huge mistake. The engineer used the expression “escape to silicon”, and another user asked what it meant. Bruce replied explaining the term, but what truly catches our attention is his follow-up statement: as a Chrome developer, he has to deal with CPU bugs frequently.
Although this point is not about knowledge transferability between operating systems, it shows the level of technical depth demanded of a professional working at the vanguard of technology, on the main browser on the market, which validates our initial premise.
This example reinforces that a programmer working on cutting-edge technology today needs a comprehensive understanding: of the product (Chrome), of the technologies involved, and of the internal workings of modern processors. Evidently, not every Chrome programmer needs to be a hardware specialist, but we believe the benefits of that foundational knowledge far outweigh the cost of acquiring it.
Finally, the term most often used for the set of technologies that make up a system is the stack (literally, a pile of items placed one on top of another).
No modern technology works in isolation. The more you know about the components that form your stack, from the CPU silicon to the user-mode application, the more complete and valuable a professional you will become. It is not easy, but it is worth it!
Conclusion
The central objective of this post was to challenge the notion that knowledge transferability within the information security field does not exist. We demonstrated that diverse knowledge and the capacity for abstraction are the key to an accurate understanding.
While beginner professionals tend to focus excessively on specific technical details—failing to comprehend the general properties and characteristics of vulnerability classes, exploitation techniques, and technologies—the experienced professional is capable of viewing the details abstractly, independent of the implementation, and replicating the knowledge when and where necessary.
In drawing this distinction, we recall the physicist Wolfgang Pauli, who described the capacity to generalize from a specific phenomenon:
“knowledge cannot be gained by understanding an isolated phenomenon or a single group of phenomena, even if one discovers some order in them. It comes from the recognition that a wealth of experiential facts are interconnected and can therefore be reduced to a common principle. […] ‘Understanding’ probably means nothing more than having whatever ideas and concepts are needed to recognize that a great many different phenomena are part of a coherent whole. Our mind becomes less puzzled once we have recognized that a special, apparently confused situation is merely a special case of something wider, that as a result it can be formulated much more simply. The reduction of a colorful variety of phenomena to a general and simple principle, or, as the Greeks would have put it, the reduction of the many to the one, is precisely what we mean by ‘understanding’. The ability to predict is often the consequence of understanding, of having the right concepts, but is not identical with ‘understanding’.”
Our teaching philosophy is directly aligned with Pauli’s principle. In our training, we focus not only on specific techniques but on dissecting the properties, characteristics, weaknesses, and robustness of implementations. This allows you to understand how things work beyond the lab environment, enabling you to generalize from the specific phenomenon.
Linux is among the most highly optimized pieces of software in existence and is developed by some of the most renowned developers in the world. Studying it lets you learn firsthand from state-of-the-art implementations, a learning opportunity whose value transfers far beyond Linux itself.
Our training is led by researchers with decades of experience in vulnerability exploitation. We will soon announce our exclusive online course, delivered in English. Invest in the technical foundation that will make you a world-class professional. Stay tuned!
We offer several benefits to ensure your success:
- World-Class Instructors: Professionals with proven experience in vulnerability exploitation.
- Exclusive Community: Early access to our articles and advanced discussions.
- Flexible Resources: Recorded video lessons for review at any time.
- Extended Support: Student support for up to 6 months after the training.
References
[1] – Windows Exploitation Tricks: Trapping Virtual Memory Access
https://googleprojectzero.blogspot.com/2021/01/windows-exploitation-tricks-trapping.html
[2] – Userfaultfd
https://docs.kernel.org/admin-guide/mm/userfaultfd.html
[3] – Allocating new exploits – Pwning browsers like a kernel – Digging into PartitionAlloc and Blink engine
https://phrack.org/issues/71/10#article
[4] – Hey linker, can you spare a meg?
https://tailscale.com/blog/go-linker
[5] – An iOS hacker tries Android
https://googleprojectzero.blogspot.com/2020/12/an-ios-hacker-tries-android.html
[6] – Random ASCII – tech blog of Bruce Dawson
https://randomascii.wordpress.com
[7] – Finding a CPU Design Bug in the Xbox 360
https://randomascii.wordpress.com/2018/01/07/finding-a-cpu-design-bug-in-the-xbox-360/
[8] – on: Finding a CPU Design Bug in the Xbox 360 (2018)
https://news.ycombinator.com/item?id=27481721
