47 research outputs found

    Beyond Control: Exploring Novel File System Objects for Data-Only Attacks on Linux Systems

    The widespread deployment of control-flow integrity has propelled non-control data attacks into the mainstream. In the domain of OS kernel exploits, by corrupting critical non-control data, local attackers can directly gain root access or privilege escalation without hijacking the control flow. As a result, OS kernels have been restricting the availability of such non-control data. This forces attackers to continue to search for more exploitable non-control data in OS kernels. However, discovering unknown non-control data can be daunting because they are often tied heavily to semantics and lack universal patterns. We make two contributions in this paper: (1) discover critical non-control objects in the file subsystem and (2) analyze their exploitability. This work represents the first study, with minimal domain knowledge, to semi-automatically discover and evaluate exploitable non-control data within the file subsystem of the Linux kernel. Our solution utilizes a custom analysis and testing framework that statically and dynamically identifies promising candidate objects. Furthermore, we categorize these discovered objects into types that are suitable for various exploit strategies, including a novel strategy necessary to overcome the defense that isolates many of these objects. These objects have the advantage of being exploitable without requiring KASLR, thus making the exploits simpler and more reliable. We use 18 real-world CVEs to evaluate the exploitability of the file system objects using various exploit strategies. We develop 10 end-to-end exploits using a subset of CVEs against the kernel with all state-of-the-art mitigations enabled. Comment: 14 pages, in submission of the 31st ACM Conference on Computer and Communications Security (CCS), 202

    Robust Optical Data Encryption by Projection-Photoaligned Polymer-Stabilized-Liquid-Crystals

    The emerging Internet of Things (IoTs) invokes increasing security demands that require robust encryption or anti-counterfeiting technologies. Albeit being acknowledged as efficacious solutions in processing elaborate graphical information via multiple degrees of freedom, optical data encryption and anti-counterfeiting techniques are typically inept in delivering satisfactory performance without compromising the desired ease-of-processibility or compatibility, thus leading to the exploration of novel materials and devices that are competent. Here, a robust optical data encryption technique is demonstrated utilizing polymer-stabilized-liquid-crystals (PSLCs) combined with projection photoalignment and photopatterning methods. The PSLCs possess implicit optical patterns encoded via photoalignment, as well as explicit geometries produced via photopatterning. Furthermore, the PSLCs demonstrate improved robustness against harsh chemical environments and thermal stability, and can be directly deployed onto various rigid and flexible substrates. Based on this, it is demonstrated that a single PSLC is apt to carry intricate information, or serve as an exclusive watermark with both implicit features and explicit geometries. Moreover, a novel, generalized design strategy is developed, for the first time, to encode intricate and exclusive information with enhanced security by spatially programming the photoalignment patterns of a pair of cascade PSLCs, which further illustrates the promising capabilities of PSLCs in optical data encryption and anti-counterfeiting.

    Rondo: Scalable and Reconfiguration-Friendly Randomness Beacon

    We present Rondo, a scalable and reconfiguration-friendly distributed randomness beacon (DRB) protocol in the partially synchronous model. Rondo is the first DRB protocol that is built from batched asynchronous verifiable secret sharing (bAVSS) and meanwhile avoids the high $O(n^3)$ message cost, where $n$ is the number of nodes. Our key contribution lies in the introduction of a new variant of bAVSS called batched asynchronous verifiable secret sharing with partial output (bAVSS-PO). bAVSS-PO is a weaker primitive than bAVSS but allows us to build a secure and more efficient DRB protocol. We propose a bAVSS-PO protocol Breeze. Breeze achieves the optimal $O(n)$ messages for the sharing stage and allows Rondo to offer better scalability than prior DRB protocols. Additionally, to support the reconfiguration, we introduce Rondo-BFT, a dynamic and partially synchronous Byzantine fault-tolerant protocol inspired by Dyno (S&P 2022). Unlike Dyno, Rondo-BFT provides a communication pattern that generates randomness beacon output periodically, making it well-suited for DRB applications. We implement our protocols and evaluate the performance on Amazon EC2 using up to 91 instances. Our evaluation results show that Rondo achieves higher throughput than existing works and meanwhile offers better scalability, where the performance does not degrade as significantly as $n$ grows.

    Genome Characterization and Phylogenetic Analysis of Bovine Hepacivirus in Inner Mongolia, Northeastern China

    Bovine hepacivirus (BovHepV) is a new member of the genus Hepacivirus in the family Flaviviridae, which has been detected in cattle in more than seven countries. The purpose of this study was to identify and genetically characterize BovHepV in cattle in Inner Mongolia, northeastern (NE) China. A total of 116 serum samples from cattle were collected from HulunBuir in Inner Mongolia from April to May, 2021, and were divided into three pools for metagenomic sequencing. The samples were verified with semi-nested RT-PCR with primers based on the BovHepV sequences obtained from metagenomic sequencing. The complete genomes of BovHepV were amplified, and were used for genome characterization and phylogenetic analysis. BovHepV was detected in two pools through metagenomic sequencing. Five BovHepV positive samples were identified in Yakeshi of HulunBuir, thus indicating a prevalence of 8.8% (5/57). Two 8840 nucleotide long BovHepV strains YKS01/02 were amplified from the positive samples and showed 79.3%–91.9% nucleotide sequence identity with the discovered BovHepV strains. Phylogenetic analysis classified the YKS01/02 strains into BovHepV subtype G group. This study reports the first identification of BovHepV in cattle in northeastern China, and expands the known geographical distribution and genetic diversity of BovHepV in the country.

    Vacancy-Mediated Magnetism in Pure Copper Oxide Nanoparticles

    Room temperature ferromagnetism (RTF) is observed in pure copper oxide (CuO) nanoparticles which were prepared by a precipitation method with post-annealing in air, without any ferromagnetic dopant. The X-ray photoelectron spectroscopy (XPS) result indicates that mixed valence states of Cu$^{1+}$ and Cu$^{2+}$ ions exist at the surface of the particles. Vacuum annealing enhances the ferromagnetism (FM) of CuO nanoparticles, while oxygen atmosphere annealing reduces it. The origin of FM is suggested to be the oxygen vacancies at the surface and/or interface of the particles. Such a ferromagnet without the presence of any transition metal could be a very good option for a class of spintronics.