Attacking DRM subsystem to gain kernel privilege on Chromebooks
===

:::info
- **Date:** Oct. 29th 16:30-17:10
- **Speaker:** Di_Shen
- **Category:** Technical - Main Track

> Chromebook is one of the most secure laptops so far. It is running the Linux-based Chrome OS as its operating system. The Google Chrome team has applied many effective mitigations on Chrome OS and also releases security updates for it every few weeks.
>
> At the beginning of this year, my colleagues planned to build a full exploit chain to achieve code execution on Chromebook remotely and persistently, which is very challenging. I joined their project at a middle stage, attempted to find bugs for local privilege escalation in limited time, and finally contributed a kernel vulnerability on Chrome OS to finish the full chain.
>
> The Direct Rendering Manager (DRM) is a subsystem of the Linux kernel that exposes an API which user-space programs can use to send commands and data to the GPU, and to perform operations such as configuring the mode setting of the display. Meanwhile, DRM is also an awesome attack surface for attackers to escalate local privilege on Linux.
>
> In this talk, I'm going to share the full story of exploiting a new DRM vulnerability on Chrome OS. First, I'll introduce the implementation of the DRM subsystem briefly, and explain why a kernel exploit is helpful for us to bypass some mitigations like 'Verified Boot' on Chrome OS. Second, I'll describe how I found the kernel bug in DRM in very limited time. After that, I'll show you how to exploit an integer overflow, bypass the annoying mitigation "HARDENED_USERCOPY" in the Linux kernel and successfully gain root privilege. At the end there will also be a demonstration of this exploit, as a proof of concept.
:::

###### tags: `CODEBLUE2019`, `CODEBLUE`
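The abstract names two things a kernel reviewer should recognise on sight: an integer overflow in a size computation, and the bounds check that HARDENED_USERCOPY enforces when data is copied between user and kernel memory. The following is an added, self-contained C illustration of both patterns written for this page; it is not code from the talk, from Chrome OS, or from the DRM subsystem, and it does not describe the speaker's bug. `naive_size`, `checked_size_or_zero`, `struct obj`, `OBJ_SIZE` and `try_copy_in` are all hypothetical names, and the 64-byte object and the 8-byte source buffer are constructed sample data. `__builtin_mul_overflow` is the GCC/clang builtin; in kernel code the equivalent helpers are `check_mul_overflow()` / `struct_size()`.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Unchecked size computation: count * elem_size silently wraps in 32 bits.
 * 0x40000001 * 4 == 0x1_0000_0004, which truncates to 4: a tiny allocation
 * that the caller will then treat as if it held 0x40000001 elements. */
uint32_t naive_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Checked size computation: returns 0 (an impossible "valid" size) when the
 * multiplication would overflow, so the caller can reject the request. */
uint32_t checked_size_or_zero(uint32_t count, uint32_t elem_size)
{
    uint32_t total;
    if (__builtin_mul_overflow(count, elem_size, &total))
        return 0;
    return total;
}

/* Hypothetical fixed-size object standing in for a kernel heap object. */
#define OBJ_SIZE 64
struct obj {
    uint8_t data[OBJ_SIZE];
};

/* Bounded copy into the object. The check has the same shape as the one
 * HARDENED_USERCOPY applies: the copy must lie entirely within one object.
 * Written as (len > OBJ_SIZE - offset) rather than (offset + len > OBJ_SIZE)
 * so the check itself cannot overflow. Returns 0 on success, -1 if rejected.
 * Uses a static object and a constructed 8-byte source so it is easy to call. */
int try_copy_in(size_t offset, size_t len)
{
    static struct obj target;
    const uint8_t src[8] = { 1, 2, 3, 4, 5, 6, 7, 8 }; /* constructed sample */

    if (len > sizeof(src))
        return -1;
    if (offset > OBJ_SIZE || len > OBJ_SIZE - offset)
        return -1;  /* would write past the end of the object */
    memcpy(target.data + offset, src, len);
    return 0;
}

int main(void)
{
    printf("naive_size(0x40000001, 4)   = %u (wrapped)\n",
           naive_size(0x40000001u, 4));
    printf("checked_size(0x40000001, 4) = %u (0 means rejected)\n",
           checked_size_or_zero(0x40000001u, 4));
    printf("copy offset 60 len 4 -> %d (fits)\n", try_copy_in(60, 4));
    printf("copy offset 60 len 8 -> %d (rejected)\n", try_copy_in(60, 8));
    return 0;
}
```

The first pair of calls shows why a size that is computed from a user-controlled count has to be checked before it is used for allocation; the second pair shows the copy-time bound that catches an out-of-object write even when the earlier size check was missed, which is the defence-in-depth role the abstract attributes to HARDENED_USERCOPY.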