ChainReactor: Automated Privilege Escalation Chain Discovery via AI Planning

Current academic vulnerability research predominantly focuses on identifying individual bugs and exploits in programs and systems. However, this goes against the growing trend of modern, advanced attacks that rely on a sequence of steps (i.e., a chain of exploits) to achieve their goals, often incorporating individually benign actions. This paper introduces a novel approach to the automated discovery of such exploitation chains using AI planning. In particular, we aim to discover privilege escalation chains, some of the most critical and pervasive security threats, which involve exploiting vulnerabilities to gain unauthorized access and control over systems. We implement our approach as a tool, ChainReactor, that models the problem as a sequence of actions to achieve privilege escalation from the initial access to a target system. ChainReactor extracts information about available executables, system configurations, and known vulnerabilities on the target and encodes this data into a Planning Domain Definition Language (PDDL) problem. Using a modern planner, ChainReactor can generate chains incorporating vulnerabilities and benign actions. We evaluated ChainReactor on 3 synthetic vulnerable VMs, 504 real-world Amazon EC2 and 177 Digital Ocean instances, demonstrating its capacity to rediscover known privilege escalation exploits and identify new chains previously unreported. Specifically, the evaluation showed that ChainReactor successfully rediscovered the exploit chains in the Capture the Flag (CTF) machines and identified zero-day chains on 16 Amazon EC2 and 4 Digital Ocean VMs.