Linux Kernel Security
Links related to Linux kernel security and exploitation | Chat @linkersec_chat | @xairy @a13xp0p0v
Kernel Pwning with eBPF: a Love Story by Valentina Palmiotti

A detailed overview of eBPF from the exploit developer's perspective and an analysis of the CVE-2021-3490 exploit for Ubuntu 20.10.
[BugTales] Da Vinci Hits a Nerve: Exploiting Huawei’s NPU Driver by Gyorgy Miru

A detailed article about exploiting vulnerabilities in the Linux kernel driver for Huawei Neural-network Processing Unit.
Linux Security Summit 2021

The schedule for Linux Security Summit has been published. The summit will be happening from Sep 29th to Oct 1st.

I'll be giving a talk about the new MTE-based KASAN mode on the last day.
Two DEF CON talks about eBPF-based rootkits

#1: "eBPF, I thought we were friends!" (video) by Guillaume Fournier and Sylvain Afchain
#2: "Warping Reality: Creating and Countering the Next Generation of Linux Rootkits" (video) by Pat Hogan

Both are about building a rootkit via malicious eBPF programs. The programs are constrained to what the verifier permits (i.e., no AARW), but the allowed functionality is enough to mess with userspace daemons for LPE and with network packets for C&C.
Big improvements in my Linux Kernel Defence Map showing:
🔴Vulnerability classes
🟠Exploitation techniques
🟣Bug detection mechanisms
🟢Defence technologies
Now it represents Linux v5.12.
I added KASAN_HW_TAGS with ARM64_MTE, AUTOSLAB, KFENCE and many more.
How AUTOSLAB Changes the Memory Unsafety Game

An article about AUTOSLAB — a grsecurity hardening feature, which prevents certain heap-based exploitation scenarios.

Besides having purely grsecurity-related info, it contains an analysis of the techniques used in the heap-based exploits from the last 5 years.

By Zhenpeng Lin.
Samsung S10+/S9 kernel 4.14 (Android 10) Kernel Function Address (.text) and Heap Address Information Leak

An article about an info-leak in the ptrace subsystem. The bug was fixed upstream two years ago, but it still affects some Red Hat and Samsung kernels, as those didn't backport the fix.
The Art of Exploiting UAF by Ret2bpf in Android Kernel by Xingyu Jin and Richard Neal

Slides for the talk about exploiting an Android kernel UAF bug (CVE-2021-0399) through ret2bpf.
Solving the Kernote CTF task from 0CTF/TCTF Final 2021 by Matteo Rizzo

Nice writeup about exploiting a UAF in the Linux kernel and using pt_regs for the ROP chain.
Mitigating Linux kernel memory corruptions with Arm Memory Tagging

Memory tagging is coming to kill all of your favorite Linux kernel exploits.

I'll be premiering my "Mitigating Linux kernel memory corruptions with Arm Memory Tagging" LSS talk on YouTube in 24 hours. Please join in! I'll be in the YouTube chat during the talk to answer questions.

I've got an idea that can improve Linux kernel security and safety. It's inspired by exploit dev practice.

See my patch introducing pkill_on_warn:

It provoked an interesting discussion with the Linux kernel rockstars, including Linus.
How a simple Linux kernel memory corruption bug can lead to complete system compromise

An article by Jann Horn describing an exploit for a locking bug leading to a corrupted reference counter in the TTY subsystem. The article also thoroughly discusses ways to mitigate memory corruption bugs.

The exploit frees a buggy slab object, leaving a dangling reference to it, flushes the page containing the object out to the page allocator, reallocates that page and fills it with a page table, and then corrupts it via the dangling reference to gain write access to the text segment of a setuid binary.
SuDump: Exploiting suid binaries through the kernel

An article by Itai Greenhut covering a logical bug in the Linux kernel coredump generation code.

The researchers failed to find a way to exploit the bug in default distro configurations, but they showed how to gain root privileges on Ubuntu when a user is allowed to run at least one binary as root through sudo.

Exciting to see a logical bug as a change from all those countless memory corruptions.