Guide to Linux kernel exploitation
Ivor Canjuga
# whoami
Twitter: @santaclzz
Undergrad student at FERI, University of Maribor
CTF player / challenge creator
Intern at Viris
Why this presentation
To challenge myself
To share knowledge
Jk
To get a ticket before others :)
Kernel exploits: where are they used
Threat actors: to escalate privileges
Pentesters: to demonstrate impact
Defenders: coming up with detections and mitigations
Kernel / driver developers: to write patches
Android / iOS superusers: to customize their phone
Linux kernel oversimplified
Layer between user applications and HW
Manages CPU, memory, devices, file system, networking, process control…
Complex project with over 8 million lines of code
Still evolving
https://en.wikipedia.org/wiki/Kernel_(operating_system)
Differences from userspace
More instructions
More registers
More patience
Resources are shared
Bugs are the same
Goal of exploitation
Get root
Escape Docker / k8s container
Escape seccomp / sandbox
Persistence / stealth
Goal of exploitation
commit_creds(prepare_kernel_cred(0))
current->thread_info.flags &= ~(1 << TIF_SECCOMP)
run_cmd("/path_to_command")
Attack surface
Kernel modules - read, write, ioctl
Syscalls - 398 syscalls
File system
Network drivers
USB device
Setup
Build the Linux kernel with debug symbols
a. git clone https://github.com/torvalds/linux
b. cd linux && make defconfig && make menuconfig
c. Ensure that Kernel hacking --> Compile-time checks and compiler options --> Compile the kernel with debug symbols is checked.
d. make
Setup
filesystem
busybox
qemu
gdb
Debug
(gdb) b *0x401d05
From userspace
From kernelspace
Symbols in /proc/kallsyms
qemu -s: shorthand for -gdb tcp::1234, i.e. open a gdbserver on TCP port 1234.
Shellcode
Write kernel module
Compile it
Reverse engineer it
objdump -M intel -d test.ko
Bugs
Race conditions everywhere 🚨
modules
syscalls
Kernel Heap
SLOB, SLUB, SLAB allocator
kmalloc() and vmalloc()
kfree(), vfree() and kvfree()
https://sam4k.com/linternals-memory-allocators-0x02/
Heap exploitation
Double Free, Use After Free, Heap Overflow
1) Find struct with the “same” size
2) See what you can do with it
3) Spray the heap
Mitigations
KASLR, FG-KASLR
Kernel Stack Canary
SMEP - Execution Protection, cr4
SMAP - Access Protection, cr4
KPTI - isolated page tables
https://github.com/a13xp0p0v/linux-kernel-defence-map
Ret2user
Bypass everything
Return to userland
syscall vs. call
swapgs vs. leave
iretq vs. ret
Side channel attacks
Spectre & Meltdown
still not seen in the wild
/proc/cpuinfo
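Checking which of the mitigations on the previous slides are actually active on a host, from /proc/cpuinfo, /proc/cmdline, the kernel config and the vulnerabilities sysfs directory (added example, not part of the original deck; the SAMPLE_* inputs are constructed):

```python
"""Audit which hardening features from the Mitigations and Side channel slides are
active on a host. Added example; SAMPLE_* inputs are constructed, live_report() reads real files."""
import os
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

def cpu_flags(cpuinfo_text):
    """Feature flags from the first 'flags' line of /proc/cpuinfo."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()

def kconfig(config_text):
    """CONFIG_FOO=y lines of /boot/config-$(uname -r) as a dict ('is not set' lines skipped)."""
    return dict(l.split("=", 1) for l in config_text.splitlines()
                if l.startswith("CONFIG_") and "=" in l)

def mitigation_report(cpuinfo_text, cmdline, config_text, vulns):
    """vulns maps a file name under VULN_DIR to that file's contents."""
    flags, boot, cfg = cpu_flags(cpuinfo_text), cmdline.split(), kconfig(config_text)
    return {
        # SMEP/SMAP: CPU features the kernel turns on in cr4 unless nosmep/nosmap is booted
        "smep": "smep" in flags and "nosmep" not in boot,
        "smap": "smap" in flags and "nosmap" not in boot,
        # KASLR: built with CONFIG_RANDOMIZE_BASE and not disabled with 'nokaslr'
        "kaslr": cfg.get("CONFIG_RANDOMIZE_BASE") == "y" and "nokaslr" not in boot,
        "stack_canary": cfg.get("CONFIG_STACKPROTECTOR") == "y",
        # KPTI is reported by the kernel as its Meltdown mitigation
        "kpti": "PTI" in vulns.get("meltdown", ""),
        "spectre_v2": vulns.get("spectre_v2", "unknown").strip(),
    }

def live_report():
    """Run the audit on the current Linux host (needs a readable /boot config)."""
    cfg = Path(f"/boot/config-{os.uname().release}")
    vulns = {p.name: p.read_text() for p in VULN_DIR.iterdir()} if VULN_DIR.is_dir() else {}
    return mitigation_report(Path("/proc/cpuinfo").read_text(), Path("/proc/cmdline").read_text(),
                             cfg.read_text() if cfg.exists() else "", vulns)

# Constructed sample: SMAP switched off on the command line, everything else on.
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu pae nx smep smap pti\n"
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/vda1 nosmap\n"
SAMPLE_CONFIG = "CONFIG_RANDOMIZE_BASE=y\nCONFIG_STACKPROTECTOR=y\n# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set\n"
SAMPLE_VULNS = {"meltdown": "Mitigation: PTI\n", "spectre_v2": "Mitigation: Retpolines\n"}
```

Call live_report() on a real box; the SAMPLE_* values only exercise the parsers offline.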
Fuzzing
KCOV
KASAN
AFL
Syzkaller
Syzbot
Buzzer - eBPF
References
https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
https://sam4k.com/linternals-memory-allocators-0x02/
https://lkmidas.github.io/posts/20210205-linux-kernel-pwn-part-3/
https://seal9055.com/blog/kernel/return_oriented_programming
https://breaking-bits.gitbook.io/breaking-bits/exploit-development/linux-kernel-exploit-development/kernel-page-table-isolation-kpti#kpti-trampoline
https://ptr-yudai.hatenablog.com/entry/2020/03/16/165628
https://pwn.college/system-security/kernel-security
https://github.com/google/syzkaller/
https://research.nccgroup.com/2018/09/11/ncc-groups-exploit-development-capability-why-and-what/
https://lwn.net/Articles/824307/
https://meltdownattack.com/meltdown.pdf