Linux Kernel Exploitation Techniques
Vitaly Nikolenko
Dates
13-15 February 2018Capacity
18Price
3.400,- €Introduction
The number of user-land exploitation countermeasures significantly outweighs the kernel protection mechanisms implemented by most modern distributions. Due to the complexity associated with exploiting user-land vulnerabilities (ASLR, NX, Fortify, RELRO, etc.), Linux kernel, with its huge publicly available codebase, has become an appealing target for exploit developers. A successful exploitation of a kernel vulnerability generally results in privilege escalation bypassing any user-land protections and exploit mitigations implemented by the OS.
This course teachers common kernel exploitation techniques on modern Linux distributions. It is designed for students already familiar with user-land exploitation who want to play with the heart of the OS and gain fundamental knowledge required to develop reliable and effective kernel exploits. Even though this course is designed for beginners in kernel exploitation, a number of more advanced topics, such as reliable exploitation of heap vulnerabilities and SMEP bypasses, are discussed.
Through hands-on exploitation, this course aims to provide the fun, excitement and rewarding experience of getting a # prompt after hours of hard work. There is a “Capture the Flag” contest at the end where you can practice your newly acquired skills in kernel exploitation.
- Key learning objectives
- ret2usr attacks
- Exploiting kernel heap and stack vulnerabilities
- Exploiting out of bounds (OOB) vulnerabilities
- Integer signedness bugs and overflows
- Reliable exploitation of use-after-free (UAF) vulnerabilities
- In-kernel return-oriented programming (ROP)
- Practical SMEP (Supervisor Mode Execution Protection) bypasses
- Prerequisite knowledge
- Familiarity with x86 (_64) architecture
- Linux working proficiency
- C and assembly programming knowledge
- Familiarity with GDB (GNU Debugger)
- Fundamental knowledge of common user-space exploitation techniques (e.g., stack and heap overflows, integer type conversion vulnerabilities and overflows, etc.)
- Hardware/Software requirements
- Base OS: Windows, OS X, Linux
- Ivy Bridge+ CPU (optional)
- At least 20GB of free disk space
- At least 8GB of RAM
- VMWare Workstation (v9+) or Fusion (v5+)
Full agenda
Day 1
- Introduction to Kernel Exploits
- User-space vs kernel-space
- x86(_64) architecture
- User-space processes
- Virtual memory management
- Linux privileges model
- Setting up the debugging environment
- Kernel debugging techniques
- Remote kernel debugging with VMWare and GDB
- Module debugging
- Privilege escalation
- Privilege escalation on modern distributions
- Privilege escalation heuristics
- Introduction to ret2usr attacks
- Arbitrary read/write primitives
- IDT (Interrupt Descriptor Table) overwrites
- Triggering the vulnerability
- Fixating – recovering the kernel state
Day 2
- Information disclosure
- Kernel memory addressing disclosures
- Memory leaks and addr_limit user/kernel boundary
- Controlled, partially-controlled and uncontrolled read/write primitives
- Out of bounds (OOB) access vulnerabilities
- Integer vulnerabilities
- Signedness issues
- Integer overflows
- Kernel stack overflows
Day 3
- Dynamic memory management/SLAB allocator
- Generic SLAB concepts
- Linux SLUB allocator
- Heap vulnerabilities
- Use-after-free (UAF) vulnerabilities
- Overflowing into adjacent objects
- Off-by-[one/X]
- Reliable UAF exploitation on SMP systems
- Kernel return-oriented programming (ROP)
- Bypassing SMEP (Supervisor Mode Execution Protection)
- CTF
Bio
Vitaly is a security researcher specialising in reverse engineering and exploit development. He has a solid academic background in programming languages, algorithms and cryptography. He is currently focused on OS security (kernel space exploitation techniques and countermeasures on POSIX systems) and software hypervisors.
Vitaly Nikolenko
