Kernel-Security-Learning

Anything about kernel security. CTF kernel pwn & kernel exploit, kernel fuzz and kernel defense paper & kernel debugging technique & kernel CVE debug.

Keep updating...


1. CTF

  1. A First Look at Linux Kernel Exploitation (1): Environment Setup
  2. A First Look at Linux Kernel Exploitation (2): demo-null_dereference
  3. A First Look at Linux Kernel Exploitation (3): demo-stack_overflow
  4. 【Linux kernel exploitation】强网杯 (QWB) 2018 core: stack overflow
  5. 【Linux kernel exploitation】CISCN 2017 babydriver: UAF vulnerability
  6. 【Linux kernel exploitation】0CTF 2018 baby: double fetch
  7. 【Linux kernel exploitation】强网杯 (QWB) 2018 solid_core: arbitrary read/write
  8. 【Linux kernel exploitation】StringIPC: three ways from arbitrary read/write to privilege escalation
  9. 【Linux kernel exploitation】STARCTF 2019 hackme: summary of call_usermodehelper privilege-escalation path variables
  10. 【Linux kernel exploitation】WCTF 2018 klist: race-condition UAF and pipe heap spray
  11. 【Linux kernel exploitation】TokyoWesternsCTF 2019 gnote: double fetch
  12. 【Using userfaultfd in the Linux kernel】Balsn CTF 2019 - KrazyNote
  13. Linux Kernel Privilege Escalation Series (1): heap spraying with the sendmsg and msgsend functions
  14. Linux Kernel Privilege Escalation Series (2): four ways from arbitrary address read/write to privilege escalation
  15. Linux Kernel Privilege Escalation Series (3): uninitialized stack variable vulnerabilities
  16. 【Linux kernel exploitation】The ret2dir exploitation method

2. Paper

(1) kernel exploit

  1. 2014-USENIX:ret2dir: Rethinking Kernel Isolation
  2. 2015-CCS:From collision to exploitation_ Unleashing Use-After-Free vulnerabilities in Linux Kernel
  3. 2016-CCS:Prefetch Side-Channel Attacks - Bypassing SMAP and Kernel ASLR
  4. 2016-CCS:Breaking Kernel Address Space Layout Randomization with Intel TSX
  5. 2017-CCS:SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits
  6. 2017-NDSS:Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying — 【note】
  7. 2018-USENIX:FUZE: Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities — 【note】【tool-FUZE】
  8. 2019-USENIX:KEPLER: Facilitating Control-flow Hijacking Primitive Evaluation for Linux Kernel Vulnerabilities — 【note】【tool-KEPLER】
  9. 2019-CCS:SLAKE: Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel — 【note】【tool-SLAKE】
  10. 2020-USENIX:KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities — 【note】【note2】【tool-KOOBE】

(2) kernel vulnerability detection

  1. 2012-OSDI:Improving integer security for systems with KINT
  2. 2014-Black Hat:QSEE TrustZone Kernel Integer Overflow
  3. 2014-USENIX:Static Analysis of Variability in System Software - The 90,000 #ifdefs Issue
  4. 2014-OSDI:SKI:Exposing Kernel Concurrency Bugs through Systematic Schedule Exploration
  5. 2015-SOSP:Cross-checking semantic correctness: The case of finding file system bugs — 【tool-JUXTA
  6. 2016-USENIX:UniSan-Proactive Kernel Memory Initialization to Eliminate Data Leakages — 【note】【tool-unisan
  7. 2016-USENIX:APISan: Sanitizing API Usages through Semantic Cross-Checking — 【tool-apisan
  8. 2017-EUROSYS:DangSan - Scalable Use-after-free Detection — 【tool-dangsan
  9. 2017-USENIX-ATC:CAB-Fuzz: Practical Concolic Testing Techniques for COTS Operating Systems
  10. 2017-CCS:DIFUZE-Interface Aware Fuzzing for Kernel Drivers — 【note】【tool-difuze
  11. 2017-USENIX:Digtool: A Virtualization-Based Framework for Detecting Kernel Vulnerabilities — 【note】【note2】【note3】【note4】
  12. 2017-USENIX:How Double-Fetch Situations turn into Double-Fetch Vulnerabilities — 【note】【tool】
  13. 2017-USENIX:DR. CHECKER- A Soundy Analysis for Linux Kernel Drivers — 【tool-dr_checker
  14. 2017-USENIX:kAFL- Hardware-Assisted Feedback Fuzzing for OS Kernels — 【note】【tool-kAFL
  15. 2018-S&P:DEADLINE-Precise and Scalable Detection of Double-Fetch Bugs in OS Kernels — 【note】【note2】【note3】【tool-DEADLINE
  16. 2018-CCS:Check It Again- Detecting Lacking-Recheck Bugs in OS Kernels — 【note】【note2】【tool-LRSan
  17. 2018-USENIX:MoonShine:Optimizing OS Fuzzer Seed Selection with Trace Distillation — 【note】【note2】【tool-moonshine
  18. 2018-NDSS:K-Miner: Uncovering Memory Corruption in Linux — 【note】【note2】【tool-K-Miner
  19. 2019-S&P:Razzer:Finding Kernel Race Bugs through Fuzzing — 【note】【note2】【note3】【tool-razzer
  20. 2019-WOOT-Workshop:Unicorefuzz- On the Viability of Emulation for Kernelspace Fuzzing — 【tool-unicorefuzz
  21. 2019-FSE:Detecting Concurrency Memory Corruption Vulnerabilities — 【tool-CONVUL
  22. 2019-S&P:Fuzzing File Systems via Two-Dimensional Input Space Exploration — 【note】【note2】【tool-JANUS】
  23. 2019-USENIX:Detecting Missing-Check Bugs via Semantic- and Context-Aware Criticalness and Constraints Inferences — 【tool-CRIX
  24. 2019-USENIX-ATC:Effective Static Analysis of Concurrency Use-After-Free Bugs in Linux Device Drivers — 【note】
  25. 2019-NDSS:PeriScope:An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary — 【note】【tool-periscope
  26. 2018-USENIX-ATC:DSAC: Effective Static Analysis of Sleep-in-Atomic-Context Bugs in Kernel Modules
  27. 2020-TOCS:Effective Detection of Sleep-in-atomic-context Bugs in the Linux Kernel
  28. 2020-NDSS:HFL: Hybrid Fuzzing on the Linux Kernel — 【note】【note2】
  29. 2020-S&P:Krace: Data Race Fuzzing for Kernel File Systems

(3) kernel defense

  1. 2011-NDSS:Practical Protection of Kernel Integrity for Commodity OS from Untrusted Extensions
  2. 2011-NDSS:SigGraph - Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures
  3. 2011-NDSS:Efficient Monitoring of Untrusted Kernel-Mode Execution
  4. 2012-NDSS:Kruiser - Semi-synchronized Non-blocking Concurrent Kernel Heap Buffer Overflow Monitoring
  5. 2012-OSDI:Improving Integer Security for Systems with KINT
  6. 2012-S&P:Smashing the Gadgets - Hindering Return-Oriented Programming Using In-place Code Randomization
  7. 2012-USS:Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization
  8. 2013-EUROSYS:Process firewalls - protecting processes during resource access
  9. 2013-NDSS:Attack Surface Metrics and Automated Compile-Time OS Kernel Tailoring
  10. 2013-S&P:Just-In-Time Code Reuse - On the Effectiveness of Fine-Grained Address Space Layout Randomization
  11. 2014-CCS:A Tale of Two Kernels - Towards Ending Kernel Hardening Wars with Split Kernel
  12. 2014-NDSS:ROPecker - A Generic and Practical Approach For Defending Against ROP Attacks
  13. 2014-OSDI:Jitk - A Trustworthy In-Kernel Interpreter Infrastructure
  14. 2014-S&P:KCoFI - Complete Control-Flow Integrity for Commodity Operating System Kernels
  15. 2014-S&P:Dancing with Giants - Wimpy Kernels for On-Demand Isolated I/O
  16. 2015-NDSS:Preventing Use-after-free with Dangling Pointers Nullification
  17. 2016-NDSS:Enforcing Kernel Security Invariants with Data Flow Integrity
  18. 2016-OSDI:Light-Weight Contexts - An OS Abstraction for Safety and Performance
  19. 2016-OSDI:EbbRT - A Framework for Building Per-Application Library Operating Systems
  20. 2017-EUROSYS:A Characterization of State Spill in Modern Operating Systems
  21. 2017-EUROSYS:kR^X: Comprehensive Kernel Protection Against Just-In-Time Code Reuse — 【slides】
  22. 2017-NDSS:PT-Rand - Practical Mitigation of Data-only Attacks against Page Tables
  23. 2017-S&P:NORAX - Enabling Execute-Only Memory for COTS Binaries on AArch64
  24. 2017-CCS:FreeGuard - A Faster Secure Heap Allocator
  25. 2017-USENIX:Lock-in-Pop - Securing Privileged Operating System Kernels by Keeping on the Beaten Path
  26. 2017-USENIX:Can’t Touch This: Software-only Mitigation against Rowhammer Attacks targeting Kernel Memory
  27. 2017-USENIX:Oscar: A Practical Page-Permissions-Based Scheme for Thwarting Dangling Pointers
  28. 2019-S&P:LBM - A Security Framework for Peripherals within the Linux Kernel
  29. 2019-S&P:SoK - Shining Light on Shadow Stacks
  30. 2019-S&P:SoK - Sanitizing for Security
  31. 2019-USENIX:PeX: A Permission Check Analysis Framework for Linux Kernel
  32. 2019-USENIX:ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK)
  33. 2019-USENIX:LXDs - Towards Isolation of Kernel Subsystems
  34. 2019-USENIX:SafeHidden: An Efficient and Secure Information Hiding Technique Using Re-randomization
  35. 2020-S&P:xMP: Selective Memory Protection for Kernel and User Space
  36. 2020-S&P:SEIMI: Efficient and Secure SMAP-Enabled Intra-process Memory Isolation

other resources:

  1. security things in every version of Linux mainline
  2. PaX code analysis
  3. A Decade of Linux Kernel Vulnerabilities, their Mitigation and Open Problems-2017
  4. linux-kernel-defence-map
  5. The State of Kernel Self Protection-2018

(4) Android

  1. 2020-USENIX:Automatic Hot Patch Generation for Android Kernels — automatic patching of Android kernels 【note】

3. CVE

  1. Analysis of the Linux kernel 4.20 BPF integer overflow vulnerability
  2. 【CVE-2017-16995】Analysis of the privilege-escalation vulnerability caused by an integer extension bug in the Linux eBPF module
  3. 【CVE-2017-7184】Analysis of the out-of-bounds read/write privilege-escalation vulnerability in the Linux xfrm module

4. Tool


5. Debug & other techniques

  1. Linux two-machine kernel debugging
  2. A First Look at Linux Kernel Exploitation (1): Environment Setup
  3. 【Linux kernel debugging】SystemTap usage tips
  4. 【Linux kernel debugging】Using ftrace to hook Linux kernel functions
  5. 【Linux kernel debugging】Comparison of the ftrace, kprobes and SystemTap kernel debugging methods
  6. 【KVM】Learning KVM: implementing your own kernel

Reference:

linux-security-papers

linux-kernel-exploitation

GoSSIP Software Security Group