
Attacking the Linux Kernel

4200€ | 9th to the 12th of October 2023 | Espace Vinci, Rue des Jeuneurs, Paris, France

This training guides researchers through the field of Linux kernel security. In a series of exercise-driven labs, the training explores the process of finding, assessing, and exploiting kernel bugs in a modern Linux distribution on the x86-64 architecture.

Besides providing a foundation for writing Linux kernel exploits, the training covers the no less important areas of finding kernel bugs and evaluating their security impact. This includes chapters on using and extending dynamic bug-finding tools, writing custom fuzzers, and analyzing crashes.

The training starts with beginner topics and proceeds into a few advanced areas as well.


Objectives of the training

Security-relevant Linux kernel internals and attack surface.

Usage, internals, and extension of Kernel Address Sanitizer (KASAN).

Writing and evaluating kernel-specific fuzzing harnesses.

Collecting kernel code coverage with KCOV.

Practical usage and basic internals of syzkaller.

Kernel privilege escalation techniques.

In-kernel Return-Oriented Programming (ROP).

KASLR, SMEP, SMAP, and KPTI bypasses.

Exploiting stack, global, and slab (heap) vulnerabilities.

Exploiting use-after-free (UAF) and out-of-bounds (OOB) vulnerabilities.

The trainer

Who will run this training?

Andrey Konovalov

xairy.io
@andreyknvl

Andrey Konovalov is a security researcher focusing on the Linux kernel.

Andrey found multiple zero-day bugs in the Linux kernel and published proof-of-concept exploits for these bugs to demonstrate the impact. Andrey is a contributor to several security-related Linux kernel subsystems and tools: KASAN — a fast dynamic bug detector, syzkaller — a production-grade kernel fuzzer, and Arm Memory Tagging Extension (MTE) — an exploit mitigation.

Andrey spoke at security conferences such as OffensiveCon, Android Security Symposium, Linux Security Summit, LinuxCon, and PHDays. Andrey also maintains a collection of Linux kernel security–related materials and a channel on Linux kernel security.

See xairy.io for all Andrey's articles, talks, and projects.

Syllabus

What will we do?

Agenda

Day 1 — Internals and Sanitizers
  • Internals and debugging: x86-64 architecture refresher; security-relevant Linux kernel internals and attack surface; types of kernel vulnerabilities; setting up a debugging environment with VMware; using GDB to debug the kernel and its modules.
  • Detecting bugs: using KASAN to detect and analyze memory corruptions; KASAN internals and extension; reading kernel bug reports; assessing impact of kernel bugs.
Day 2 — Fuzzing
  • General fuzzing: writing and evaluating kernel-specific fuzzing harnesses; Human-in-the-Loop fuzzing; collecting kernel code coverage with KCOV; using KCOV remote coverage.
  • Fuzzing with syzkaller: API-aware fuzzing; coverage-guided fuzzing; using syzkaller; writing syscall descriptions.
Day 3 — Exploitation basics
  • Escalating privileges: ret2usr, overwriting the cred structure, overwriting modprobe_path; arbitrary address execution and arbitrary address read/write primitives.
  • Bypassing mitigations: KASLR, SMEP, SMAP, and KPTI bypass techniques; in-kernel Return-Oriented Programming (ROP).
  • Exploiting slab corruptions: slab out-of-bounds and use-after-free vulnerabilities; SLUB internals; slab spraying; slab-specific mitigations.
Day 4 — Modern slab exploitation
  • Modern slab exploitation techniques: elastic objects; userfaultfd and FUSE; cross-cache attacks; data-only exploitation.
  • Beyond: learning advanced exploitation techniques; useful references.

Student requirements

  • Working C knowledge.
  • Familiarity with x86-64 architecture and x86-64 assembly.
  • Familiarity with GDB (GNU Debugger).
  • Familiarity with common types of vulnerabilities and exploitation techniques for userspace applications.

No prior knowledge of Linux kernel internals is required.

Hardware requirements

  • At least 100 GB of free disk space.
  • At least 12 GB of RAM.
  • Ability to plug in an untrusted USB drive (relevant for corporate laptops).

Software requirements

  • Host OS: Linux (recommended) or Windows.
  • VMware Workstation Player.
  • 7-Zip.

Provided to students

A USB drive with:

  • Presentation slides.
  • Detailed lab guides with step-by-step instructions.
  • Virtual machine images with tools, exercise binaries, and source code.
