March/April updates

author: Andrey Konovalov 2023-05-01 22:37:21 +0200
committer: Andrey Konovalov 2023-05-01 22:37:21 +0200
commit: 5ec0dd2837113e9199b76006391ff8e50c60425c (patch)
tree: 66d304a1511cee46f0315df4000b09b922993c12
parent: 3c04e1d76be5b83cf7a15ccab97f7afe78f29da4 (diff)
1 files changed, 34 insertions, 0 deletions
diff --git a/README.md b/README.md
index 77f0dab..0320473 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 ### Exploitation
+[2023: "The Return of Stack Overflows in the Linux Kernel" by Davide Ornaghi](https://conference.hitb.org/hitbsecconf2023ams/materials/D2%20COMMSEC%20-%20The%20Return%20of%20Stack%20Overflows%20in%20the%20Linux%20Kernel%20-%20Davide%20Ornaghi.pdf) [slides]
 [2023: "Exploiting null-dereferences in the Linux kernel" by Seth Jenkins](https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html)
 [2023: "PSPRAY: Timing Side-Channel based Linux Kernel Heap Exploitation Technique"](https://www.usenix.org/system/files/sec23summer_79-lee-prepub.pdf) [paper]
@@ -110,6 +112,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 [2020: "Structures that can be used in kernel exploits"](https://ptr-yudai.hatenablog.com/entry/2020/03/16/165628) [article]
+[2019: "Linux Kernel: the ROP Exploit of Stack Overflow in Android Kernel"](https://medium.com/@knownsec404team/linux-kernel-the-rop-exploit-of-stack-overflow-in-android-kernel-87aa8eda770d) [article]
 [2019: "Hands Off and Putting SLAB/SLUB Feng Shui in Blackbox" by Yueqi (Lewis) Chen at Black Hat Europe](https://i.blackhat.com/eu-19/Wednesday/eu-19-Chen-Hands-Off-And-Putting-SLAB-SLUB-Feng-Shui-In-A-Blackbox.pdf) [slides] [[code](https://www.dropbox.com/sh/2kwcwqb8rjro80j/AAC8QBCIhcCylNUDLUd1OZCZa?dl=0)]
 [2019: "SLAKE: Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel" by Yueqi (Lewis) Chen and Xinyu Xing](http://personal.psu.edu/yxc431/publications/SLAKE_Slides.pdf) [slides] [[paper](http://personal.psu.edu/yxc431/publications/SLAKE.pdf)]
@@ -219,6 +223,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 ### Protection Bypasses
+[2023: "Linux Kernel: Spectre v2 SMT mitigations problem" by Eduardo Vela](https://github.com/google/security-research/security/advisories/GHSA-mj4w-6495-6crx) [article]
 [2022: "A Dirty Little History: Bypassing Spectre Hardware Defenses to Leak Kernel Data"](https://i.blackhat.com/USA-22/Thursday/US-22-Frigo-A-Dirty-Little-History.pdf) [slides]
 [2022: "Tetragone: A Lesson in Security Fundamentals" by Pawel Wieczorkiewicz and Brad Spengler](https://grsecurity.net/tetragone_a_lesson_in_security_fundamentals) [article]
@@ -326,8 +332,18 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 ### LPE
+[2023: "Pwning Pixel 6 with a leftover patch" by Man Yue Mo](https://github.blog/2023-04-06-pwning-pixel-6-with-a-leftover-patch/) [article] [GHSL-2023-005]
+[2023: "Revisiting CVE-2017-11176" by Nils Ole Timm](https://labs.bluefrostsecurity.de/revisiting-cve-2017-11176) [article] [CVE-2017-11176]
+[2023: "Rooting the FiiO M6" by Jack Maginnes](https://stigward.github.io/posts/fiio-m6-kernel-bug/) [article] [[part 2](https://stigward.github.io/posts/fiio-m6-exploit/)]
+[2023: "Exploiting CVE-2021-3490 for Container Escapes" by Karsten Kyonig](https://www.crowdstrike.com/blog/exploiting-cve-2021-3490-for-container-escapes/) [article] [CVE-2021-3490]
 [2023: "Pwning the all Google phone with a non-Google bug"](https://github.blog/2023-01-23-pwning-the-all-google-phone-with-a-non-google-bug/) [article] [CVE-2022-38181]
+[2022: "CVE-2022-22265: Samsung NPU device driver double free in Android" by Xingyu Jin](https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-22265.html) [article] [CVE-2022-22265]
 [2022: "Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg" by Sergi Martinez](https://blog.exodusintel.com/2022/12/19/linux-kernel-exploiting-a-netfilter-use-after-free-in-kmalloc-cg/) [article] [CVE-2022-32250]
 [2022: "Exploiting CVE-2022-42703 - Bringing back the stack attack" by Seth Jenkins](https://googleprojectzero.blogspot.com/2022/12/exploiting-CVE-2022-42703-bringing-back-the-stack-attack.html) [article] [CVE-2022-42703]
@@ -787,10 +803,14 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 ## Finding Bugs
+[2023: "Precise Detection of Kernel Data Races with Probabilistic Lockset Analysis"](https://www.cs.columbia.edu/~gabe/files/oakland2023_pla.pdf) [paper]
 [2023: "No Grammar, No Problem: Towards Fuzzing the Linux Kernel without System-Call Descriptions"](https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_f688_paper.pdf) [paper]
 [2023: "FirmSolo: Enabling dynamic analysis of binary Linux-based IoT kernel modules"](https://www.usenix.org/system/files/sec23summer_190-angelakopoulos-prepub.pdf) [paper]
+[2022: "Event-based Fuzzing, Patch-based Research, and Comment Police: Finding Bugs Through a Bug"](https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-LiYang-Event-based-Fuzzing-Patch-based.pdf) [slides] [[video](https://www.youtube.com/watch?v=mPiv0eZlx9w)]
 [2022: "Breaking the Glass Sandbox - Find Linux Kernel Bugs and Escape" by Valentina Palmiotti at REcon](https://cfp.recon.cx/media/2022/submissions/EVBN3B/resources/recon_7TKNBIm.pdf) [slides] [[video](https://www.youtube.com/watch?v=2R46lJsOOTE)]
 [2022: "Sanitizing the Linux kernel: On KASAN and other Dynamic Bug-finding Tools" by Andrey Konovalov](https://docs.google.com/presentation/d/1qA8fqRDHKX_WM_ZdDN37EQQZwSTNJ4FFws82tbUSKxY/edit?usp=sharing) [slides] [[video](https://www.youtube.com/watch?v=KmFVPyHyfqQ)] [[article](https://lwn.net/Articles/909245/)]
@@ -873,6 +893,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 [2021: "Dynamic program analysis for fun and profit" by Dmitry Vyukov](https://linuxfoundation.org/wp-content/uploads/Dynamic-program-analysis_-LF-Mentorship.pdf) [slides] [[video](https://www.youtube.com/watch?v=ufcyOkgFZ2Q)]
+[2020: "UBITect: A Precise and Scalable Method to Detect Use-before-Initialization Bugs in Linux Kernel"](https://dl.acm.org/doi/pdf/10.1145/3368089.3409686) [paper]
 [2020: "RetroWrite: Statically Instrumenting COTS Binaries for Fuzzing and Sanitization"](https://nebelwelt.net/files/20Oakland.pdf) [paper] [[tool](https://github.com/HexHive/RetroWrite)]
 [2020: "Fuzzing a Pixel 3a Kernel with Syzkaller" by senyuuri](https://blog.senyuuri.info/2020/04/16/fuzzing-a-pixel-3a-kernel-with-syzkaller/) [article]
@@ -1016,8 +1038,12 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 ["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map)
+[2023: "Mobile Exploitation - The past, present, and the future" by Ki Chan Ahn](https://github.com/externalist/presentations/blob/master/2023%20Zer0con/Mobile%20Exploitation%2C%20the%20past%2C%20present%2C%20and%20future.pdf) [slides]
 [2023: "Bounded Flexible Arrays in C" by Kees Cook](https://people.kernel.org/kees/bounded-flexible-arrays-in-c) [article]
+[2022: "Survey of security mitigations and architectures, December 2022" by Saar Amar](https://saaramar.github.io/memory_safety_blogpost_2022/) [article]
 [2022: "Canary in the Kernel Mine: Exploiting and Defending Against Same-Type Object Reuse" by Mathias Krause](https://grsecurity.net/exploiting_and_defending_against_same_type_object_reuse) [article] [[reference exploits](https://github.com/opensrcsec/same_type_object_reuse_exploits)]
 [2022: "Making Linux Kernel Exploit Cooking Harder"](https://security.googleblog.com/2022/08/making-linux-kernel-exploit-cooking.html) [article] [[reference exploits](https://docs.google.com/document/d/1a9uUAISBzw3ur1aLQqKc5JOQLaJYiOP5pe_B4xCT1KA/edit?usp=sharing)] [[proposed mitigations](https://github.com/thejh/linux/blob/slub-virtual/MITIGATION_README)]
@@ -1312,6 +1338,8 @@ https://github.com/SmoothHacker/LateRegistration
 https://github.com/sslab-gatech/janus
+https://github.com/google/buzzer
 ### Assorted
@@ -1385,6 +1413,10 @@ https://github.com/marin-m/vmlinux-to-elf
 [github.com/AravGarg/kernel-hacking/ctf-challs](https://github.com/AravGarg/kernel-hacking/tree/master/ctf-challs)
+HackTheBox (knote): [writeup](https://pwning.tech/knote/)
+BFS Ekoparty 2022 (blunder): [writeup](https://klecko.github.io/posts/bfs-ekoparty-2022/)
 D^3CTF 2022 (d3bpf): [writeup](https://stdnoerr.github.io/writeup/2022/08/21/eBPF-exploitation-(ft.-D-3CTF-d3bpf).html), [writeup 2](https://github.com/chujDK/d3ctf2022-pwn-d3bpf-and-v2)
 zer0pts CTF 2022 (kRCE): [writeup](https://www.willsroot.io/2022/03/zer0pts-ctf-2022-krce-writeup.html)
@@ -1588,3 +1620,5 @@ https://kernel.dance/
 https://github.com/0xricksanchez/like-dbg
 https://github.com/ameetsaahu/Kernel-exploitation
+https://github.com/cmu-pasta/linux-kernel-enriched-corpus
author	Andrey Konovalov	2023-05-01 22:37:21 +0200
committer	Andrey Konovalov	2023-05-01 22:37:21 +0200
commit	5ec0dd2837113e9199b76006391ff8e50c60425c (patch)
tree	66d304a1511cee46f0315df4000b09b922993c12
parent	3c04e1d76be5b83cf7a15ccab97f7afe78f29da4 (diff)