| author | Andrey Konovalov | 2018-02-07 21:03:26 +0100 |
|---|---|---|
| committer | GitHub | 2018-02-07 21:03:26 +0100 |
| commit | 2851b23d350ffe34d40c2185f012aa1308697301 (patch) | |
| tree | 7040f329220cb8d0c1a765f42678a36af9266a48 /README.md | |
| parent | 059100a0c7519e11215da7830dc33ca8a730d447 (diff) | |
Update README.md
Diffstat (limited to 'README.md')
| -rw-r--r-- | README.md | 26 |
1 files changed, 24 insertions, 2 deletions
| @@ -14,6 +14,10 @@ Pull requests are welcome. | |||
| 14 | 14 | ||
| 15 | [2017: "KERNELFAULT: Pwning Linux using Hardware Fault Injection" by Niek Timmers and Cristofaro Mune](https://www.youtube.com/watch?v=nqF_IjXg_uM) [video] | 15 | [2017: "KERNELFAULT: Pwning Linux using Hardware Fault Injection" by Niek Timmers and Cristofaro Mune](https://www.youtube.com/watch?v=nqF_IjXg_uM) [video] |
| 16 | 16 | ||
| 17 | [2017: "Escalating Privileges in Linux using Fault Injection" by Niek Timmers and Cristofaro Mune](https://www.riscure.com/uploads/2017/10/escalating-privileges-in-linux-using-fi-presentation-fdtc-2017.pdf) [slides] | ||
| 18 | |||
| 19 | [2017: "Escalating Privileges in Linux using Fault Injection" by Niek Timmers and Cristofaro Mune](https://www.riscure.com/uploads/2017/10/Riscure_Whitepaper_Escalating_Privileges_in_Linux_using_Fault_Injection.pdf) [whitepaper] | ||
| 20 | |||
| 17 | [2017: "Kernel Driver mmap Handler Exploitation" by Mateusz Fruba](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-mmap-exploitation-whitepaper-2017-09-18.pdf) [whitepaper] | 21 | [2017: "Kernel Driver mmap Handler Exploitation" by Mateusz Fruba](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-mmap-exploitation-whitepaper-2017-09-18.pdf) [whitepaper] |
| 18 | 22 | ||
| 19 | [2017: "Linux kernel addr_limit bug / exploitation" by Vitaly Nikolenko](https://www.youtube.com/watch?v=UFakJa3t8Ls) [video] | 23 | [2017: "Linux kernel addr_limit bug / exploitation" by Vitaly Nikolenko](https://www.youtube.com/watch?v=UFakJa3t8Ls) [video] |
| @@ -24,6 +28,8 @@ Pull requests are welcome. | |||
| 24 | 28 | ||
| 25 | [2017: "Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying"](https://www.internetsociety.org/sites/default/files/ndss2017_09-2_Lu_paper.pdf) [whitepaper] | 29 | [2017: "Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying"](https://www.internetsociety.org/sites/default/files/ndss2017_09-2_Lu_paper.pdf) [whitepaper] |
| 26 | 30 | ||
| 31 | [2016: "Getting Physical Extreme abuse of Intel based Paging Systems" by Nicolas Economou and Enrique Nissim](https://www.coresecurity.com/system/files/publications/2016/05/CSW2016%20-%20Getting%20Physical%20-%20Extended%20Version.pdf) [slides] | ||
| 32 | |||
| 27 | [2016: "Linux Kernel ROP - Ropping your way to # (Part 1)" by Vitaly Nikolenko](https://www.trustwave.com/Resources/SpiderLabs-Blog/Linux-Kernel-ROP---Ropping-your-way-to---(Part-1)/) [article] | 33 | [2016: "Linux Kernel ROP - Ropping your way to # (Part 1)" by Vitaly Nikolenko](https://www.trustwave.com/Resources/SpiderLabs-Blog/Linux-Kernel-ROP---Ropping-your-way-to---(Part-1)/) [article] |
| 28 | 34 | ||
| 29 | [2016: "Linux Kernel ROP - Ropping your way to # (Part 2)" by Vitaly Nikolenko](https://www.trustwave.com/Resources/SpiderLabs-Blog/Linux-Kernel-ROP---Ropping-your-way-to---(Part-2)/) [article] | 35 | [2016: "Linux Kernel ROP - Ropping your way to # (Part 2)" by Vitaly Nikolenko](https://www.trustwave.com/Resources/SpiderLabs-Blog/Linux-Kernel-ROP---Ropping-your-way-to---(Part-2)/) [article] |
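Review bot: the title added at new line 31, "Getting Physical Extreme abuse of Intel based Paging Systems", runs the title and subtitle together with no separator; the neighbouring entries punctuate subtitles (e.g. "Linux Kernel ROP - Ropping your way to #"), so consider `[2016: "Getting Physical: Extreme abuse of Intel based Paging Systems" by Nicolas Economou and Enrique Nissim]` to keep the list consistent.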
| @@ -104,6 +110,8 @@ Pull requests are welcome. | |||
| 104 | 110 | ||
| 105 | [2017: "Exploiting CVE-2017-5123" by Federico Bento](https://reverse.put.as/2017/11/07/exploiting-cve-2017-5123/) [article, CVE-2017-5123] | 111 | [2017: "Exploiting CVE-2017-5123" by Federico Bento](https://reverse.put.as/2017/11/07/exploiting-cve-2017-5123/) [article, CVE-2017-5123] |
| 106 | 112 | ||
| 113 | [2017: "Escaping Docker container using waitid() – CVE-2017-5123" by Daniel Shapira](https://www.twistlock.com/2017/12/27/escaping-docker-container-using-waitid-cve-2017-5123/) [article, CVE-2017-5123] | ||
| 114 | |||
| 107 | [2017: "Exploiting on CVE-2016-6787"](https://hardenedlinux.github.io/system-security/2017/10/16/Exploiting-on-CVE-2016-6787.html) [article, CVE-2016-6787] | 115 | [2017: "Exploiting on CVE-2016-6787"](https://hardenedlinux.github.io/system-security/2017/10/16/Exploiting-on-CVE-2016-6787.html) [article, CVE-2016-6787] |
| 108 | 116 | ||
| 109 | [2017: "Race For Root: The Analysis Of The Linux Kernel Race Condition Exploit" by Alexander Popov](https://www.youtube.com/watch?v=g7Qm0NpPAz4) [video, CVE-2017-2636] | 117 | [2017: "Race For Root: The Analysis Of The Linux Kernel Race Condition Exploit" by Alexander Popov](https://www.youtube.com/watch?v=g7Qm0NpPAz4) [video, CVE-2017-2636] |
| @@ -202,8 +210,6 @@ Pull requests are welcome. | |||
| 202 | 210 | ||
| 203 | [2010: "Exploiting large memory management vulnerabilities in Xorg server running on Linux" by Rafal Wojtczuk](http://invisiblethingslab.com/resources/misc-2010/xorg-large-memory-attacks.pdf) [article, CVE-2010-2240] | 211 | [2010: "Exploiting large memory management vulnerabilities in Xorg server running on Linux" by Rafal Wojtczuk](http://invisiblethingslab.com/resources/misc-2010/xorg-large-memory-attacks.pdf) [article, CVE-2010-2240] |
| 204 | 212 | ||
| 205 | [2010: "Some Notes on CVE-2010-3081 Exploitability"](https://blog.nelhage.com/2010/11/exploiting-cve-2010-3081/) [article, CVE-2010-3081] | ||
| 206 | |||
| 207 | [2010: "CVE-2010-4258: Turning Denial-of-service Into Privilege Escalation" by Nelson Elhage](https://blog.nelhage.com/2010/12/cve-2010-4258-from-dos-to-privesc/) [article, CVE-2010-4258] | 213 | [2010: "CVE-2010-4258: Turning Denial-of-service Into Privilege Escalation" by Nelson Elhage](https://blog.nelhage.com/2010/12/cve-2010-4258-from-dos-to-privesc/) [article, CVE-2010-4258] |
| 208 | 214 | ||
| 209 | [2010: "CVE-2007-4573: The Anatomy of a Kernel Exploit" by Nelson Elhage](https://blog.nelhage.com/2010/02/cve-2007-4573-the-anatomy-of-a-kernel-exploit/) [article, CVE-2007-4573] | 215 | [2010: "CVE-2007-4573: The Anatomy of a Kernel Exploit" by Nelson Elhage](https://blog.nelhage.com/2010/02/cve-2007-4573-the-anatomy-of-a-kernel-exploit/) [article, CVE-2007-4573] |
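Review bot: the removal of the CVE-2010-3081 entry at old line 205 is only correct as a move, since the same line reappears verbatim at new line 225 in the following hunk beside the new Oracle "Anatomy of an exploit" write-up for the same CVE; the net effect is regrouping rather than dropping a reference. The commit message "Update README.md" does not say that; a message along the lines of "Group CVE-2010-3081 references and add ksplice write-up" would make the intent visible in the log.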
| @@ -216,6 +222,10 @@ Pull requests are welcome. | |||
| 216 | 222 | ||
| 217 | [2010: "linux compat vulns (part 2)" by Ben Hawkes](http://inertiawar.com/compat2/) [article, CVE-2010-3301] | 223 | [2010: "linux compat vulns (part 2)" by Ben Hawkes](http://inertiawar.com/compat2/) [article, CVE-2010-3301] |
| 218 | 224 | ||
| 225 | [2010: "Some Notes on CVE-2010-3081 Exploitability"](https://blog.nelhage.com/2010/11/exploiting-cve-2010-3081/) [article, CVE-2010-3081] | ||
| 226 | |||
| 227 | [2010: "Anatomy of an exploit: CVE-2010-3081"](https://blogs.oracle.com/ksplice/anatomy-of-an-exploit%3a-cve-2010-3081) [article, CVE-2010-3081] | ||
| 228 | |||
| 219 | [2010: "CVE-2010-4258: Turning denial-of-service into privilege escalation" by Nelson Elhage](https://blog.nelhage.com/2010/12/cve-2010-4258-from-dos-to-privesc/) [article, CVE-2010-4258] | 229 | [2010: "CVE-2010-4258: Turning denial-of-service into privilege escalation" by Nelson Elhage](https://blog.nelhage.com/2010/12/cve-2010-4258-from-dos-to-privesc/) [article, CVE-2010-4258] |
| 220 | 230 | ||
| 221 | [2009: "Linux NULL pointer dereference due to incorrect proto_ops initializations (CVE-2009-2692)"](http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html) [article, CVE-2009-2692] | 231 | [2009: "Linux NULL pointer dereference due to incorrect proto_ops initializations (CVE-2009-2692)"](http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html) [article, CVE-2009-2692] |
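Review bot: the context lines of this hunk and the previous one show the README carrying the CVE-2010-4258 entry twice (new lines 213 and 229, identical URL, differing only in title capitalisation). Since this change already reshuffles the CVE-2010-3081 references across these two regions, it is a natural point to drop one of the duplicate CVE-2010-4258 lines as well.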
| @@ -277,6 +287,8 @@ Pull requests are welcome. | |||
| 277 | 287 | ||
| 278 | ## Defensive | 288 | ## Defensive |
| 279 | 289 | ||
| 290 | [2018, Linux Conf AU: "The State of Kernel Self Protection" by Kees Cook](https://outflux.net/slides/2018/lca/kspp.pdf) [slides] | ||
| 291 | |||
| 280 | [2017: "Towards Linux Kernel Memory Safety"](https://arxiv.org/pdf/1710.06175.pdf) [whitepaper] | 292 | [2017: "Towards Linux Kernel Memory Safety"](https://arxiv.org/pdf/1710.06175.pdf) [whitepaper] |
| 281 | 293 | ||
| 282 | [2017: "Proposal of a Method to Prevent Privilege Escalation Attacks for Linux Kernel"](https://events.linuxfoundation.org/sites/events/files/slides/nakamura_20170831_1.pdf) [slides] | 294 | [2017: "Proposal of a Method to Prevent Privilege Escalation Attacks for Linux Kernel"](https://events.linuxfoundation.org/sites/events/files/slides/nakamura_20170831_1.pdf) [slides] |
| @@ -297,6 +309,8 @@ Pull requests are welcome. | |||
| 297 | 309 | ||
| 298 | [2015: "Protecting Commodity Operating Systems through Strong Kernel Isolation" by Vasileios Kemerlis](http://www.cs.columbia.edu/~angelos/Papers/theses/vpk_thesis.pdf) [whitepaper] | 310 | [2015: "Protecting Commodity Operating Systems through Strong Kernel Isolation" by Vasileios Kemerlis](http://www.cs.columbia.edu/~angelos/Papers/theses/vpk_thesis.pdf) [whitepaper] |
| 299 | 311 | ||
| 312 | [2014: "Kernel Self-Protection through Quantified Attack Surface Reduction" by Anil Kurmus](https://publikationsserver.tu-braunschweig.de/servlets/MCRFileNodeServlet/digibib_derivate_00036154/Diss_Kurmus_Anil.pdf) [whitepaper] | ||
| 313 | |||
| 300 | [2013: "KASLR: An Exercise in Cargo Cult Security" by Brad Spengler](https://forums.grsecurity.net/viewtopic.php?f=7&t=3367) [article] | 314 | [2013: "KASLR: An Exercise in Cargo Cult Security" by Brad Spengler](https://forums.grsecurity.net/viewtopic.php?f=7&t=3367) [article] |
| 301 | 315 | ||
| 302 | [2012: "How do I mitigate against NULL pointer dereference vulnerabilities?" by RedHat](https://access.redhat.com/articles/20484) [article] | 316 | [2012: "How do I mitigate against NULL pointer dereference vulnerabilities?" by RedHat](https://access.redhat.com/articles/20484) [article] |
| @@ -306,6 +320,8 @@ Pull requests are welcome. | |||
| 306 | 320 | ||
| 307 | ## Fuzzing & detectors | 321 | ## Fuzzing & detectors |
| 308 | 322 | ||
| 323 | [2017: "The android vulnerability discovery in SoC" by Yu Pan and Yang Dai](http://powerofcommunity.net/poc2017/yu.pdf) [slides] | ||
| 324 | |||
| 309 | [2017, Black Hat USA: "Evolutionary Kernel Fuzzing" by Richard Johnson](https://moflow.org/Presentations/Evolutionary%20Kernel%20Fuzzing-BH2017-rjohnson-FINAL.pdf) [slides] | 325 | [2017, Black Hat USA: "Evolutionary Kernel Fuzzing" by Richard Johnson](https://moflow.org/Presentations/Evolutionary%20Kernel%20Fuzzing-BH2017-rjohnson-FINAL.pdf) [slides] |
| 310 | 326 | ||
| 311 | [2017: "DIFUZE: Interface Aware Fuzzing for Kernel Drivers"](https://www.blackhat.com/docs/eu-17/materials/eu-17-Corina-Difuzzing-Android-Kernel-Drivers-wp.pdf) [whitepaper] | 327 | [2017: "DIFUZE: Interface Aware Fuzzing for Kernel Drivers"](https://www.blackhat.com/docs/eu-17/materials/eu-17-Corina-Difuzzing-Android-Kernel-Drivers-wp.pdf) [whitepaper] |
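Review bot: the new entry at line 323 writes "android" in lower case ("The android vulnerability discovery in SoC"); "Android" is a proper noun and the surrounding entries title-case their names, so consider capitalising it.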
| @@ -394,6 +410,10 @@ http://seclists.org/fulldisclosure/2010/Sep/268 | |||
| 394 | 410 | ||
| 395 | https://github.com/hardenedlinux/offensive_poc | 411 | https://github.com/hardenedlinux/offensive_poc |
| 396 | 412 | ||
| 413 | https://github.com/jiayy/android_vuln_poc-exp | ||
| 414 | |||
| 415 | https://github.com/brl/grlh | ||
| 416 | |||
| 397 | 417 | ||
| 398 | ## Practice | 418 | ## Practice |
| 399 | 419 | ||
| @@ -452,6 +472,8 @@ https://github.com/spencerdodd/kernelpop | |||
| 452 | 472 | ||
| 453 | https://github.com/vnik5287/kaslr_tsx_bypass | 473 | https://github.com/vnik5287/kaslr_tsx_bypass |
| 454 | 474 | ||
| 475 | http://www.openwall.com/lkrg/ | ||
| 476 | |||
| 455 | 477 | ||
| 456 | ## Unsorted | 478 | ## Unsorted |
| 457 | 479 | ||
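Review bot: the LKRG link added at line 475 sits next to kaslr_tsx_bypass, a KASLR bypass proof of concept, in a section whose heading is not visible in this hunk; LKRG is Openwall's runtime integrity checker for the kernel, a defensive project, so check that this section rather than the "## Defensive" section edited earlier in this patch is the intended home. The double blank line left before "## Unsorted" matches the pre-existing spacing at lines 454-455, so nothing to change there.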
