Assorted cleanups

- reorder sections - add contents table - fix malformed entries - sort most misc links - add goodreads links for books - spacing fixes
author: Andrey Konovalov 2021-05-03 21:00:01 +0200
committer: Andrey Konovalov 2021-05-04 00:03:55 +0200
commit: ca8a8c3f01d5f7feadca69c3c0f0d80321878dd6 (patch)
tree: 53a3d3dfb19f854835177598c51e619c72cbc534 /README.md
parent: 23baeac2e645896f5438a58a79a4a0b10f97ac40 (diff)
1 files changed, 228 insertions, 204 deletions
diff --git a/README.md b/README.md
index e755c56..86391ba 100644
--- a/README.md
+++ b/README.md
@@ -1,23 +1,44 @@
 Linux Kernel Exploitation
 =========================
-Pull requests are welcome.
+A collection of links related to Linux kernel security and exploitation.
-## Books
+Pull requests are welcome.
-2014: "Android Hacker's Handbook" by Joshua J. Drake
+- [Books](#books)
+- [Techniques](#techniques)
+        - [Exploitation](#exploitation)
+        - [Protection Bypasses](#protection-bypasses)
+- [Vulnerabilities](#vulnerabilities)
+        - [Info-leaks](#info-leaks)
+        - [LPE](#lpe)
+        - [RCE](#rce)
+        - [Other](#other)
+- [Finding Bugs](#finding-bugs)
+- [Defensive](#defensive)
+- [Exploits](#exploits)
+- [Tools](#tools)
+        - [Fuzzers](#fuzzers)
+        - [Assorted](#assorted)
+- [Practice](#practice)
+        - [Workshops](#workshops)
+        - [CTF Tasks](#ctf-tasks)
+        - [Other Tasks](#other-tasks)
+        - [Playgrounds](#playgrounds)
+        - [Infrastructure](#infrastructure)
+- [Misc](#misc)
-2012: "A Guide to Kernel Exploitation: Attacking the Core" by Enrico Perla and Massimiliano Oldani
+## Books
-## Workshops
+2014: "Android Hacker's Handbook" by Joshua J. Drake [[book](https://www.goodreads.com/book/show/17628293-android-hacker-s-handbook)]
-[2020: "pwn.college: Module: Kernel Security"](https://pwn.college/modules/kernel) [workshop]
+2012: "A Guide to Kernel Exploitation: Attacking the Core" by Enrico Perla and Massimiliano Oldani [[book](https://www.goodreads.com/book/show/9224826-a-guide-to-kernel-exploitation)] [[materials](https://github.com/yrp604/atc-sources)]
-[2020: "Android Kernel Exploitation" by Ashfaq Ansari](https://github.com/cloudfuzz/android-kernel-exploitation) [workshop]
+## Techniques
-## Exploitation Techniques
+### Exploitation
 [2021: "Linux Kernel Exploitation Technique: Overwriting modprobe_path"](https://lkmidas.github.io/posts/20210223-linux-kernel-pwn-modprobe/) [article]
@@ -83,7 +104,7 @@ Pull requests are welcome.
 [2016: "Getting Physical Extreme abuse of Intel based Paging Systems" by Nicolas Economou and Enrique Nissim](https://cansecwest.com/slides/2016/CSW2016_Economou-Nissim_GettingPhysical.pdf) [slides]
-[2016: "Linux Kernel ROP - Ropping your way to # (Part 1)" by Vitaly Nikolenko](https://www.trustwave.com/Resources/SpiderLabs-Blog/Linux-Kernel-ROP---Ropping-your-way-to---(Part-1)/) [article]
+[2016: "Linux Kernel ROP - Ropping your way to # (Part 1)" by Vitaly Nikolenko](https://www.trustwave.com/Resources/SpiderLabs-Blog/Linux-Kernel-ROP---Ropping-your-way-to---(Part-1)/) [article] [[exercise](https://github.com/vnik5287/kernel_rop)]
 [2016: "Linux Kernel ROP - Ropping your way to # (Part 2)" by Vitaly Nikolenko](https://www.trustwave.com/Resources/SpiderLabs-Blog/Linux-Kernel-ROP---Ropping-your-way-to---(Part-2)/) [article]
@@ -99,7 +120,7 @@ Pull requests are welcome.
 [2015: "From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel"](http://repository.root-me.org/Exploitation%20-%20Syst%C3%A8me/Unix/EN%20-%20From%20collision%20to%20exploitation%3A%20Unleashing%20Use-After-Free%20vulnerabilities%20in%20Linux%20Kernel.pdf) [paper]
-[2015: "Linux Kernel Exploitation" by Patrick Biernat](http://security.cs.rpi.edu/courses/binexp-spring2015/lectures/23/13_lecture.pdf) [slides]
+[2015: "Modern Binary Exploitation: Linux Kernel Exploitation" by Patrick Biernat](http://security.cs.rpi.edu/courses/binexp-spring2015/lectures/23/13_lecture.pdf) [slides] [[exercise](https://github.com/RPISEC/MBE/tree/master/src/lab10)]
 [2013: "Hacking like in the Movies: Visualizing Page Tables for Local Exploitation" at Black Hat](https://www.youtube.com/watch?v=Of6DemoMLaA)
@@ -111,7 +132,7 @@ Pull requests are welcome.
 [2012: "A Heap of Trouble: Breaking the Linux Kernel SLOB Allocator" by Dan Rosenberg](https://www.vsecurity.com//download/papers/slob-exploitation.pdf) [paper]
-[2012: "Attacking hardened Linux systems with kernel JIT spraying" by Keegan McAllister](https://mainisusuallyafunction.blogspot.ru/2012/11/attacking-hardened-linux-systems-with.html) [article]
+[2012: "Attacking hardened Linux systems with kernel JIT spraying" by Keegan McAllister](https://mainisusuallyafunction.blogspot.ru/2012/11/attacking-hardened-linux-systems-with.html) [article] [[code 1](https://github.com/kmcallister/alameda)] [[code 2](https://github.com/01org/jit-spray-poc-for-ksp)]
 [2012: "The Linux kernel memory allocators from an exploitation perspective" by Patroklos Argyroudis](https://argp.github.io/2012/01/03/linux-kernel-heap-exploitation/) [article]
@@ -142,12 +163,59 @@ Pull requests are welcome.
 [2005: "The story of exploiting kmalloc() overflows"](https://argp.github.io/public/kmalloc_exploitation.pdf) [article]
+## Protection Bypasses
+[2020: "Things not to do when using an IOMMU" by Ilja van Sprundel and Joseph Tartaro](https://www.youtube.com/watch?v=p1HUpSkHcZ0) [video]
+[2020: "SELinux RKP misconfiguration on Samsung S20 devices" by Vitaly Nikolenko](https://duasynt.com/blog/samsung-s20-rkp-selinux-disable) [article]
+[2020: "TagBleed: Breaking KASLR on the Isolated Kernel Address Space using Tagged TLBs"](https://download.vusec.net/papers/tagbleed_eurosp20.pdf) [paper]
+[2020: "Weaknesses in Linux Kernel Heap Hardening" by Silvio Cesare](https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html) [article]
+[2020: "An Analysis of Linux Kernel Heap Hardening" by Silvio Cesare](https://blog.infosectcbr.com.au/2020/04/an-analysis-of-linux-kernel-heap.html) [article]
+[2020: "PAN: Another day, another broken mitigation" by Siguza](https://siguza.github.io/PAN/) [article]
+[2019: "KNOX Kernel Mitigation Bypasses" by Dong-Hoon You at PoC](http://powerofcommunity.net/poc2019/x82.pdf) [slides]
+[2017: "Lifting the (Hyper) Visor: Bypassing Samsung’s Real-Time Kernel Protection" by Gal Beniamini](https://googleprojectzero.blogspot.com/2017/02/lifting-hyper-visor-bypassing-samsungs.html) [article]
+[2016: "Linux Kernel x86-64 bypass SMEP - KASLR - kptr_restric"](https://web.archive.org/web/20171029060939/http://www.blackbunny.io/linux-kernel-x86-64-bypass-smep-kaslr-kptr_restric/) [article]
+[2016: "Practical SMEP bypass techniques on Linux" by Vitaly Nikolenko at KIWICON](https://cyseclabs.com/slides/smep_bypass.pdf) [slides]
+[2016: "Micro architecture attacks on KASLR" by Anders Fogh"](https://cyber.wtf/2016/10/25/micro-architecture-attacks-on-kasrl/) [article]
+[2016: "Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR" by Dmitry Evtyushkin, Dmitry Ponomarev and Nael Abu-Ghazaleh](http://www.cs.ucr.edu/~nael/pubs/micro16.pdf) [slides]
+[2016: "Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR" by Daniel Gruss, Clementine Maurice, Anders Fogh, Moritz Lipp and Stefan Mangard at CCS](https://www.youtube.com/watch?v=TJTQbs3oJx8) [video]
+[2016: "Using Undocumented CPU Behavior to See Into Kernel Mode and Break KASLR in the Process" at Black Hat](https://www.youtube.com/watch?v=T3kmq2NLpH4) [video]
+[2016: "Breaking KASLR with Intel TSX" Yeongjin Jang, Sangho Lee and Taesoo Kim at Black Hat](https://www.blackhat.com/docs/us-16/materials/us-16-Jang-Breaking-Kernel-Address-Space-Layout-Randomization-KASLR-With-Intel-TSX.pdf) [slides] [[video](https://www.youtube.com/watch?v=rtuXG28g0CU)]
+[2016: "Breaking KASLR with micro architecture" by Anders Fogh](https://dreamsofastone.blogspot.ru/2016/02/breaking-kasrl-with-micro-architecture.html) [article]
+[2015: "Effectively bypassing kptr_restrict on Android" by Gal Beniamini](https://bits-please.blogspot.de/2015/08/effectively-bypassing-kptrrestrict-on.html) [article]
+[2014: "ret2dir: Deconstructing Kernel Isolation" by Vasileios P. Kemerlis, Michalis Polychronakis and Angelos D. Keromytis at Black Hat Europe](https://www.blackhat.com/docs/eu-14/materials/eu-14-Kemerlis-Ret2dir-Deconstructing-Kernel-Isolation-wp.pdf) [paper] [[video](https://www.youtube.com/watch?v=kot-EQ9zf9k)]
+[2013: "A Linux Memory Trick" by Dan Rosenberg](http://vulnfactory.org/blog/2013/02/06/a-linux-memory-trick/) [article]
+[2011: "SMEP: What is It, and How to Beat It on Linux" by Dan Rosenberg](http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/) [article]
+[2009: "Bypassing Linux' NULL pointer dereference exploit prevention (mmap_min_addr)"](http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html) [article]
 ## Vulnerabilities
 [Project Zero bug reports](https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=linux%20kernel&colspec=ID%20Type%20Status%20Priority%20Milestone%20Owner%20Summary&cells=ids&sort=-id)
+[Linux Kernel CVEs](https://www.linuxkernelcves.com/)
-### Information Leaks
+### Info-leaks
 [2021: "Spectre exploits in the "wild""](https://dustri.org/b/spectre-exploits-in-the-wild.html) [article]
@@ -198,7 +266,7 @@ Pull requests are welcome.
 [2020: "Kernel Exploitation With A File System Fuzzer"](https://cyberweek.ae/materials/2020/D1T2%20-%20Kernel%20Exploitation%20with%20a%20File%20System%20Fuzzer.pdf) [slides, CVE-2019-19377] [[video](https://www.youtube.com/watch?v=95f1b4FcrQ4)]
-[2020: "Finding and exploiting a bug (LPE) in an old Android phone" by Brandon Falk] [stream] [part 2](https://www.youtube.com/watch?v=qnyFk-f3Koo) [summary](https://www.youtube.com/watch?v=t-t7D0vQNmo)
+[2020: "Finding and exploiting a bug (LPE) in an old Android phone" by Brandon Falk](https://www.youtube.com/watch?v=g62FXds2pt8) [stream] [[part 2](https://www.youtube.com/watch?v=qnyFk-f3Koo)] [[summary](https://www.youtube.com/watch?v=t-t7D0vQNmo)]
 [2020: "CVE-2020-14386: Privilege Escalation Vulnerability in the Linux kernel" by Or Cohen](https://unit42.paloaltonetworks.com/cve-2020-14386/) [article, CVE-2020-14386]
@@ -455,147 +523,7 @@ Pull requests are welcome.
 [2015: "Vulnerability in the Linux Crypto API that allows unprivileged users to load arbitrary kernel modules" by Mathias Krause](https://plus.google.com/+MathiasKrause/posts/PqFCo4bfrWu) [annnouncement]
-## Protection Bypass Techniques
+## Finding Bugs
-[2020: "Things not to do when using an IOMMU" by Ilja van Sprundel and Joseph Tartaro](https://www.youtube.com/watch?v=p1HUpSkHcZ0) [video]
-[2020: "SELinux RKP misconfiguration on Samsung S20 devices" by Vitaly Nikolenko](https://duasynt.com/blog/samsung-s20-rkp-selinux-disable) [article]
-[2020: "TagBleed: Breaking KASLR on the Isolated Kernel Address Space using Tagged TLBs"](https://download.vusec.net/papers/tagbleed_eurosp20.pdf) [paper]
-[2020: "Weaknesses in Linux Kernel Heap Hardening" by Silvio Cesare](https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html) [article]
-[2020: "An Analysis of Linux Kernel Heap Hardening" by Silvio Cesare](https://blog.infosectcbr.com.au/2020/04/an-analysis-of-linux-kernel-heap.html) [article]
-[2020: "PAN: Another day, another broken mitigation" by Siguza](https://siguza.github.io/PAN/) [article]
-[2019: "KNOX Kernel Mitigation Bypasses" by Dong-Hoon You at PoC](http://powerofcommunity.net/poc2019/x82.pdf) [slides]
-[2017: "Lifting the (Hyper) Visor: Bypassing Samsung’s Real-Time Kernel Protection" by Gal Beniamini](https://googleprojectzero.blogspot.com/2017/02/lifting-hyper-visor-bypassing-samsungs.html) [article]
-[2016: "Linux Kernel x86-64 bypass SMEP - KASLR - kptr_restric"](https://web.archive.org/web/20171029060939/http://www.blackbunny.io/linux-kernel-x86-64-bypass-smep-kaslr-kptr_restric/) [article]
-[2016: "Practical SMEP bypass techniques on Linux" by Vitaly Nikolenko at KIWICON](https://cyseclabs.com/slides/smep_bypass.pdf) [slides]
-[2016: "Micro architecture attacks on KASLR" by Anders Fogh"](https://cyber.wtf/2016/10/25/micro-architecture-attacks-on-kasrl/) [article]
-[2016: "Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR" by Dmitry Evtyushkin, Dmitry Ponomarev and Nael Abu-Ghazaleh](http://www.cs.ucr.edu/~nael/pubs/micro16.pdf) [slides]
-[2016: "Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR" by Daniel Gruss, Clementine Maurice, Anders Fogh, Moritz Lipp and Stefan Mangard at CCS](https://www.youtube.com/watch?v=TJTQbs3oJx8) [video]
-[2016: "Using Undocumented CPU Behavior to See Into Kernel Mode and Break KASLR in the Process" at Black Hat](https://www.youtube.com/watch?v=T3kmq2NLpH4) [video]
-[2016: "Breaking KASLR with Intel TSX" Yeongjin Jang, Sangho Lee and Taesoo Kim at Black Hat](https://www.blackhat.com/docs/us-16/materials/us-16-Jang-Breaking-Kernel-Address-Space-Layout-Randomization-KASLR-With-Intel-TSX.pdf) [slides] [[video](https://www.youtube.com/watch?v=rtuXG28g0CU)]
-[2016: "Breaking KASLR with micro architecture" by Anders Fogh](https://dreamsofastone.blogspot.ru/2016/02/breaking-kasrl-with-micro-architecture.html) [article]
-[2015: "Effectively bypassing kptr_restrict on Android" by Gal Beniamini](https://bits-please.blogspot.de/2015/08/effectively-bypassing-kptrrestrict-on.html) [article]
-[2014: "ret2dir: Deconstructing Kernel Isolation" by Vasileios P. Kemerlis, Michalis Polychronakis and Angelos D. Keromytis at Black Hat Europe](https://www.blackhat.com/docs/eu-14/materials/eu-14-Kemerlis-Ret2dir-Deconstructing-Kernel-Isolation-wp.pdf) [paper] [[video](https://www.youtube.com/watch?v=kot-EQ9zf9k)]
-[2013: "A Linux Memory Trick" by Dan Rosenberg](http://vulnfactory.org/blog/2013/02/06/a-linux-memory-trick/) [article]
-[2011: "SMEP: What is It, and How to Beat It on Linux" by Dan Rosenberg](http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/) [article]
-[2009: "Bypassing Linux' NULL pointer dereference exploit prevention (mmap_min_addr)"](http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html) [article]
-## Defensive
-[2021: "security things in Linux vX.X" by Kees Cook](https://outflux.net/blog/archives/2021/02/08/security-things-in-linux-v5-8/) [articles]
-[2020: "Kernel Integrity Enforcement with HLAT In a Virtual Machine" by Chao Gao](https://static.sched.com/hosted_files/osseu2020/ce/LSSEU20_kernel%20integrity%20enforcement%20with%20HLAT%20in%20a%20virtual%20machine_v3.pdf) [slides] [[video](https://www.youtube.com/watch?v=N8avvE_neV0)]
-[2020: "Linux kernel heap quarantine versus use-after-free exploits" by Alexander Popov](https://a13xp0p0v.github.io/2020/11/30/slab-quarantine.html) [article]
-[2020: "State of Linux kernel security" by Dmitry Vyukov](https://github.com/ossf/wg-securing-critical-projects/blob/main/presentations/The_state_of_the_Linux_kernel_security.pdf) [slides] [[video](https://www.youtube.com/watch?v=PGwFyzh2KTA&t=1233)]
-[2020: "LKRG IN A NUTSHELL" by Adam Zabrocki at OSTconf](https://www.openwall.com/presentations/OSTconf2020-LKRG-In-A-Nutshell/OSTconf2020-LKRG-In-A-Nutshell.pdf) [slides]
-[2020: "Following the Linux Kernel Defence Map" by Alexander Popov at Linux Plumbers](https://linuxplumbersconf.org/event/7/contributions/775/attachments/610/1096/Following_the_Linux_Kernel_Defence_Map.pdf) [slides] [[video](https://www.youtube.com/watch?v=4c01jjbQmBc&t=8555)]
-[2020: "Memory Tagging for the Kernel: Tag-Based KASAN" by Andrey Konovalov](https://docs.google.com/presentation/d/10V_msbtEap9dNerKvTrRAzvfzYdrQFC8e2NYHCZYJDE/edit?usp=sharing) [slides] [[video](https://www.youtube.com/watch?v=f-Rm7JFsJGI)]
-[2020: "10 Years of Linux Security - A Report Card" by Bradley Spengler](https://grsecurity.net/10_years_of_linux_security.pdf) [slides] [[video](https://www.youtube.com/watch?v=F_Kza6fdkSU)]
-[2020: "Control Flow Integrity in the Linux Kernel" by Kees Cook at linux.conf.au](https://outflux.net/slides/2020/lca/cfi.pdf) [slides] [[video](https://www.youtube.com/watch?v=0Bj6W7qrOOI)]
-[2019: "Camouflage: Hardware-assisted CFI for the ARM Linux kernel"](https://arxiv.org/pdf/1912.04145v1.pdf) [paper]
-[2019: "A New Proposal for Protecting Kernel Data Memory" by Igor Stoppa at Linux Security Summit EU](https://www.youtube.com/watch?v=nPH2sQAD6RY) [video]
-[2019: "Control-Flow Integrity for the Linux kernel: A Security Evaluation" by Federico Manuel Bento](http://www.alunos.dcc.fc.up.pt/~up201407890/Thesis.pdf) [thesis]
-[2019: "Kernel Self-Protection Project" by Kees Cook](https://outflux.net/slides/2019/lss/kspp.pdf) [slides]
-[2019: "Touch but don’t look - Running the Kernel in Execute-only memory" by Rick Edgecombe](https://linuxplumbersconf.org/event/4/contributions/283/attachments/357/588/Touch_but_dont_look__Running_the_kernel_in_execute_only_memory-presented.pdf) [slides]
-[2019: "Breaking and Protecting Linux Kernel Stack" by Elena Reshetova](https://www.youtube.com/watch?v=FacpjoQbMhU) [video]
-[2019: "Making C Less Dangerous in the Linux Kernel" by Kees Cook](https://outflux.net/slides/2019/lca/danger.pdf) [slides]
-[2019: "Mitigation for the Kernel Space Mirroring Attack (内核镜像攻击的缓解措施)"](http://c0reteam.org/2019/01/02/ksma) [article]
-[2018: "The State of Kernel Self Protection" by Kees Cook](https://outflux.net/slides/2018/lss/kspp.pdf) [slides]
-[2018: "Android Kernel Control Flow Integrity Analysis (分析)"](http://c0reteam.org/2018/09/17/kcfi) [article]
-[2018: "Overview and Recent Developments: Kernel Self-Protection Project" by Kees Cook](https://outflux.net/slides/2018/lss-eu/kspp.pdf) [slides]
-[2018: "The Last Man Standing: The Only Practical, Lightweight and Hypervisor-Based Kernel Protector Struggling with the Real World Alone" by Seunghun Han at beVX](https://github.com/kkamagui/papers/blob/master/bevx-2018/presentation.pdf) [video]
-[2018: "Linux Kernel Runtime Guard (LKRG) under the hood" by Adam Zabrocki at CONFidence](https://www.openwall.com/presentations/CONFidence2018-LKRG-Under-The-Hood/CONFidence2018-LKRG-Under-The-Hood.pdf) [slides, [video](https://www.youtube.com/watch?v=tOiPM692DOM)]
-[2018: "GuardION: Practical Mitigation of DMA-based Rowhammer Attacks on ARM"](https://vvdveen.com/publications/dimva2018.pdf) [paper]
-[2018: "kR^X: Comprehensive Kernel Protection Against Just-In-Time Code Reuse" at BlackHat](https://www.youtube.com/watch?v=L-3eCmZ8s3A) [video]
-[2018: "KASR: A Reliable and Practical Approach to Attack Surface Reduction of Commodity OS Kernels"](https://arxiv.org/pdf/1802.07062.pdf) [paper]
-[2018: "The State of Kernel Self Protection" by Kees Cook at Linux Conf AU](https://outflux.net/slides/2018/lca/kspp.pdf) [slides]
-[2017: "kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse"](https://cs.brown.edu/~vpk/papers/krx.eurosys17.pdf) [paper]
-[2017: "How STACKLEAK improves Linux kernel security" by Alexander Popov at Linux Piter](https://linuxpiter.com/system/attachments/files/000/001/376/original/Alexander_Popov_LinuxPiter2017.pdf) [slides]
-[2017: "Shadow-Box: The Practical and Omnipotent Sandbox" by Seunghun Han at HitB](http://conference.hitb.org/hitbsecconf2017ams/materials/D1T2%20-%20Seunghun%20Han%20-%20Shadow-Box%20-%20The%20Practical%20and%20Omnipotent%20Sandbox.pdf) [slides]
-[2017: "Towards Linux Kernel Memory Safety"](https://arxiv.org/pdf/1710.06175.pdf) [paper]
-[2017: "Proposal of a Method to Prevent Privilege Escalation Attacks for Linux Kernel"](https://events.linuxfoundation.org/sites/events/files/slides/nakamura_20170831_1.pdf) [slides]
-[2017: "Linux Kernel Self Protection Project" by Kees Cook](https://outflux.net/slides/2017/lss/kspp.pdf) [slides]
-[2017: "PT-Rand: Practical Mitigation of Data-only Attacks against Page Tables"](https://www.internetsociety.org/sites/default/files/ndss2017_05B-4_Davi_paper.pdf) [paper]
-[2017: "KASLR is Dead: Long Live KASLR"](https://gruss.cc/files/kaiser.pdf) [paper]
-[2017: "Honey, I shrunk the attack surface – Adventures in Android security hardening" by Nick Kralevich](https://www.youtube.com/watch?v=ITL6VHOFQj8) [video]
-[2017: "Fine Grained Control-Flow Integrity for The Linux Kernel" by Sandro Rigo, Michalis Polychronakis, Vasileios Kemerlis](https://www.blackhat.com/docs/asia-17/materials/asia-17-Moreira-Drop-The-Rop-Fine-Grained-Control-Flow-Integrity-For-The-Linux-Kernel.pdf) [slides]
-[2016: "Thwarting unknown bugs: hardening features in the mainline Linux kernel" by Mark Rutland](https://events.static.linuxfound.org/sites/events/files/slides/slides_21.pdf) [slides]
-[2016: "Emerging Defense in Android Kernel" by James Fang](http://keenlab.tencent.com/en/2016/06/01/Emerging-Defense-in-Android-Kernel/) [article]
-[2016: "Randomizing the Linux kernel heap freelists" by Thomas Garnier](https://medium.com/@mxatone/randomizing-the-linux-kernel-heap-freelists-b899bb99c767#.3csq8t23s) [article]
-[2015: "RAP: RIP ROP"](https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf) [slides]
-[2015: "Protecting Commodity Operating Systems through Strong Kernel Isolation" by Vasileios Kemerlis](http://www.cs.columbia.edu/~angelos/Papers/theses/vpk_thesis.pdf) [paper]
-[2014: "Kernel Self-Protection through Quantified Attack Surface Reduction" by Anil Kurmus](https://publikationsserver.tu-braunschweig.de/servlets/MCRFileNodeServlet/digibib_derivate_00036154/Diss_Kurmus_Anil.pdf) [paper]
-[2013: "KASLR: An Exercise in Cargo Cult Security" by Brad Spengler](https://forums.grsecurity.net/viewtopic.php?f=7&t=3367) [article]
-[2012: "How do I mitigate against NULL pointer dereference vulnerabilities?" by RedHat](https://access.redhat.com/articles/20484) [article]
-[2011: "Linux kernel vulnerabilities: State-of-the-art defenses and open problems"](https://pdos.csail.mit.edu/papers/chen-kbugs.pdf) [paper]
-[2009: "Linux Kernel Heap Tampering Detection" by Larry Highsmith](http://phrack.org/archives/issues/66/15.txt) [article]
-## Vulnerability Discovery
 [2021: "Fuzzing the Linux Kernel" by Andrey Konovalov](https://linuxfoundation.org/wp-content/uploads/2021-Linux-Foundation-Mentorship-Series_-Fuzzing-the-Linux-Kernel.pdf) [slides] [[video](https://www.youtube.com/watch?v=4IBWj21tg-c)]
@@ -621,7 +549,7 @@ Pull requests are welcome.
 [2020: "harbian-qa: State-based target directed fuzzer based on syzkaller"](https://github.com/hardenedlinux/harbian-qa/blob/master/syzkaller/design_inplementation_intro.md) [article]
-[2020: "Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints"](https://www.usenix.org/system/files/sec20-song.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec20_slides_song.pdf)] [[video](https://www.youtube.com/watch?v=Swo6jSkjviA)]
+[2020: "Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints"](https://www.usenix.org/system/files/sec20-song.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec20_slides_song.pdf)] [[video](https://www.youtube.com/watch?v=Swo6jSkjviA)] [[code](https://github.com/securesystemslab/agamotto)]
 [2020: "Using syzkaller, part 1: Fuzzing the Linux kernel" by Andre Almeida](https://www.collabora.com/news-and-blog/blog/2020/03/26/syzkaller-fuzzing-the-kernel/) [article]
@@ -643,7 +571,7 @@ Pull requests are welcome.
 [2020: "Analyzing the Linux Kernel in Userland with AFL and KLEE"](https://blog.grimm-co.com/post/analyzing-the-linux-kernel-in-userland-with-afl-and-klee/) [article]
-[2019: "perf fuzzer: Exposing Kernel Bugs by Detailed Fuzzing of a Specific System Call (2019 Update)" by Vincent M. Weaver and Dave Jones](perf fuzzer: Exposing Kernel Bugs by Detailed Fuzzing of a Specific System Call (2019 Update)) [paper]
+[2019: "perf fuzzer: Exposing Kernel Bugs by Detailed Fuzzing of a Specific System Call (2019 Update)" by Vincent M. Weaver and Dave Jones](http://web.eece.maine.edu/~vweaver/projects/perf_events/fuzzer/2019_perf_fuzzer_tr.pdf) [paper]
 [2019: "Industry Practice of Coverage-Guided Enterprise Linux Kernel Fuzzing"](http://wingtecher.com/themes/WingTecherResearch/assets/papers/fse19-linux-kernel.pdf) [paper]
@@ -661,8 +589,7 @@ Pull requests are welcome.
 [2019: "PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary"](https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04A-1_Song_paper.pdf) [paper]
-[2019: "Hourglass       Fuzz:   A       Quick   Bug     Hunting Method"](https://conference.hitb.org/hitbsecconf2019ams/materials/D1T2%20-%20Hourglass%20Fuzz%20-%20A%20Quick%20Bug%20Hunting%20Method%20-%20Moony%20Li,%20Todd%20Han,%20Lance%20Jiang%20&%20Lilang%20Wu.pdf) [slides]
+[2019: "Hourglass Fuzz: A Quick Bug Hunting Method"](https://conference.hitb.org/hitbsecconf2019ams/materials/D1T2%20-%20Hourglass%20Fuzz%20-%20A%20Quick%20Bug%20Hunting%20Method%20-%20Moony%20Li,%20Todd%20Han,%20Lance%20Jiang%20&%20Lilang%20Wu.pdf) [slides]
 [2018: "FastSyzkaller: Improving Fuzz Efficiency for Linux Kernel Fuzzing"](https://iopscience.iop.org/article/10.1088/1742-6596/1176/2/022013/pdf) [paper]
@@ -670,7 +597,7 @@ Pull requests are welcome.
 [2018: "From Thousands of Hours to a Couple of Minutes: Towards Automating Exploit Generation for Arbitrary Types of Kernel Vulnerabilities"](http://i.blackhat.com/us-18/Thu-August-9/us-18-Wu-Towards-Automating-Exploit-Generation-For-Arbitrary-Types-of-Kernel-Vulnerabilities.pdf) [slides] [[paper](http://i.blackhat.com/us-18/Thu-August-9/us-18-Wu-Towards-Automating-Exploit-Generation-For-Arbitrary-Types-of-Kernel-Vulnerabilities-wp.pdf)]
-[2018: "MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation"](http://www.cs.columbia.edu/~suman/docs/moonshine.pdf) [paper]
+[2018: "MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation"](http://www.cs.columbia.edu/~suman/docs/moonshine.pdf) [paper] [[code](https://github.com/shankarapailoor/moonshine)]
 [2018: "Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking" by Mateusz Jurczyk](https://j00ru.vexillium.org/papers/2018/bochspwn_reloaded.pdf) [paper]
@@ -723,35 +650,101 @@ Pull requests are welcome.
 [2009: "Opensource Kernel Auditing and Exploitation" by Silvio Cesare at DEF CON](https://www.youtube.com/watch?v=sNh2TD6Tf9Q&feature=youtu.be) [video]
-## Fuzzers
+## Defensive
-https://github.com/google/syzkaller
+["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map)
-https://github.com/kernelslacker/trinity
+[2021: "security things in Linux vX.X" by Kees Cook](https://outflux.net/blog/archives/2021/02/08/security-things-in-linux-v5-8/) [articles]
-http://web.eece.maine.edu/~vweaver/projects/perf_events/fuzzer/
+[2020: "Kernel Integrity Enforcement with HLAT In a Virtual Machine" by Chao Gao](https://static.sched.com/hosted_files/osseu2020/ce/LSSEU20_kernel%20integrity%20enforcement%20with%20HLAT%20in%20a%20virtual%20machine_v3.pdf) [slides] [[video](https://www.youtube.com/watch?v=N8avvE_neV0)]
-https://github.com/nccgroup/TriforceLinuxSyscallFuzzer
+[2020: "Linux kernel heap quarantine versus use-after-free exploits" by Alexander Popov](https://a13xp0p0v.github.io/2020/11/30/slab-quarantine.html) [article]
-https://github.com/oracle/kernel-fuzzing
+[2020: "State of Linux kernel security" by Dmitry Vyukov](https://github.com/ossf/wg-securing-critical-projects/blob/main/presentations/The_state_of_the_Linux_kernel_security.pdf) [slides] [[video](https://www.youtube.com/watch?v=PGwFyzh2KTA&t=1233)]
-https://github.com/rgbkrk/iknowthis
+[2020: "LKRG IN A NUTSHELL" by Adam Zabrocki at OSTconf](https://www.openwall.com/presentations/OSTconf2020-LKRG-In-A-Nutshell/OSTconf2020-LKRG-In-A-Nutshell.pdf) [slides]
-https://github.com/schumilo/vUSBf
+[2020: "Following the Linux Kernel Defence Map" by Alexander Popov at Linux Plumbers](https://linuxplumbersconf.org/event/7/contributions/775/attachments/610/1096/Following_the_Linux_Kernel_Defence_Map.pdf) [slides] [[video](https://www.youtube.com/watch?v=4c01jjbQmBc&t=8555)]
-https://github.com/ucsb-seclab/difuze
+[2020: "Memory Tagging for the Kernel: Tag-Based KASAN" by Andrey Konovalov](https://docs.google.com/presentation/d/10V_msbtEap9dNerKvTrRAzvfzYdrQFC8e2NYHCZYJDE/edit?usp=sharing) [slides] [[video](https://www.youtube.com/watch?v=f-Rm7JFsJGI)]
-https://github.com/compsec-snu/razzer [race-condition]
+[2020: "10 Years of Linux Security - A Report Card" by Bradley Spengler](https://grsecurity.net/10_years_of_linux_security.pdf) [slides] [[video](https://www.youtube.com/watch?v=F_Kza6fdkSU)]
-https://github.com/fgsect/unicorefuzz
+[2020: "Control Flow Integrity in the Linux Kernel" by Kees Cook at linux.conf.au](https://outflux.net/slides/2020/lca/cfi.pdf) [slides] [[video](https://www.youtube.com/watch?v=0Bj6W7qrOOI)]
-https://github.com/shankarapailoor/moonshine [corpus-generation]
+[2019: "Camouflage: Hardware-assisted CFI for the ARM Linux kernel"](https://arxiv.org/pdf/1912.04145v1.pdf) [paper]
-https://github.com/SunHao-0/healer
+[2019: "A New Proposal for Protecting Kernel Data Memory" by Igor Stoppa at Linux Security Summit EU](https://www.youtube.com/watch?v=nPH2sQAD6RY) [video]
-https://github.com/atrosinenko/kbdysch
+[2019: "Control-Flow Integrity for the Linux kernel: A Security Evaluation" by Federico Manuel Bento](http://www.alunos.dcc.fc.up.pt/~up201407890/Thesis.pdf) [thesis]
-https://github.com/intel/kernel-fuzzer-for-xen-project
+[2019: "Kernel Self-Protection Project" by Kees Cook](https://outflux.net/slides/2019/lss/kspp.pdf) [slides]
+[2019: "Touch but don’t look - Running the Kernel in Execute-only memory" by Rick Edgecombe](https://linuxplumbersconf.org/event/4/contributions/283/attachments/357/588/Touch_but_dont_look__Running_the_kernel_in_execute_only_memory-presented.pdf) [slides]
+[2019: "Breaking and Protecting Linux Kernel Stack" by Elena Reshetova](https://www.youtube.com/watch?v=FacpjoQbMhU) [video]
+[2019: "Making C Less Dangerous in the Linux Kernel" by Kees Cook](https://outflux.net/slides/2019/lca/danger.pdf) [slides]
+[2019: "Mitigation for the Kernel Space Mirroring Attack (内核镜像攻击的缓解措施)"](http://c0reteam.org/2019/01/02/ksma) [article]
+[2018: "The State of Kernel Self Protection" by Kees Cook](https://outflux.net/slides/2018/lss/kspp.pdf) [slides]
+[2018: "Android Kernel Control Flow Integrity Analysis (分析)"](http://c0reteam.org/2018/09/17/kcfi) [article]
+[2018: "Overview and Recent Developments: Kernel Self-Protection Project" by Kees Cook](https://outflux.net/slides/2018/lss-eu/kspp.pdf) [slides]
+[2018: "The Last Man Standing: The Only Practical, Lightweight and Hypervisor-Based Kernel Protector Struggling with the Real World Alone" by Seunghun Han at beVX](https://github.com/kkamagui/papers/blob/master/bevx-2018/presentation.pdf) [video]
+[2018: "Linux Kernel Runtime Guard (LKRG) under the hood" by Adam Zabrocki at CONFidence](https://www.openwall.com/presentations/CONFidence2018-LKRG-Under-The-Hood/CONFidence2018-LKRG-Under-The-Hood.pdf) [slides, [video](https://www.youtube.com/watch?v=tOiPM692DOM)]
+[2018: "GuardION: Practical Mitigation of DMA-based Rowhammer Attacks on ARM"](https://vvdveen.com/publications/dimva2018.pdf) [paper]
+[2018: "kR^X: Comprehensive Kernel Protection Against Just-In-Time Code Reuse" at BlackHat](https://www.youtube.com/watch?v=L-3eCmZ8s3A) [video]
+[2018: "KASR: A Reliable and Practical Approach to Attack Surface Reduction of Commodity OS Kernels"](https://arxiv.org/pdf/1802.07062.pdf) [paper]
+[2018: "The State of Kernel Self Protection" by Kees Cook at Linux Conf AU](https://outflux.net/slides/2018/lca/kspp.pdf) [slides]
+[2017: "kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse"](https://cs.brown.edu/~vpk/papers/krx.eurosys17.pdf) [paper]
+[2017: "How STACKLEAK improves Linux kernel security" by Alexander Popov at Linux Piter](https://linuxpiter.com/system/attachments/files/000/001/376/original/Alexander_Popov_LinuxPiter2017.pdf) [slides]
+[2017: "Shadow-Box: The Practical and Omnipotent Sandbox" by Seunghun Han at HitB](http://conference.hitb.org/hitbsecconf2017ams/materials/D1T2%20-%20Seunghun%20Han%20-%20Shadow-Box%20-%20The%20Practical%20and%20Omnipotent%20Sandbox.pdf) [slides]
+[2017: "Towards Linux Kernel Memory Safety"](https://arxiv.org/pdf/1710.06175.pdf) [paper]
+[2017: "Proposal of a Method to Prevent Privilege Escalation Attacks for Linux Kernel"](https://events.linuxfoundation.org/sites/events/files/slides/nakamura_20170831_1.pdf) [slides]
+[2017: "Linux Kernel Self Protection Project" by Kees Cook](https://outflux.net/slides/2017/lss/kspp.pdf) [slides]
+[2017: "PT-Rand: Practical Mitigation of Data-only Attacks against Page Tables"](https://www.internetsociety.org/sites/default/files/ndss2017_05B-4_Davi_paper.pdf) [paper]
+[2017: "KASLR is Dead: Long Live KASLR"](https://gruss.cc/files/kaiser.pdf) [paper]
+[2017: "Honey, I shrunk the attack surface – Adventures in Android security hardening" by Nick Kralevich](https://www.youtube.com/watch?v=ITL6VHOFQj8) [video]
+[2017: "Fine Grained Control-Flow Integrity for The Linux Kernel" by Sandro Rigo, Michalis Polychronakis, Vasileios Kemerlis](https://www.blackhat.com/docs/asia-17/materials/asia-17-Moreira-Drop-The-Rop-Fine-Grained-Control-Flow-Integrity-For-The-Linux-Kernel.pdf) [slides]
+[2016: "Thwarting unknown bugs: hardening features in the mainline Linux kernel" by Mark Rutland](https://events.static.linuxfound.org/sites/events/files/slides/slides_21.pdf) [slides]
+[2016: "Emerging Defense in Android Kernel" by James Fang](http://keenlab.tencent.com/en/2016/06/01/Emerging-Defense-in-Android-Kernel/) [article]
+[2016: "Randomizing the Linux kernel heap freelists" by Thomas Garnier](https://medium.com/@mxatone/randomizing-the-linux-kernel-heap-freelists-b899bb99c767#.3csq8t23s) [article]
+[2015: "RAP: RIP ROP"](https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf) [slides]
+[2015: "Protecting Commodity Operating Systems through Strong Kernel Isolation" by Vasileios Kemerlis](http://www.cs.columbia.edu/~angelos/Papers/theses/vpk_thesis.pdf) [paper]
+[2014: "Kernel Self-Protection through Quantified Attack Surface Reduction" by Anil Kurmus](https://publikationsserver.tu-braunschweig.de/servlets/MCRFileNodeServlet/digibib_derivate_00036154/Diss_Kurmus_Anil.pdf) [paper]
+[2013: "KASLR: An Exercise in Cargo Cult Security" by Brad Spengler](https://forums.grsecurity.net/viewtopic.php?f=7&t=3367) [article]
+[2012: "How do I mitigate against NULL pointer dereference vulnerabilities?" by RedHat](https://access.redhat.com/articles/20484) [article]
+[2011: "Linux kernel vulnerabilities: State-of-the-art defenses and open problems"](https://pdos.csail.mit.edu/papers/chen-kbugs.pdf) [paper]
+[2009: "Linux Kernel Heap Tampering Detection" by Larry Highsmith](http://phrack.org/archives/issues/66/15.txt) [article]
 ## Exploits
@@ -839,6 +832,39 @@ https://github.com/scannells/exploits/tree/master/CVE-2020-27194
 ## Tools
+### Fuzzers
+https://github.com/google/syzkaller
+https://github.com/kernelslacker/trinity
+http://web.eece.maine.edu/~vweaver/projects/perf_events/fuzzer/
+https://github.com/nccgroup/TriforceLinuxSyscallFuzzer
+https://github.com/oracle/kernel-fuzzing
+https://github.com/rgbkrk/iknowthis
+https://github.com/schumilo/vUSBf
+https://github.com/ucsb-seclab/difuze
+https://github.com/compsec-snu/razzer [race-condition]
+https://github.com/fgsect/unicorefuzz
+https://github.com/SunHao-0/healer
+https://github.com/atrosinenko/kbdysch
+https://github.com/intel/kernel-fuzzer-for-xen-project
+https://github.com/IntelLabs/kAFL/
+### Assorted
 https://github.com/jonoberheide/ksymhunter
 https://github.com/jonoberheide/kstructhunter
@@ -871,18 +897,23 @@ https://github.com/elfmaster/kdress
 https://github.com/mephi42/ida-kallsyms/
-[[ KASLD ] Kernel Address Space Layout Derandomization](https://github.com/bcoles/kasld)
+[Kernel Address Space Layout Derandomization (KASLD)](https://github.com/bcoles/kasld)
-https://github.com/IntelLabs/kAFL/
-https://github.com/securesystemslab/agamotto
 https://github.com/duasynt/gdb_scripts/
 https://github.com/evdenis/cvehound
-## CTF Tasks
+## Practice
+### Workshops
+[2020: "pwn.college: Module: Kernel Security"](https://pwn.college/modules/kernel) [workshop]
+[2020: "Android Kernel Exploitation" by Ashfaq Ansari](https://github.com/cloudfuzz/android-kernel-exploitation) [workshop]
+### CTF Tasks
 [github.com/smallkirby/kernelpwn](https://github.com/smallkirby/kernelpwn)
@@ -969,53 +1000,46 @@ rwth2011 CTF (ps3game): [writeup](http://mslc.ctf.su/wp/rwth2011-ctf-ps3game/)
 CSAW CTF 2010: [writeup](https://jon.oberheide.org/blog/2010/11/02/csaw-ctf-kernel-exploitation-challenge/), [source](https://jon.oberheide.org/files/csaw.c), [source and exploit](https://github.com/0x3f97/pwn/tree/master/kernel/csaw-ctf-2010-kernel-exploitation-challenge)
-## Misc
+### Other tasks
-[2020: "Android / Linux SLUB aliasing for general- and special-purpose caches" by Vitaly Nikolenko](https://www.youtube.com/watch?v=5-eRsA0l8Pg) [video]
 [pwnable.kr tasks](http://pwnable.kr/play.php) (syscall, rootkit, softmmu, towelroot, kcrc, exynos)
-[RPISEC kernel labs](https://github.com/RPISEC/MBE/tree/master/src/lab10)
+https://github.com/ReverseLab/kernel-pwn-challenge
-https://github.com/Fuzion24/AndroidKernelExploitationPlayground
+https://github.com/R3x/How2Kernel
-https://github.com/ReverseLab/kernel-pwn-challenge
+### Playgrounds
+https://github.com/Fuzion24/AndroidKernelExploitationPlayground
 https://github.com/djrbliss/libplayground
-https://github.com/hackedteam
+https://github.com/a13xp0p0v/kernel-hack-drill
+https://github.com/pr0cf5/kernel-exploit-practice
+### Infrastructure
 https://github.com/mncoppola/Linux-Kernel-CTF
 https://github.com/crowell/old_blog/blob/source/source/_posts/2014-11-24-hosting-a-local-kernel-ctf-challenge.markdown
-https://github.com/ukanth/afwall/wiki/Kernel-security
-https://github.com/a13xp0p0v/linux-kernel-defence-map
+## Misc
-https://github.com/kmcallister/alameda
+[2020: "Android / Linux SLUB aliasing for general- and special-purpose caches" by Vitaly Nikolenko](https://www.youtube.com/watch?v=5-eRsA0l8Pg) [video]
-https://github.com/01org/jit-spray-poc-for-ksp
+https://github.com/hackedteam
 https://forums.grsecurity.net/viewforum.php?f=7
 https://grsecurity.net/research.php
-https://github.com/yrp604/atc-sources
-https://www.linuxkernelcves.com/
 https://github.com/jameshilliard/linux-grsec/
-https://github.com/a13xp0p0v/kernel-hack-drill
+https://www.youtube.com/c/dayzerosec/videos
-https://github.com/vnik5287/kernel_rop
-https://github.com/R3x/How2Kernel
-https://www.twitch.tv/dayzerosec/videos?filter=all&sort=time
-https://github.com/pr0cf5/kernel-exploit-practice
 https://github.com/milabs/lkrg-bypass
author	Andrey Konovalov	2021-05-03 21:00:01 +0200
committer	Andrey Konovalov	2021-05-04 00:03:55 +0200
commit	ca8a8c3f01d5f7feadca69c3c0f0d80321878dd6 (patch)
tree	53a3d3dfb19f854835177598c51e619c72cbc534 /README.md
parent	23baeac2e645896f5438a58a79a4a0b10f97ac40 (diff)