Diffstat (limited to 'README.md')
-rw-r--r--  README.md  34
1 files changed, 34 insertions, 0 deletions
diff --git a/README.md b/README.md
index 77f0dab..0320473 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
52 52
53### Exploitation 53### Exploitation
54 54
55[2023: "The Return of Stack Overflows in the Linux Kernel" by Davide Ornaghi](https://conference.hitb.org/hitbsecconf2023ams/materials/D2%20COMMSEC%20-%20The%20Return%20of%20Stack%20Overflows%20in%20the%20Linux%20Kernel%20-%20Davide%20Ornaghi.pdf) [slides]
56
55[2023: "Exploiting null-dereferences in the Linux kernel" by Seth Jenkins](https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html) 57[2023: "Exploiting null-dereferences in the Linux kernel" by Seth Jenkins](https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html)
56 58
57[2023: "PSPRAY: Timing Side-Channel based Linux Kernel Heap Exploitation Technique"](https://www.usenix.org/system/files/sec23summer_79-lee-prepub.pdf) [paper] 59[2023: "PSPRAY: Timing Side-Channel based Linux Kernel Heap Exploitation Technique"](https://www.usenix.org/system/files/sec23summer_79-lee-prepub.pdf) [paper]
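Review bot: the new entry on line 55 names the speaker but not the venue, while the other talk entries in this list carry one ("by Yueqi (Lewis) Chen at Black Hat Europe", "by Valentina Palmiotti at REcon"); the slides URL sits under conference.hitb.org/hitbsecconf2023ams, so `... by Davide Ornaghi at HITB Amsterdam](...)` would match the convention. While touching this block, the unchanged Seth Jenkins entry on line 57 lacks the [article] tag that the same author's CVE-2022-42703 post carries further down.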
@@ -110,6 +112,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
110 112
111[2020: "Structures that can be used in kernel exploits"](https://ptr-yudai.hatenablog.com/entry/2020/03/16/165628) [article] 113[2020: "Structures that can be used in kernel exploits"](https://ptr-yudai.hatenablog.com/entry/2020/03/16/165628) [article]
112 114
115[2019: "Linux Kernel: the ROP Exploit of Stack Overflow in Android Kernel"](https://medium.com/@knownsec404team/linux-kernel-the-rop-exploit-of-stack-overflow-in-android-kernel-87aa8eda770d) [article]
116
113[2019: "Hands Off and Putting SLAB/SLUB Feng Shui in Blackbox" by Yueqi (Lewis) Chen at Black Hat Europe](https://i.blackhat.com/eu-19/Wednesday/eu-19-Chen-Hands-Off-And-Putting-SLAB-SLUB-Feng-Shui-In-A-Blackbox.pdf) [slides] [[code](https://www.dropbox.com/sh/2kwcwqb8rjro80j/AAC8QBCIhcCylNUDLUd1OZCZa?dl=0)] 117[2019: "Hands Off and Putting SLAB/SLUB Feng Shui in Blackbox" by Yueqi (Lewis) Chen at Black Hat Europe](https://i.blackhat.com/eu-19/Wednesday/eu-19-Chen-Hands-Off-And-Putting-SLAB-SLUB-Feng-Shui-In-A-Blackbox.pdf) [slides] [[code](https://www.dropbox.com/sh/2kwcwqb8rjro80j/AAC8QBCIhcCylNUDLUd1OZCZa?dl=0)]
114 118
115[2019: "SLAKE: Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel" by Yueqi (Lewis) Chen and Xinyu Xing](http://personal.psu.edu/yxc431/publications/SLAKE_Slides.pdf) [slides] [[paper](http://personal.psu.edu/yxc431/publications/SLAKE.pdf)] 119[2019: "SLAKE: Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel" by Yueqi (Lewis) Chen and Xinyu Xing](http://personal.psu.edu/yxc431/publications/SLAKE_Slides.pdf) [slides] [[paper](http://personal.psu.edu/yxc431/publications/SLAKE.pdf)]
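Review bot: the new entry on line 115 has no author, although the URL path (`@knownsec404team`) identifies the publisher, and the surrounding article entries give one where it is known; suggest `... in Android Kernel" by Knownsec 404 Team](...)`. Placement is fine: it sits between the 2020 entry and the 2019 Black Hat slides, preserving the newest-first order.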
@@ -219,6 +223,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
219 223
220### Protection Bypasses 224### Protection Bypasses
221 225
226[2023: "Linux Kernel: Spectre v2 SMT mitigations problem" by Eduardo Vela](https://github.com/google/security-research/security/advisories/GHSA-mj4w-6495-6crx) [article]
227
222[2022: "A Dirty Little History: Bypassing Spectre Hardware Defenses to Leak Kernel Data"](https://i.blackhat.com/USA-22/Thursday/US-22-Frigo-A-Dirty-Little-History.pdf) [slides] 228[2022: "A Dirty Little History: Bypassing Spectre Hardware Defenses to Leak Kernel Data"](https://i.blackhat.com/USA-22/Thursday/US-22-Frigo-A-Dirty-Little-History.pdf) [slides]
223 229
224[2022: "Tetragone: A Lesson in Security Fundamentals" by Pawel Wieczorkiewicz and Brad Spengler](https://grsecurity.net/tetragone_a_lesson_in_security_fundamentals) [article] 230[2022: "Tetragone: A Lesson in Security Fundamentals" by Pawel Wieczorkiewicz and Brad Spengler](https://grsecurity.net/tetragone_a_lesson_in_security_fundamentals) [article]
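Review bot: the entry on line 226 links a GitHub security advisory but is tagged [article] and carries no identifier, whereas the LPE section of this same patch appends the advisory or CVE ID in brackets ([GHSL-2023-005], [CVE-2022-32250]). Suggest `... by Eduardo Vela](...) [advisory] [GHSA-mj4w-6495-6crx]` so the entry is both correctly typed and searchable by ID.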
@@ -326,8 +332,18 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
326 332
327### LPE 333### LPE
328 334
335[2023: "Pwning Pixel 6 with a leftover patch" by Man Yue Mo](https://github.blog/2023-04-06-pwning-pixel-6-with-a-leftover-patch/) [article] [GHSL-2023-005]
336
337[2023: "Revisiting CVE-2017-11176" by Nils Ole Timm](https://labs.bluefrostsecurity.de/revisiting-cve-2017-11176) [article] [CVE-2017-11176]
338
339[2023: "Rooting the FiiO M6" by Jack Maginnes](https://stigward.github.io/posts/fiio-m6-kernel-bug/) [article] [[part 2](https://stigward.github.io/posts/fiio-m6-exploit/)]
340
341[2023: "Exploiting CVE-2021-3490 for Container Escapes" by Karsten Kyonig](https://www.crowdstrike.com/blog/exploiting-cve-2021-3490-for-container-escapes/) [article] [CVE-2021-3490]
342
329[2023: "Pwning the all Google phone with a non-Google bug"](https://github.blog/2023-01-23-pwning-the-all-google-phone-with-a-non-google-bug/) [article] [CVE-2022-38181] 343[2023: "Pwning the all Google phone with a non-Google bug"](https://github.blog/2023-01-23-pwning-the-all-google-phone-with-a-non-google-bug/) [article] [CVE-2022-38181]
330 344
345[2022: "CVE-2022-22265: Samsung NPU device driver double free in Android" by Xingyu Jin](https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-22265.html) [article] [CVE-2022-22265]
346
331[2022: "Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg" by Sergi Martinez](https://blog.exodusintel.com/2022/12/19/linux-kernel-exploiting-a-netfilter-use-after-free-in-kmalloc-cg/) [article] [CVE-2022-32250] 347[2022: "Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg" by Sergi Martinez](https://blog.exodusintel.com/2022/12/19/linux-kernel-exploiting-a-netfilter-use-after-free-in-kmalloc-cg/) [article] [CVE-2022-32250]
332 348
333[2022: "Exploiting CVE-2022-42703 - Bringing back the stack attack" by Seth Jenkins](https://googleprojectzero.blogspot.com/2022/12/exploiting-CVE-2022-42703-bringing-back-the-stack-attack.html) [article] [CVE-2022-42703] 349[2022: "Exploiting CVE-2022-42703 - Bringing back the stack attack" by Seth Jenkins](https://googleprojectzero.blogspot.com/2022/12/exploiting-CVE-2022-42703-bringing-back-the-stack-attack.html) [article] [CVE-2022-42703]
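Review bot: verify the author spelling on line 341 against the CrowdStrike byline before merging; "Karsten Kyonig" reads like an ASCII transliteration of a name written with an umlaut, and the list otherwise reproduces names as published. The ordering of the inserts is correct: the four 2023 entries land above the January 2023 "Pwning the all Google phone" post and the Samsung NPU entry above the December 2022 Exodus post, keeping the newest-first order, and the FiiO M6 entry follows the existing `[[part 2](...)]` convention.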
@@ -787,10 +803,14 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
787 803
788## Finding Bugs 804## Finding Bugs
789 805
806[2023: "Precise Detection of Kernel Data Races with Probabilistic Lockset Analysis"](https://www.cs.columbia.edu/~gabe/files/oakland2023_pla.pdf) [paper]
807
790[2023: "No Grammar, No Problem: Towards Fuzzing the Linux Kernel without System-Call Descriptions"](https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_f688_paper.pdf) [paper] 808[2023: "No Grammar, No Problem: Towards Fuzzing the Linux Kernel without System-Call Descriptions"](https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_f688_paper.pdf) [paper]
791 809
792[2023: "FirmSolo: Enabling dynamic analysis of binary Linux-based IoT kernel modules"](https://www.usenix.org/system/files/sec23summer_190-angelakopoulos-prepub.pdf) [paper] 810[2023: "FirmSolo: Enabling dynamic analysis of binary Linux-based IoT kernel modules"](https://www.usenix.org/system/files/sec23summer_190-angelakopoulos-prepub.pdf) [paper]
793 811
812[2022: "Event-based Fuzzing, Patch-based Research, and Comment Police: Finding Bugs Through a Bug"](https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-LiYang-Event-based-Fuzzing-Patch-based.pdf) [slides] [[video](https://www.youtube.com/watch?v=mPiv0eZlx9w)]
813
794[2022: "Breaking the Glass Sandbox - Find Linux Kernel Bugs and Escape" by Valentina Palmiotti at REcon](https://cfp.recon.cx/media/2022/submissions/EVBN3B/resources/recon_7TKNBIm.pdf) [slides] [[video](https://www.youtube.com/watch?v=2R46lJsOOTE)] 814[2022: "Breaking the Glass Sandbox - Find Linux Kernel Bugs and Escape" by Valentina Palmiotti at REcon](https://cfp.recon.cx/media/2022/submissions/EVBN3B/resources/recon_7TKNBIm.pdf) [slides] [[video](https://www.youtube.com/watch?v=2R46lJsOOTE)]
795 815
796[2022: "Sanitizing the Linux kernel: On KASAN and other Dynamic Bug-finding Tools" by Andrey Konovalov](https://docs.google.com/presentation/d/1qA8fqRDHKX_WM_ZdDN37EQQZwSTNJ4FFws82tbUSKxY/edit?usp=sharing) [slides] [[video](https://www.youtube.com/watch?v=KmFVPyHyfqQ)] [[article](https://lwn.net/Articles/909245/)] 816[2022: "Sanitizing the Linux kernel: On KASAN and other Dynamic Bug-finding Tools" by Andrey Konovalov](https://docs.google.com/presentation/d/1qA8fqRDHKX_WM_ZdDN37EQQZwSTNJ4FFws82tbUSKxY/edit?usp=sharing) [slides] [[video](https://www.youtube.com/watch?v=KmFVPyHyfqQ)] [[article](https://lwn.net/Articles/909245/)]
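Review bot: the Black Hat entry on line 812 omits speaker and venue, while the REcon entry right below it (line 814) has both and the slides URL lives under i.blackhat.com/EU-22. Record it as given at Black Hat Europe 2022 with the speakers taken from the deck's byline rather than from the "LiYang" fragment in the file name, which is not reliable as an attribution.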
@@ -873,6 +893,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
873 893
874[2021: "Dynamic program analysis for fun and profit" by Dmitry Vyukov](https://linuxfoundation.org/wp-content/uploads/Dynamic-program-analysis_-LF-Mentorship.pdf) [slides] [[video](https://www.youtube.com/watch?v=ufcyOkgFZ2Q)] 894[2021: "Dynamic program analysis for fun and profit" by Dmitry Vyukov](https://linuxfoundation.org/wp-content/uploads/Dynamic-program-analysis_-LF-Mentorship.pdf) [slides] [[video](https://www.youtube.com/watch?v=ufcyOkgFZ2Q)]
875 895
896[2020: "UBITect: A Precise and Scalable Method to Detect Use-before-Initialization Bugs in Linux Kernel"](https://dl.acm.org/doi/pdf/10.1145/3368089.3409686) [paper]
897
876[2020: "RetroWrite: Statically Instrumenting COTS Binaries for Fuzzing and Sanitization"](https://nebelwelt.net/files/20Oakland.pdf) [paper] [[tool](https://github.com/HexHive/RetroWrite)] 898[2020: "RetroWrite: Statically Instrumenting COTS Binaries for Fuzzing and Sanitization"](https://nebelwelt.net/files/20Oakland.pdf) [paper] [[tool](https://github.com/HexHive/RetroWrite)]
877 899
878[2020: "Fuzzing a Pixel 3a Kernel with Syzkaller" by senyuuri](https://blog.senyuuri.info/2020/04/16/fuzzing-a-pixel-3a-kernel-with-syzkaller/) [article] 900[2020: "Fuzzing a Pixel 3a Kernel with Syzkaller" by senyuuri](https://blog.senyuuri.info/2020/04/16/fuzzing-a-pixel-3a-kernel-with-syzkaller/) [article]
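Review bot: line 896 links the dl.acm.org `/doi/pdf/` endpoint, which typically serves only readers with ACM access, whereas the other [paper] entries in this section point to openly hosted PDFs (usenix.org, ndss-symposium.org, nebelwelt.net). Consider linking the DOI landing page https://dl.acm.org/doi/10.1145/3368089.3409686 or an author-hosted copy so the [paper] tag holds for every reader.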
@@ -1016,8 +1038,12 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
1016 1038
1017["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map) 1039["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map)
1018 1040
1041[2023: "Mobile Exploitation - The past, present, and the future" by Ki Chan Ahn](https://github.com/externalist/presentations/blob/master/2023%20Zer0con/Mobile%20Exploitation%2C%20the%20past%2C%20present%2C%20and%20future.pdf) [slides]
1042
1019[2023: "Bounded Flexible Arrays in C" by Kees Cook](https://people.kernel.org/kees/bounded-flexible-arrays-in-c) [article] 1043[2023: "Bounded Flexible Arrays in C" by Kees Cook](https://people.kernel.org/kees/bounded-flexible-arrays-in-c) [article]
1020 1044
1045[2022: "Survey of security mitigations and architectures, December 2022" by Saar Amar](https://saaramar.github.io/memory_safety_blogpost_2022/) [article]
1046
1021[2022: "Canary in the Kernel Mine: Exploiting and Defending Against Same-Type Object Reuse" by Mathias Krause](https://grsecurity.net/exploiting_and_defending_against_same_type_object_reuse) [article] [[reference exploits](https://github.com/opensrcsec/same_type_object_reuse_exploits)] 1047[2022: "Canary in the Kernel Mine: Exploiting and Defending Against Same-Type Object Reuse" by Mathias Krause](https://grsecurity.net/exploiting_and_defending_against_same_type_object_reuse) [article] [[reference exploits](https://github.com/opensrcsec/same_type_object_reuse_exploits)]
1022 1048
1023[2022: "Making Linux Kernel Exploit Cooking Harder"](https://security.googleblog.com/2022/08/making-linux-kernel-exploit-cooking.html) [article] [[reference exploits](https://docs.google.com/document/d/1a9uUAISBzw3ur1aLQqKc5JOQLaJYiOP5pe_B4xCT1KA/edit?usp=sharing)] [[proposed mitigations](https://github.com/thejh/linux/blob/slub-virtual/MITIGATION_README)] 1049[2022: "Making Linux Kernel Exploit Cooking Harder"](https://security.googleblog.com/2022/08/making-linux-kernel-exploit-cooking.html) [article] [[reference exploits](https://docs.google.com/document/d/1a9uUAISBzw3ur1aLQqKc5JOQLaJYiOP5pe_B4xCT1KA/edit?usp=sharing)] [[proposed mitigations](https://github.com/thejh/linux/blob/slub-virtual/MITIGATION_README)]
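Review bot: confirm that "Mobile Exploitation - The past, present, and the future" on line 1041 belongs in this section: its neighbours (Linux Kernel Defence Map, Bounded Flexible Arrays in C, Survey of security mitigations and architectures, Canary in the Kernel Mine) are all mitigation and defence material, while the title reads like an exploitation overview. If the talk is primarily about how mitigations have evolved, keep it here; otherwise it fits better under `### Exploitation`. Year ordering of both inserts is correct.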
@@ -1312,6 +1338,8 @@ https://github.com/SmoothHacker/LateRegistration
1312 1338
1313https://github.com/sslab-gatech/janus 1339https://github.com/sslab-gatech/janus
1314 1340
1341https://github.com/google/buzzer
1342
1315 1343
1316### Assorted 1344### Assorted
1317 1345
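Review bot: line 1342 adds a blank line directly before the existing blank line 1343, leaving two empty lines before `### Assorted`, whereas every other entry in this list is separated by a single blank line. Drop one of them.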
@@ -1385,6 +1413,10 @@ https://github.com/marin-m/vmlinux-to-elf
1385 1413
1386[github.com/AravGarg/kernel-hacking/ctf-challs](https://github.com/AravGarg/kernel-hacking/tree/master/ctf-challs) 1414[github.com/AravGarg/kernel-hacking/ctf-challs](https://github.com/AravGarg/kernel-hacking/tree/master/ctf-challs)
1387 1415
1416HackTheBox (knote): [writeup](https://pwning.tech/knote/)
1417
1418BFS Ekoparty 2022 (blunder): [writeup](https://klecko.github.io/posts/bfs-ekoparty-2022/)
1419
1388D^3CTF 2022 (d3bpf): [writeup](https://stdnoerr.github.io/writeup/2022/08/21/eBPF-exploitation-(ft.-D-3CTF-d3bpf).html), [writeup 2](https://github.com/chujDK/d3ctf2022-pwn-d3bpf-and-v2) 1420D^3CTF 2022 (d3bpf): [writeup](https://stdnoerr.github.io/writeup/2022/08/21/eBPF-exploitation-(ft.-D-3CTF-d3bpf).html), [writeup 2](https://github.com/chujDK/d3ctf2022-pwn-d3bpf-and-v2)
1389 1421
1390zer0pts CTF 2022 (kRCE): [writeup](https://www.willsroot.io/2022/03/zer0pts-ctf-2022-krce-writeup.html) 1422zer0pts CTF 2022 (kRCE): [writeup](https://www.willsroot.io/2022/03/zer0pts-ctf-2022-krce-writeup.html)
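Review bot: the HackTheBox entry on line 1416 has no year while the rest of the list (BFS Ekoparty 2022, D^3CTF 2022, zer0pts CTF 2022) names one and appears ordered by year, so a reader cannot tell where the challenge sits chronologically. Suggest `HackTheBox 2023 (knote)` or whichever year the writeup dates the challenge to.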
@@ -1588,3 +1620,5 @@ https://kernel.dance/
1588https://github.com/0xricksanchez/like-dbg 1620https://github.com/0xricksanchez/like-dbg
1589 1621
1590https://github.com/ameetsaahu/Kernel-exploitation 1622https://github.com/ameetsaahu/Kernel-exploitation
1623
1624https://github.com/cmu-pasta/linux-kernel-enriched-corpus
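Review bot: the new entry on line 1624 is a bare URL at the end of the file, consistent with its neighbours, but the repository name suggests a seed corpus for kernel fuzzing; if that is what it is, it would be found more easily next to the fuzzing tools list above (janus, LateRegistration, buzzer) than at the tail of this catch-all section. If it stays here, a short parenthetical saying what the corpus is for would help, since the name alone does not say which fuzzer it targets.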