From 5dc72e61f867c3cf89ee7f46e7f6fa98333558d2 Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Fri, 1 Nov 2024 17:13:47 +0100 Subject: September/October updates --- README.md | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 75 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f190c78..d58570c 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Exploitation +[2024: "SLUB Internals for Exploit Developers" by Andrey Konovalov](https://static.sched.com/hosted_files/lsseu2024/37/2024%2C%20LSS%20EU_%20SLUB%20Internals%20for%20Exploit%20Developers.pdf) [slides] [[video](https://www.youtube.com/watch?v=XulsBDV4n3w)] + +[2024: "SCAVY: Automated Discovery of Memory Corruption Targets in Linux Kernel for Privilege Escalation"](https://www.usenix.org/system/files/usenixsecurity24-avllazagaj.pdf) [paper] + [2024: "PageJack: A Powerful Exploit Technique With Page-Level UAF" by Zhiyun Qian et. al](https://i.blackhat.com/BH-US-24/Presentations/US24-Qian-PageJack-A-Powerful-Exploit-Technique-With-Page-Level-UAF-Thursday.pdf) [slides] [[code](https://github.com/Lotuhu/Page-UAF)] [[summary](https://phrack.org/issues/71/13.html#article)] [2024: "SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel" by Lukas Maar et. al](https://stefangast.eu/papers/slubstick.pdf) [paper] 
@@ -281,6 +285,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Protection Bypasses +[2024: "SELinux bypasses"](https://klecko.github.io/posts/selinux-bypasses/) [article] + +[2024: "Defects-in-Depth: Analyzing the Integration of Effective Defenses against One-Day Exploits in Android Kernels" by Lukas Maar et. al](https://www.usenix.org/system/files/usenixsecurity24-maar-defects.pdf) [paper] [[artifacts](https://www.usenix.org/system/files/usenixsecurity24-appendix-maar-defects.pdf)] + [2024: "Leaking Host KASLR from Guest VMs Using Tagged TLB" by Reno Robert](https://pagedout.institute/download/PagedOut_004_beta1.pdf#page=58) [article] [2024: "TikTag: Breaking ARM's Memory Tagging Extension with Speculative Execution" by Juhee Kim et al.](https://arxiv.org/pdf/2406.08719) [paper] [[code](https://github.com/compsec-snu/tiktag)] 
@@ -416,11 +424,17 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### LPE +[2024: "Unleashing a 0day: Pivoting Capabilities and Conquering the Linux Kernel" by Pedro Pinto](https://www.figma.com/deck/GyXCgKKy6rMuY7NVZtInjY/Unleadhing-a-Oday---Osec?node-id=13-225) [slides] [CVE-2024-41010] + +[2024: "Utilizing Cross-CPU Allocation to Exploit Preempt-Disabled Linux Kernel" by Mingi Cho and Wongi Lee](https://www.hexacon.fr/slides/Cho_Lee-Utilizing_Cross-CPU_Allocation_to_Exploit_Preempt-Disabled_Linux_Kernel.pdf) [slides] [CVE-2023-31248] [CVE-2024-36978] + +[2024: "1day vuln dev: DirtyCOW"](https://www.youtube.com/watch?v=lQOiH-43zOc) [video] [CVE-2016-5195] + [2024: "Race conditions in Linux Kernel perf events"](https://binarygecko.com/race-conditions-in-linux-kernel-perf-events/) [[code](https://github.com/Binary-Gecko/perf_PoC)] [CVE-UNKNOWN] [2024: "CVE-2020-27786 (Race Condition + Use-After-Free)" by ii4gsp](https://ii4gsp.github.io/cve-2020-27786/) [article] [CVE-2020-27786] -[2024: "GPUAF Using a general GPU exploit tech to attack Pixel8" by Pan Zhenpeng and Jheng Bing Jhong](https://www.youtube.com/watch?v=Mw6iCqjOV9Q) [video] [CVE-UNKNOWN] +[2024: "GPUAF Using a general GPU exploit tech to attack Pixel8" by Pan Zhenpeng and Jheng Bing Jhong](https://github.com/star-sg/OBO/blob/main/2024/Day%201/GPUAF%20-%20Using%20a%20general%20GPU%20exploit%20tech%20to%20attack%20Pixel8.pdf) [slides] [[video](https://www.youtube.com/watch?v=Mw6iCqjOV9Q)] [CVE-UNKNOWN] [2024: "Linux Kernel taprio OOB"](https://ssd-disclosure.com/ssd-advisory-linux-kernel-taprio-oob/) [article] [CVE-2024-36974] 
@@ -928,6 +942,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Other +[2024: "CVE-2024-26926 Analysis" by Maher Azzouzi](https://github.com/MaherAzzouzi/LinuxKernel-nday/blob/main/CVE-2024-26926/CVE_2024_26926_Analysis.pdf) [article] [CVE-2024-26926] + +[2024: "CVE-2024-44068: Samsung m2m1shot_scaler0 device driver page use-after-free in Android"](https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2024/CVE-2024-44068.html) [article] [CVE-2024-44068] + [2024: "Deep Dive into RCU Race Condition: Analysis of TCP-AO UAF (CVE-2024–27394)"](https://blog.theori.io/deep-dive-into-rcu-race-condition-analysis-of-tcp-ao-uaf-cve-2024-27394-f40508b84c42) [article] [CVE-2024–27394] [2024: "ZDI-24-821: A Remote UAF in The Kernel's net/tipc" by Sam Page](https://sam4k.com/zdi-24-821-a-remote-use-after-free-in-the-kernels-net-tipc/) [article] [ZDI-24-821] [CVE-2024-36886] 
@@ -1013,6 +1031,24 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ## Finding Bugs +[2024: "Head First Reporting of Linux Kernel CVEs: Practical Use of the Kernel Fuzzer" by Yunseong Kim](https://static.sched.com/hosted_files/sosscdjapan2024/7a/Head%20First%20Reporting%20of%20Linux%20Kernel%20CVEs%20-%20sosscj24.pdf) [slides] + +[2024: "Finding Bugs in Kernel. Part 1: Crashing a Vulnerable Driver with Syzkaller" by Vyacheslav Moskvin](https://www.linkedin.com/pulse/finding-bugs-kernel-part-1-crashing-vulnerable-driver-moskvin-4vwje/) [article] + +[2024: "Lessons from the buzz" by Juan Jose Lopez Jaimez](https://lpc.events/event/18/contributions/1946/attachments/1473/3119/Lessons%20from%20the%20buzz%20-%20LPC.pdf) [slides] [[video](https://www.youtube.com/watch?v=nPYvwrbFxjQ)] + +[2024: "The State of eBPF Fuzzing" by Paul Chaignon](https://pchaigno.github.io/assets/Linux%20Plumbers%202024%20Fuzzing%20eBPF.pdf) [slides] [[video](https://www.youtube.com/watch?v=Xtjpsm-cOos)] + +[2024: "CARDSHARK: Understanding and Stablizing Linux Kernel Concurrency Bugs Against the Odds"](https://www.usenix.org/system/files/usenixsecurity24-han-tianshuo.pdf) [paper] + +[2024: "LR-Miner: Static Race Detection in OS Kernels by Mining Locking Rules" by Tuo Li et. 
al](https://www.usenix.org/system/files/usenixsecurity24-li-tuo.pdf) [paper] + +[2024: "Detecting Kernel Memory Bugs through Inconsistent Memory Management Intention Inferences"](https://www.usenix.org/system/files/usenixsecurity24-liu-dinghao-detecting.pdf) [paper] [[slides](https://www.usenix.org/system/files/usenixsecurity24_slides-liu-dinghao-detecting.pdf)] + +[2024: "MOCK: Optimizing Kernel Fuzzing Mutation with Context-aware Dependency"](https://www.ndss-symposium.org/wp-content/uploads/2024-131-paper.pdf) [paper] + +[2024: "SyzGen++: Dependency Inference for Augmenting Kernel Driver Fuzzing"](https://www.cs.ucr.edu/~zhiyunq/pub/oakland24_syzgenplusplus.pdf) [paper] + [2024: "StateFuzz: System Call-Based State-Aware Linux Driver Fuzzing" by Bodong Zhao et. al](https://github.com/vul337/StateFuzz/blob/main/statefuzz.pdf) [paper] [[code](https://github.com/vul337/StateFuzz)] [2024: "BRF: eBPF Runtime Fuzzer" by Hsin-Wei Hung and Ardalan Amiri Sani](https://arxiv.org/pdf/2305.08782) [paper] 
@@ -1296,6 +1332,34 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map) +[2024: "Diving into the kernel mitigations" by Breno Leitao](https://www.youtube.com/watch?v=srPeMl9FZI8) [video] + +[2024: "Security Features status update" by Kees Cook](https://lpc.events/event/18/contributions/1920/attachments/1547/3228/Security%20Features%20status%20update.pdf) [slides] [[video](https://www.youtube.com/watch?v=68PZz_9cPms)] + +[2024: "Restricting Unprivileged User Namespaces In Ubuntu" by John Johansen and Maxime Belair](https://static.sched.com/hosted_files/lsseu2024/ed/Restricting%20Unprivileged%20User%20Namespaces%20In%20Ubuntu.pdf) [slides] [[video](https://www.youtube.com/watch?v=GcVjng8WVeg)] + +[2024: "Enhancing spatial safety: fixing thousands of -Wflex-array-member-not-at-end warnings" by Gustavo A. R. Silva](https://lpc.events/event/18/contributions/1722/attachments/1591/3303/Wfamnae_lpceu2024.pdf) [slides] [[video](https://www.youtube.com/watch?v=k4wX5OgbhAQ)] + +[2024: "Challenges and Innovations Towards Spatial Safety in the Linux Kernel" by Gustavo A. R. 
Silva](https://embeddedor.com/slides/2024/lceu/lceu2024.pdf) [slides] + +[2024: "Agni: Fast Formal Verification of the Verifier's Range Analysis" by Paul Chaignon](https://pchaigno.github.io/assets/Linux%20Plumbers%202024%20Agni.pdf) [slides] [[video](https://www.youtube.com/watch?v=3qH77qCl3SQ)] + +[2024: "Lazy Abstraction Refinement with Proof" by Hao Sun and Zhendong Su](https://lpc.events/event/18/contributions/1939/attachments/1593/3305/LPC%20'24%20(Hao%20Sun).pdf) [[video](https://www.youtube.com/watch?v=Lz-efC4KAl0)] + +[2024: "Improving eBPF Complexity with a Hardware-backed Isolation Environment" by Zhe Wang](https://lpc.events/event/18/contributions/1947/attachments/1452/3087/Zhe%20Wang.pdf) [[video](https://www.youtube.com/watch?v=TGpteJoDog8)] + +[2024: "Towards Safe Kernel Extensibility With eBPF" by Soo Yee Lim](https://s00y33.github.io/publication/safebpf/safebpf.pdf) [paper] [[slides](https://s00y33.github.io/event/ebpf-summit/slides.pdf)] [[video](https://www.youtube.com/live/PQNDsdP27Hw?t=15042s)] + +[2024: "Stop! 
Sandboxing Exploitable Functions and Modules Using In-Kernel Machine Learning"](https://i.blackhat.com/BH-US-24/Presentations/US24-Dai-Stop-Sandboxing-Exploitable-Functions-and-Modules-Using-In-Kernel-Machine-Learning-Thursday.pdf) [slides] + +[2024: "ISLAB: Immutable Memory Management Metadata for Commodity Operating System Kernels"](https://cs.brown.edu/~vpk/papers/islab.asiaccs24.pdf) [paper] + +[2024: "SeaK: Rethinking the Design of a Secure Allocator for OS Kernel"](https://www.usenix.org/system/files/usenixsecurity24-wang-zicheng.pdf) [paper] [[slides](https://www.usenix.org/system/files/usenixsecurity24_slides-wang-zicheng.pdf)] [[artifacts](https://www.usenix.org/system/files/usenixsecurity24-appendix-wang-zicheng.pdf)] + +[2024: "MOAT: Towards Safe BPF Kernel Extension"](https://www.usenix.org/system/files/usenixsecurity24-lu-hongyi.pdf) [paper] [[slides](https://www.usenix.org/system/files/usenixsecurity24_slides-lu-hongyi.pdf)] [[artifact](https://www.usenix.org/system/files/usenixsecurity24-appendix-lu-hongyi.pdf)] + +[2024: "SafeFetch: Practical Double-Fetch Protection with Kernel-Fetch Caching"](https://www.usenix.org/system/files/usenixsecurity24-duta.pdf) [paper] [[slides](https://www.usenix.org/system/files/usenixsecurity24_slides-duta.pdf)] [[artifacts](https://www.usenix.org/system/files/usenixsecurity24-appendix-duta.pdf)] + [2024: "Reducing Maintenance Burden by Bending C" by Mathias Krause](https://grsecurity.net/reducing_maintenance_burden_by_bending_c) [article] [2024: "BeeBox: Hardening BPF against Transient Execution Attacks" by Di Jin, Alexander J. Gaidis, and Vasileios P. Kemerlis](https://cs.brown.edu/~vpk/papers/beebox.sec24.pdf) [paper] [[code](https://gitlab.com/brown-ssl/beebox)] 
@@ -1950,7 +2014,13 @@ https://github.com/0xor0ne/awesome-list/ ## Misc -[2024: "Love and hate - The cyber tale between fuzzer and exploits in Linux kernel" by Zou Xiaochen](https://www.youtube.com/watch?v=cDcMlMH-XjU) [video] +[2024: "More Bang for Your Bug!" by Eduardo Vela and Space Meyer](https://docs.google.com/presentation/d/163DiKhThCTEb4Udv9FWfBQOiDtOXQHiCZ61pE-srBOw/present) [slides] [[video](https://www.youtube.com/watch?v=S0Wzy0Knw0M)] + +[2024: "Linux Kernel CVEs, What Has Caused So Many to Suddenly Show Up?" by Greg Kroah-Hartman](https://git.sr.ht/~gregkh/presentation-security/blob/main/security-stuff.pdf) [slides] [[video](https://www.youtube.com/watch?v=Rg_VPMT0XXw)] + +[2024: "Reverse Engineering a Kernel Driver chall: S01 E01"](https://www.youtube.com/watch?v=Ar4dZNL9rHE) [video] [[E02](https://www.youtube.com/watch?v=e7ydGxJ5fTQ)] + +[2024: "Love and hate - The cyber tale between fuzzer and exploits in Linux kernel" by Zou Xiaochen](https://www.youtube.com/watch?v=cDcMlMH-XjU) [video] [[slides](https://github.com/star-sg/OBO/blob/main/2024/Day%202/Love%20and%20hate%20-%20The%20cyber%20tale%20between%20fuzzer%20and%20exploits%20in%20Linux%20kernel.pptx)] [2024: "Reflections on RANDSTRUCT in GrapheneOS" by Julien Voisin](https://dustri.org/b/reflections-on-randstruct-in-grapheneos.html) [article] 
@@ -1970,7 +2040,7 @@ https://github.com/0xor0ne/awesome-list/ [2024: "Linux is a CNA" by Greg Kroah-Hartman](http://www.kroah.com/log/blog/2024/02/13/linux-is-a-cna/) [article] -[2024: "An Investigation of Patch Porting Practices of the Linux Kernel Ecosystem"](https://arxiv.org/pdf/2402.05212.pdf) [paper] +[2024: "An Investigation of Patch Porting Practices of the Linux Kernel Ecosystem"](https://arxiv.org/pdf/2402.05212.pdf) [paper] [[video](https://www.youtube.com/watch?v=nE0QcLT3Tvs)] [2023: "Syzbot: 7 years of continuous kernel fuzzing" by Aleksandr Nogikh](https://lpc.events/event/17/contributions/1521/attachments/1272/2698/LPC'23_%20Syzbot_%207%20years%20of%20continuous%20kernel%20fuzzing.pdf) [slides] [[video](https://www.youtube.com/watch?v=sDMNEBoTtrI)] @@ -2055,3 +2125,5 @@ https://github.com/hardenedvault/ved-ebpf https://github.com/thebabush/linux-russian-roulette https://kspp.github.io/ + +https://github.com/androidoffsec/libdevbinder -- cgit v1.3
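Review bot: the new SCAVY entry in the Exploitation hunk (`@@ -52,6 +52,10 @@`) has no author, while the SLUB Internals entry added alongside it and the PageJack and SLUBStick entries that follow all use the list's `[year: "title" by author](url) [type]` pattern; add the first author (with "et al." for multi-author papers) so the section stays uniform.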
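Review bot: the Defects-in-Depth entry added in the Protection Bypasses hunk (`@@ -281,6 +285,10 @@`) writes the author as "Lukas Maar et. al"; the conventional abbreviation is "et al." with no period after "et". The same spelling already appears in existing entries (SLUBStick in the Exploitation hunk, StateFuzz in Finding Bugs), so this is a list-wide normalisation rather than a blocker for this hunk, but new entries should not add more instances of it.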
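Review bot: in the LPE hunk (`@@ -416,11 +424,17 @@`), the Figma URL for the "Unleashing a 0day" deck carries the slug "Unleadhing-a-Oday---Osec". Figma derives that slug from the deck title and identifies the deck by the `node-id` parameter, so the misspelling is most likely upstream and harmless, but please confirm the link resolves before merging rather than "correcting" the slug. Separately, the "1day vuln dev: DirtyCOW" entry is a bare `[video]` with no author, whereas the two entries added just above it name their presenters; adding the presenter keeps the block consistent.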
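Review bot: the Project Zero URL in the Other hunk (`@@ -928,6 +942,10 @@`) contains a doubled slash, "0days-in-the-wild//0day-RCAs/2024/CVE-2024-44068.html"; most servers tolerate it, but the canonical path has a single slash and the link should be written that way. The existing TCP-AO entry directly below it uses an en dash in "CVE-2024–27394" (both in the title and in the tag) where every other entry uses a plain hyphen; that breaks text search for the CVE id and is worth fixing in the same pass.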
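Review bot: the CARDSHARK title in the Finding Bugs hunk (`@@ -1013,6 +1031,24 @@`) reads "Stablizing"; if that is the spelling on the paper itself, keep it, otherwise it should be "Stabilizing", so please check it against the linked PDF. Four of the added entries (CARDSHARK, "Detecting Kernel Memory Bugs through Inconsistent Memory Management Intention Inferences", MOCK and SyzGen++) omit the author, while the other new entries in the hunk and the StateFuzz/BRF entries that follow include one; adding the first author to each would keep the section uniform.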
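Review bot: two entries in the defenses hunk (`@@ -1296,6 +1332,34 @@`), "Lazy Abstraction Refinement with Proof" and "Improving eBPF Complexity with a Hardware-backed Isolation Environment", link a PDF but omit the `[slides]` type tag that every other entry in the hunk places before its `[[video](...)]`; add it to both. The MOAT entry labels its appendix `[[artifact](...)]` while the SeaK and SafeFetch entries beside it (and the Defects-in-Depth entry elsewhere in this patch) use `[[artifacts](...)]`; pick one spelling for the label.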