From 683c29505df800a77746c1414edd22c43315ee86 Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Fri, 27 Apr 2018 19:19:31 +0200 Subject: Update README.md --- README.md | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 57 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 9d4567d..8640060 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,16 @@ Pull requests are welcome. ## Exploitation techniques +[2018: "Linux-Kernel-Exploit Stack Smashing"](http://tacxingxing.com/2018/02/15/linux-kernel-exploit-stack-smashing/) [article] + +[2018, HitB: "Mirror Mirror: Rooting Android 8 with a Kernel Space Mirroring Attack" by Wang Yong](https://conference.hitb.org/hitbsecconf2018ams/materials/D1T2%20-%20Yong%20Wang%20&%20Yang%20Song%20-%20Rooting%20Android%208%20with%20a%20Kernel%20Space%20Mirroring%20Attack.pdf) [slides] + +[2018, BlackHat: "KSMA: Breaking Android kernel isolation and Rooting with ARM MMU features" by Wang Yong](https://www.blackhat.com/docs/asia-18/asia-18-WANG-KSMA-Breaking-Android-kernel-isolation-and-Rooting-with-ARM-MMU-features.pdf) [slides] + +[2018, OffensiveCon: "Concolic Testing for Kernel Fuzzing and Vulnerability Discovery" by Vitaly Nikolenko](https://www.youtube.com/watch?v=mpfKN1URqdQ) [video] + +[2018: "Still Hammerable and Exploitable: on the Effectiveness of Software-only Physical Kernel Isolation"](https://arxiv.org/pdf/1802.07060.pdf) [paper] + [2017: "KERNELFAULT: Pwning Linux using Hardware Fault Injection" by Niek Timmers and Cristofaro Mune](https://www.youtube.com/watch?v=nqF_IjXg_uM) [video] [2017: "Escalating Privileges in Linux using Fault Injection" by Niek Timmers and Cristofaro Mune](https://www.riscure.com/uploads/2017/10/escalating-privileges-in-linux-using-fi-presentation-fdtc-2017.pdf) [slides] 
@@ -28,6 +38,8 @@ Pull requests are welcome. [2017: "Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying"](https://www.internetsociety.org/sites/default/files/ndss2017_09-2_Lu_paper.pdf) [whitepaper] +[2017: "Breaking KASLR with perf" by Lizzie Dixon](https://blog.lizzie.io/kaslr-and-perf.html) [article] + [2016: "Getting Physical Extreme abuse of Intel based Paging Systems" by Nicolas Economou and Enrique Nissim](https://www.coresecurity.com/system/files/publications/2016/05/CSW2016%20-%20Getting%20Physical%20-%20Extended%20Version.pdf) [slides] [2016: "Linux Kernel ROP - Ropping your way to # (Part 1)" by Vitaly Nikolenko](https://www.trustwave.com/Resources/SpiderLabs-Blog/Linux-Kernel-ROP---Ropping-your-way-to---(Part-1)/) [article] @@ -104,6 +116,10 @@ Pull requests are welcome. ### LPE +[2018: "Ubuntu kernel eBPF 0day analysis"](https://security.tencent.com/index.php/blog/msg/124) [article, CVE-2017-16995] + +[2017: "Adapting the POC for CVE-2017-1000112 to Other Kernels"](https://ricklarabee.blogspot.de/2017/12/adapting-poc-for-cve-2017-1000112-to.html) [article, CVE-2017-1000112] + [2017: "The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel" by Di Shen](https://speakerdeck.com/retme7/the-art-of-exploiting-unconventional-use-after-free-bugs-in-android-kernel) [slides, CVE-2017-0403, CVE-2016-6787] [2017: "Exploiting CVE-2017-5123 with full protections. SMEP, SMAP, and the Chrome Sandbox!" by Chris Salls](https://salls.github.io/Linux-Kernel-CVE-2017-5123/) [article, CVE-2017-5123] 
@@ -252,6 +268,13 @@ Pull requests are welcome. [2009: "When a "potential D.o.S." means a one-shot remote kernel exploit: the SCTP story"](https://kernelbof.blogspot.de/2009/04/kernel-memory-corruptions-are-not-just.html) [article, CVE-2009-0065] +### Other + +[2017: "initroot: Bypassing Nexus 6 Secure Boot through Kernel Command-line Injection"](https://alephsecurity.com/2017/05/23/nexus6-initroot/#anecdote-a-linux-kernel-out-of-bounds-write-cve-2017-1000363) [article, CVE-2017-1000363] + +[2016: "Motorola Android Bootloader Kernel Cmdline Injection Secure Boot Bypass"](https://alephsecurity.com/vulns/aleph-2017011) [article, CVE-2016-10277] + + ## Protection bypass techniques [2016: "Linux Kernel x86-64 bypass SMEP - KASLR - kptr_restric"](http://blackbunny.io/linux-kernel-x86-64-bypass-smep-kaslr-kptr_restric/) [article] @@ -287,6 +310,8 @@ Pull requests are welcome. ## Defensive +[2018: "KASR: A Reliable and Practical Approach to Attack Surface Reduction of Commodity OS Kernels"] (https://arxiv.org/pdf/1802.07062.pdf) [paper] + [2018, Linux Conf AU: "The State of Kernel Self Protection" by Kees Cook](https://outflux.net/slides/2018/lca/kspp.pdf) [slides] [2017: "Towards Linux Kernel Memory Safety"](https://arxiv.org/pdf/1710.06175.pdf) [whitepaper] 
@@ -303,6 +328,8 @@ Pull requests are welcome. [2017: "Fine Grained Control-Flow Integrity for The Linux Kernel" by Sandro Rigo, Michalis Polychronakis, Vasileios Kemerlis](https://www.blackhat.com/docs/asia-17/materials/asia-17-Moreira-Drop-The-Rop-Fine-Grained-Control-Flow-Integrity-For-The-Linux-Kernel.pdf) [slides] +[2016: "Thwarting unknown bugs: hardening features in the mainline Linux kernel" by Mark Rutland](https://elinux.org/images/8/87/Thwarting_Unknown_Bugs.pdf) [slides] + [2016: "Emerging Defense in Android Kernel" by James Fang](http://keenlab.tencent.com/en/2016/06/01/Emerging-Defense-in-Android-Kernel/) [article] [2016: "Randomizing the Linux kernel heap freelists" by Thomas Garnier](https://medium.com/@mxatone/randomizing-the-linux-kernel-heap-freelists-b899bb99c767#.3csq8t23s) [article] @@ -315,11 +342,17 @@ Pull requests are welcome. [2012: "How do I mitigate against NULL pointer dereference vulnerabilities?" by RedHat](https://access.redhat.com/articles/20484) [article] +[2011: "Linux kernel vulnerabilities: State-of-the-art defenses and open problems"](https://pdos.csail.mit.edu/papers/chen-kbugs.pdf) [paper] + [2009, Phrack: "Linux Kernel Heap Tampering Detection" by Larry Highsmith](http://phrack.org/archives/issues/66/15.txt) [article] ## Fuzzing & detectors +[2018, BlackHat: "New Compat Vulnerabilities In Linux Device Drivers"](https://www.blackhat.com/docs/asia-18/asia-18-Ding-New-Compat-Vulnerabilities-In-Linux-Device-Drivers.pdf) [slides] + +[2018: "Precise and Scalable Detection of Double-Fetch Bugs in OS Kernels"](http://www-users.cs.umn.edu/~kjlu/papers/deadline.pdf) [paper] + [2017: "The android vulnerability discovery in SoC" by Yu Pan and Yang Dai](http://powerofcommunity.net/poc2017/yu.pdf) [slides] [2017, Black Hat USA: "Evolutionary Kernel Fuzzing" by Richard Johnson](https://moflow.org/Presentations/Evolutionary%20Kernel%20Fuzzing-BH2017-rjohnson-FINAL.pdf) [slides] 
@@ -439,20 +472,8 @@ PlaidCTF 2013 (Servr): [writeup](http://blog.frizn.fr/plaidctf-2013/pwn-400-serv 0ctf2017: [source and exploit](https://github.com/lovelydream/0ctf2017_kernel_pwn) +0ctf2018: [writeup 1](http://blog.eadom.net/writeups/0ctf-2018-zerofs-writeup/), [writeup 2](http://ddaa.tw/0ctf_pwnable_478_zer0fs.html) -### Misc - -https://github.com/Fuzion24/AndroidKernelExploitationPlayground - -https://github.com/ReverseLab/kernel-pwn-challenge - -https://github.com/NoviceLive/research-rootkit - -https://github.com/djrbliss/libplayground - -[pwnable.kr tasks](http://pwnable.kr/play.php) (syscall, rootkit, softmmu, towelroot, kcrc, exynos) - -[RPISEC kernel labs](https://github.com/RPISEC/MBE/tree/master/src/lab10) ## Tools @@ -477,10 +498,32 @@ http://www.openwall.com/lkrg/ https://github.com/IAIK/meltdown -## Unsorted +### Misc + +https://github.com/Fuzion24/AndroidKernelExploitationPlayground + +https://github.com/ReverseLab/kernel-pwn-challenge + +https://github.com/NoviceLive/research-rootkit + +https://github.com/djrbliss/libplayground + +[pwnable.kr tasks](http://pwnable.kr/play.php) (syscall, rootkit, softmmu, towelroot, kcrc, exynos) + +[RPISEC kernel labs](https://github.com/RPISEC/MBE/tree/master/src/lab10) + +https://github.com/hackedteam https://github.com/mncoppola/Linux-Kernel-CTF https://crowell.github.io/blog/2014/11/24/hosting-a-local-kernel-ctf-challenge/ https://github.com/ukanth/afwall/wiki/Kernel-security + +https://github.com/a13xp0p0v/linux-kernel-defence-map + +https://github.com/kmcallister/alameda + +https://github.com/01org/jit-spray-poc-for-ksp + +https://forums.grsecurity.net/viewforum.php?f=7 -- cgit v1.3
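Review bot: In the `@@ -12,6 +12,16 @@` hunk, the entry `[2018, OffensiveCon: "Concolic Testing for Kernel Fuzzing and Vulnerability Discovery" by Vitaly Nikolenko]` is filed under `## Exploitation techniques`, but the README already has a `## Fuzzing & detectors` section (touched later in this same patch), which is where a talk about concolic testing for kernel fuzzing belongs; move the line there so the section keeps its focus on exploitation write-ups.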
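Review bot: In the `@@ -28,6 +38,8 @@` hunk, `[2017: "Breaking KASLR with perf" by Lizzie Dixon]` is added to `## Exploitation techniques`, while the README has a dedicated `## Protection bypass techniques` section (visible as context in the `@@ -252` hunk) that already holds the `"Linux Kernel x86-64 bypass SMEP - KASLR - kptr_restric"` entry; a KASLR-bypass article fits better next to that one.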
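Review bot: In the `@@ -252,6 +268,13 @@` hunk, the new `### Other` block ends with two blank lines before `## Protection bypass techniques`, whereas the rest of the file separates entries and headings with a single blank line; drop one of the two added empty `+` lines so the spacing stays uniform.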
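Review bot: In the `@@ -287,6 +310,8 @@` hunk, the KASR entry has a space between the closing `]` and the opening `(`, so Markdown will render it as literal text followed by a parenthesised URL instead of a link; change it to `[2018: "KASR: A Reliable and Practical Approach to Attack Surface Reduction of Commodity OS Kernels"](https://arxiv.org/pdf/1802.07062.pdf) [paper]`. While here, this arXiv entry is tagged `[paper]` but the arXiv entry two lines below (`"Towards Linux Kernel Memory Safety"`) is tagged `[whitepaper]`; pick one tag for papers so readers can grep by type.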
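Review bot: In the `@@ -439,20 +472,8 @@` hunk, the new `0ctf2018:` line does not name the task, unlike the neighbouring `PlaidCTF 2013 (Servr):` entry; both linked write-up URLs identify it as zer0fs, so `0ctf2018 (zer0fs): [writeup 1](...), [writeup 2](...)` would match the existing convention.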
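Review bot: In the `@@ -477,10 +498,32 @@` hunk, `## Unsorted` is renamed to `### Misc`, which demotes it to a subsection of `## Tools` (the hunk's context lines `http://www.openwall.com/lkrg/` and `https://github.com/IAIK/meltdown` are Tools entries), yet the block holds CTF and lab material moved out of the CTF area (`pwnable.kr tasks`, `RPISEC kernel labs`, `Linux-Kernel-CTF`, the "hosting a local kernel CTF challenge" post) and a forum link, none of which are tools. Either keep the heading at level two (`## Misc`) or move the CTF items back next to the `0ctf2018` entry. The bare `https://github.com/hackedteam` link also needs a short note saying which repository or material in that organisation is relevant, since the other bare URLs in the block each point at a single project.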