From 7d8810cc2b3d2978040e069dc4df2c006010bae5 Mon Sep 17 00:00:00 2001
From: Andrey Konovalov
Date: Tue, 2 Jul 2024 22:14:56 +0200
Subject: May/June updates

---
 README.md | 40 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 6c8a48e..6131a6f 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ### Exploitation
 
+[2024: "Binary Exploitation Notes: Kernel" by Andrej Ljubic](https://ir0nstone.gitbook.io/notes/types/kernel) [articles]
+
 [2024: "Take a Step Further: Understanding Page Spray in Linux Kernel Exploitation"](https://arxiv.org/pdf/2406.02624) [paper]
 
 [2024: "GhostRace: Exploiting and Mitigating Speculative Race Conditions"](https://www.vusec.net/projects/ghostrace/) [paper]
@@ -86,7 +88,7 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 [2023: "Algorithmic Heap Layout Manipulation in the Linux Kernel" by Max Ufer and Daniel Baier](https://escholarship.org/content/qt8ss3f7w1/qt8ss3f7w1.pdf) [paper] [[artifacts](https://github.com/fkie-cad/Algorithmic-Heap-Layout-Manipulation-in-the-Linux-Kernel)]
 
-[2023: "The Return of Stack Overflows in the Linux Kernel" by Davide Ornaghi](https://conference.hitb.org/hitbsecconf2023ams/materials/D2%20COMMSEC%20-%20The%20Return%20of%20Stack%20Overflows%20in%20the%20Linux%20Kernel%20-%20Davide%20Ornaghi.pdf) [slides]
+[2023: "The Return of Stack Overflows in the Linux Kernel" by Davide Ornaghi](https://conference.hitb.org/hitbsecconf2023ams/materials/D2%20COMMSEC%20-%20The%20Return%20of%20Stack%20Overflows%20in%20the%20Linux%20Kernel%20-%20Davide%20Ornaghi.pdf) [slides] [[video](https://www.youtube.com/watch?v=5b9UlBrzvG0)]
 
 [2023: "Exploiting null-dereferences in the Linux kernel" by Seth Jenkins](https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html) [article]
 
@@ -269,6 +271,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ### Protection Bypasses
 
+[2024: "TikTag: Breaking ARM's Memory Tagging Extension with Speculative Execution" by Juhee Kim et al.](https://arxiv.org/pdf/2406.08719) [paper] [[code](https://github.com/compsec-snu/tiktag)]
+
 [2023: "Leaky Address Masking: Exploiting Unmasked Spectre Gadgets with Noncanonical Address Translation"](https://download.vusec.net/papers/slam_sp24.pdf) [paper]
 
 [2023: "MTE As Implemented, Part 3: The Kernel" by Mark Brand](https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-3-kernel.html) [article]
@@ -400,6 +404,18 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ### LPE
 
+[2024: "Driving forward in Android drivers" by Seth Jenkins](https://googleprojectzero.blogspot.com/2024/06/driving-forward-in-android-drivers.html) [article] [[video](https://archive.org/details/shmoocon2024/Shmoocon2024-SethJenkins-Driving_Forward_in_Android_Drivers.mp4)] [CVE-2023-32837] [CVE-2023-32832]
+
+[2024: "Attacking Android Binder: Analysis and Exploitation of CVE-2023-20938" by Eugene Rodionov, Zi Fan Tan, and Gulshan Singh](https://androidoffsec.withgoogle.com/posts/attacking-android-binder-analysis-and-exploitation-of-cve-2023-20938/) [article] [CVE-2023-20938]
+
+[2024: "How to Fuzz Your Way to Android Universal Root: Attacking Android Binder" by Eugene Rodionov and Zi Fan Tan](https://androidoffsec.withgoogle.com/posts/attacking-android-binder-analysis-and-exploitation-of-cve-2023-20938/offensivecon_24_binder.pdf) [slides] [[video](https://www.youtube.com/watch?v=U-xSM159YLI)] [CVE-2023-20938]
+
+[2024: "Linux Kernel nft_validate_register_store Integer Overflow Privilege Escalation"](https://ssd-disclosure.com/ssd-advisory-linux-kernel-nft_validate_register_store-integer-overflow-privilege-escalation/) [article] [CVE-UNKNOWN]
+
+[2024: "Game of Cross Cache: Let's win it in a more effective way!" by Le Wu](https://i.blackhat.com/Asia-24/Presentations/Asia-24-Wu-Game-of-Cross-Cache.pdf) [slides] [CVE-2023-21400]
+
+[2024: "LinkDoor: A Hidden Attack Surface in the Android Netlink Kernel Modules" by Chao Ma et al.](https://i.blackhat.com/Asia-24/Presentations/Asia-24-Ma-LinkDoor-A-Hidden-Attack.pdf) [slides] [CVE-2023-32878] [CVE-2023-32882]
+
 [2024: "Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques" by notselwyn](https://pwning.tech/nftables/) [article] [[exploit](https://github.com/Notselwyn/CVE-2024-1086)] [CVE-2024-1086]
 
 [2024: "64 bytes and a ROP chain – A journey through nftables" by Davide Ornaghi](https://betrusted.it/blog/64-bytes-and-a-rop-chain-part-1/) [article] [[part 2](https://betrusted.it/blog/64-bytes-and-a-rop-chain-part-2/)] [[exploit](https://github.com/TurtleARM/CVE-2023-0179-PoC)] [CVE-2023-0179]
@@ -880,6 +896,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ### Other
 
+[2024: "Race condition in 9p file system"](https://r00tkitsmm.github.io/fuzzing/2024/05/29/Race-into-9p.html) [article]
+
 [2024: "Notes about ZDI-24-195 in ksmbd"](https://twitter.com/Shiftreduce/status/1773385937893896206) [thread] [ZDI-24-195]
 
 [2024: "PowerVR GPU - GPU Firmware may overwrite arbitrary kernel pages by RGXCreateFreeList"](https://bugs.chromium.org/p/apvi/issues/detail?id=140) [report]
@@ -959,6 +977,12 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ## Finding Bugs
 
+[2024: "So You Wanna Find Bugs In The Linux Kernel?" by Sam Page](https://github.com/sam4k/talk-slides/blob/main/so_you_wanna_find_bugs_in_the_linux_kernel.pdf) [slides]
+
+[2024: "A bug hunter's reflections on fuzzing" by Alexander Popov](https://a13xp0p0v.github.io/img/Alexander_Popov-Reflections_on_Fuzzing.pdf) [slides] [[video](https://www.youtube.com/watch?v=wTbFmdx7wG8)]
+
+[2024: "To Boldly Go Where No Fuzzer Has Gone Before: Finding Bugs in Linux’ Wireless Stacks through VirtIO Devices" by Sonke Huster et al.](https://www.uni-goettingen.de/de/document/download/6b0d1e9d8e2fb7f57cc1a2fab1b071e7.pdf/huster_S&P24.pdf) [paper] [[code](https://github.com/seemoo-lab/VirtFuzz)]
+
 [2024: "Your NVMe Had Been Syz’ed: Fuzzing NVMe-oF/TCP Driver for Linux with Syzkaller" by Alon Zavahi](https://www.cyberark.com/resources/threat-research-blog/your-nvme-had-been-syzed-fuzzing-nvme-of-tcp-driver-for-linux-with-syzkaller) [article] [[slides](https://download.scrt.ch/insomnihack/ins24-slides/Syzkaller%20NVMe-oF.pdf)] [[video](https://www.youtube.com/watch?v=Jc25CM1Ppgo)]
 
 [2024: "Structure-Aware linux kernel Fuzzing with libFuzzer"](https://r00tkitsmm.github.io/fuzzing/2024/03/27/libffuzzerkernel.html) [article]
@@ -1230,6 +1254,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map)
 
+[2024: "On Kernel's Safety in the Spectre Era (And KASLR is Formally Dead)" by Davide Davoli et al.](https://arxiv.org/pdf/2406.07278) [paper]
+
+[2024: "Challenges and innovations towards safer flexible arrays in the Linux Kernel" by Gustavo A. R. Silva](https://embeddedor.com/slides/2024/llc/llc2024.pdf) [slides]
+
 [2024: "Mitigating Integer Overflow in C" by Kees Cook](https://outflux.net/slides/2024/lss-na/) [slides] [[video](https://www.youtube.com/watch?v=PLcZkgHCk90)]
 
 [2024: "Gaining bounds-checking on trailing arrays in the Upstream Linux Kernel" by Gustavo A. R. Silva](https://embeddedor.com/slides/2024/eo/eo2024.pdf) [slides]
@@ -1533,6 +1561,10 @@ https://github.com/ysanatomic/io_uring_LPE-CVE-2024-0582
 
 https://github.com/YuriiCrimson/ExploitGSM/ [[notes](https://mastodon.social/@gabe_k/112251322421680553)] [[discussion](https://www.openwall.com/lists/oss-security/2024/04/10/18)]
 
+https://github.com/roddux/germy
+
+https://github.com/renorobert/tagbleedvmm
+
 
 ## Tools
 
@@ -1574,6 +1606,8 @@ https://github.com/sslab-gatech/janus
 
 https://github.com/google/buzzer
 
+https://github.com/h0mbre/Lucid
+
 
 ### Assorted
 
@@ -1850,6 +1884,10 @@ https://github.com/0xor0ne/awesome-list/
 
 ## Misc
 
+[2024: "silent syscall hooking on arm64 linux via patching svc handler"](https://tmpout.sh/3/23.html) [article]
+
+[2024: "CVE-2021-4440: A Linux CNA Case Study" by Brad Spengler](https://grsecurity.net/cve-2021-4440_linux_cna_case_study) [article]
+
 [2024: "Make your own backdoor: CFLAGS code injection, Makefile injection, pkg-config" by Vegard Nossum](https://www.openwall.com/lists/oss-security/2024/04/17/3) [article]
 
 [2024: "Demo showing Claude Opus does not find CVE-2023-0266" by Sean Heelan](https://github.com/SeanHeelan/claude_opus_cve_2023_0266) [article]
-- 
cgit v1.3