From 9221d3666f12a4040066e00b8c91f3b1c51800ab Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Sat, 2 Sep 2023 02:39:35 +0200 Subject: July/August updates --- README.md | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 71 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 31e4390..dd512f6 100644 --- a/README.md +++ b/README.md 
@@ -52,6 +52,16 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Exploitation +[2023: "Breaking Hardware-Assisted Kernel Control-Flow Integrity with Page-Oriented Programming" by Seunghun Han](https://i.blackhat.com/BH-US-23/Presentations/US-23-Han-Lost-Control-Breaking-Hardware-Assisted-Kernel.pdf) [slides] + +[2023: "Make KSMA Great Again: The Art of Rooting Android devices by GPU MMU features" by Yong Wang](https://i.blackhat.com/BH-US-23/Presentations/US-23-WANG-The-Art-of-Rooting-Android-devices-by-GPU-MMU-features.pdf) [slides] + +[2023: "A new method for container escape using file-based DirtyCred" by Choo Yi Kai](https://starlabs.sg/blog/2023/07-a-new-method-for-container-escape-using-file-based-dirtycred/) [article] + +[2023: "prctl anon_vma_name: An Amusing Linux Kernel Heap Spray" by Cherie-Anne Lee](https://starlabs.sg/blog/2023/07-prctl-anon_vma_name-an-amusing-heap-spray/) [article] + +[2023: "Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel" by Nicolas Wu](https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html) [article] + [2023: "Exploit Engineering – Attacking the Linux Kernel" by Alex Plaskett and Cedric Halbronn](https://research.nccgroup.com/wp-content/uploads/2023/05/exploit-engineering-linux-kernel.pdf) [slides] [[video](https://www.youtube.com/watch?v=9wgHENj_YNk)] [2023: "Algorithmic Heap Layout Manipulation in the Linux Kernel" by Max Ufer and Daniel Baier](https://escholarship.org/content/qt8ss3f7w1/qt8ss3f7w1.pdf) [paper] [[artifacts](https://github.com/fkie-cad/Algorithmic-Heap-Layout-Manipulation-in-the-Linux-Kernel)] 
@@ -229,6 +239,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Protection Bypasses +[2023: "Breaking Hardware-Assisted Kernel Control-Flow Integrity with Page-Oriented Programming" by Seunghun Han](https://i.blackhat.com/BH-US-23/Presentations/US-23-Han-Lost-Control-Breaking-Hardware-Assisted-Kernel.pdf) [slides] + +[2023: "MTE As Implemented, Part 3: The Kernel" by Mark Brand](https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-3-kernel.html) [article] + [2023: "EPF: Evil Packet Filter" by Di Jin, Vaggelis Atlidakis, and Vasileios P. Kemerlis](https://cs.brown.edu/~vpk/papers/epf.atc23.pdf) [paper] [2023: "Bypassing SELinux with init_module" by Sean Pesce](https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html) [article] 
@@ -346,6 +360,26 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### LPE +[2023: "Google: Security Research: CVE-2023-3390](https://github.com/google/security-research/tree/master/pocs/linux/kernelctf/CVE-2023-3390_lts_cos_mitigation/docs) [article] [CVE-2023-3390] + +[2023: "Google: Security Research: CVE-2023-0461](https://github.com/google/security-research/tree/master/pocs/linux/kernelctf/CVE-2023-0461_mitigation/docs) [article] [CVE-2023-0461] + +[2023: "Old bug, shallow bug: Exploiting Ubuntu at Pwn2Own Vancouver 2023" by Tanguy Dubroca](https://www.synacktiv.com/publications/old-bug-shallow-bug-exploiting-ubuntu-at-pwn2own-vancouver-2023) [article] [CVE-2023-35001] + +[2023: "Linux Kernel Exploit (CVE-2022–32250) with mqueue"](https://blog.theori.io/linux-kernel-exploit-cve-2022-32250-with-mqueue-a8468f32aab5) [article] [CVE-2022–32250] + +[2023: "Bad io_uring: A New Era of Rooting for Android" by Zhenpeng Lin](https://i.blackhat.com/BH-US-23/Presentations/US-23-Lin-bad_io_uring.pdf) [slides] [CVE-2022-20409] + +[2023: "CVE-2023-3389 - LinkedPoll" by Querijn Voet](https://qyn.app/posts/CVE-2023-3389/) [article] [CVE-2023-3389] + +[2023: "GameOver(lay): Easy-to-exploit local privilege escalation vulnerabilities in Ubuntu Linux" by Sagi Tzadik and Shir Tamari](https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability) [article] [CVE-2023-2640] [CVE-2023-32629] + +[2023: "StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability" by Ruihan Li](https://github.com/lrh2000/StackRot) [article] [CVE-2023-3269] + +[2023: "No CVE for this. 
It has never been in the official kernel"](https://soez.github.io/posts/no-cve-for-this.-It-has-never-been-in-the-official-kernel/) [article] + +[2023: "CVE-2020-27786 exploitation userfaultfd + patching file struct etc passwd"](https://soez.github.io/posts/CVE-2020-27786-exploitation-userfaultfd-+-patching-file-struct-etc-passwd/) [article] [CVE-2020-27786] + [2023: "Breaking the Code - Exploiting and Examining CVE-2023-1829 in cls_tcindex Classifier Vulnerability" by Vu Thi Lan](https://starlabs.sg/blog/2023/06-breaking-the-code-exploiting-and-examining-cve-2023-1829-in-cls_tcindex-classifier-vulnerability/) [article] [CVE-2023-1829] [2023: "CVE-2023-2008 - Analyzing and exploiting a bug in the udmabuf driver"](https://labs.bluefrostsecurity.de/blog/cve-2023-2008.html) [article] [CVE-2023-2008] @@ -770,6 +804,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Other +[2023: "CVE-2023-4273: a vulnerability in the Linux exFAT driver" by Maxim Suhanov](https://dfir.ru/2023/08/23/cve-2023-4273-a-vulnerability-in-the-linux-exfat-driver/) [article] [CVE-2023-4273] + [2023: "Linux IPv6 'Route of Death' 0day" by Max VA](https://www.interruptlabs.co.uk/articles/linux-ipv6-route-of-death) [article] [CVE-2023-2156] [2022: "Linux Kernel: Infoleak in Bluetooth L2CAP Handling"](https://github.com/google/security-research/security/advisories/GHSA-vccx-8h74-2357) [advisory] [CVE-2022-42895] 
@@ -833,6 +869,14 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ## Finding Bugs +[2023: "DDRace: Finding Concurrency UAF Vulnerabilities in Linux Drivers with Directed Fuzzing"](https://www.usenix.org/system/files/usenixsecurity23-yuan-ming.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec23_slides_yuan.pdf)] + +[2023: "BoKASAN: Binary-only Kernel Address Sanitizer for Effective Kernel Fuzzing"](https://www.usenix.org/system/files/usenixsecurity23-cho.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec23_slides_cho-mingi.pdf)] [[artifacts](https://github.com/seclab-yonsei/BoKASAN)] + +[2023: "FirmSolo: Enabling dynamic analysis of binary Linux-based IoT kernel modules](https://www.usenix.org/system/files/usenixsecurity23-angelakopoulos.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec23_slides_angelakopoulos.pdf)] + +[2023: "ACTOR: Action-Guided Kernel Fuzzing"](https://www.usenix.org/system/files/usenixsecurity23-fleischer.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec23_slides_fleischer.pdf)] [[artifacts](https://github.com/ucsb-seclab/actor)] + [2023: "UNCONTAINED: Uncovering Container Confusion in the Linux Kernel" by Jakob Koschel, Pietro Borrello, et al.](https://download.vusec.net/papers/uncontained_sec23.pdf) [paper] [2023: "KIT: Testing OS-Level Virtualization for Functional Interference Bugs"](https://dl.acm.org/doi/pdf/10.1145/3575693.3575731) [paper] 
@@ -1074,6 +1118,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map) +[2023: "Mitigating Security Risks in Linux with KLAUS: A Method for Evaluating Patch Correctness"](https://www.usenix.org/system/files/usenixsecurity23-wu-yuhang.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec23_slides_wu-yuhang.pdf)] + [2023: "Progress On Bounds Checking in C and the Linux Kernel" by Kees Cook & Gustavo A. R. Silva](https://outflux.net/slides/2023/lss-na/bounds-checking.pdf) [slides] [[video](https://www.youtube.com/watch?v=V2kzptQG5_A)] [2023: "Mobile Exploitation - The past, present, and the future" by Ki Chan Ahn](https://github.com/externalist/presentations/blob/master/2023%20Zer0con/Mobile%20Exploitation%2C%20the%20past%2C%20present%2C%20and%20future.pdf) [slides] @@ -1351,6 +1397,8 @@ https://github.com/lanleft/CVE2023-1829 https://github.com/TurtleARM/CVE-2023-3338 +https://github.com/kungfulon/nf-tables-lpe + ## Tools @@ -1469,6 +1517,10 @@ https://github.com/nccgroup/libslub HackTheBox (knote): [writeup](https://pwning.tech/knote/) +corCTF 2023 (sysruption): [writeup](https://www.willsroot.io/2023/08/sysruption.html) + +corCTF 2023 (zeroday, kcipher): [writeup](https://blog.libh0ps.so/2023/08/02/corCTF2023.html) + BFS Ekoparty 2022 (blunder): [writeup](https://klecko.github.io/posts/bfs-ekoparty-2022/) D^3CTF 2022 (d3bpf): [writeup](https://stdnoerr.github.io/writeup/2022/08/21/eBPF-exploitation-(ft.-D-3CTF-d3bpf).html), [writeup 2](https://github.com/chujDK/d3ctf2022-pwn-d3bpf-and-v2) @@ -1609,6 +1661,8 @@ https://github.com/a13xp0p0v/kernel-hack-drill https://github.com/pr0cf5/kernel-exploit-practice +https://github.com/hardik05/Damn_Vulnerable_Kernel_Module + ### Infrastructure 
@@ -1617,8 +1671,19 @@ https://github.com/mncoppola/Linux-Kernel-CTF https://github.com/crowell/old_blog/blob/source/source/_posts/2014-11-24-hosting-a-local-kernel-ctf-challenge.markdown +## Other lists + +[grsecurity/PaX Citations in Academic Research](https://grsecurity.net/research.php) + +https://github.com/0xricksanchez/paper_collection + +https://github.com/NetKingJ/awesome-android-security + + ## Misc +[2023: "What is a 'good' Linux Kernel bug?" by Ben Hawkes](https://blog.isosceles.com/what-is-a-good-linux-kernel-bug/) [article] + [2023: "Analysing Linux Kernel Commits"](https://sam4k.com/analysing-linux-kernel-commits/) [article] [2022: "Mind the Gap" by Ian Beer](https://googleprojectzero.blogspot.com/2022/11/mind-the-gap.html) [article] @@ -1653,8 +1718,6 @@ https://github.com/hackedteam https://forums.grsecurity.net/viewforum.php?f=7 -https://grsecurity.net/research.php - https://github.com/jameshilliard/linux-grsec/ https://www.youtube.com/c/dayzerosec/videos @@ -1680,3 +1743,9 @@ https://github.com/ameetsaahu/Kernel-exploitation https://github.com/cmu-pasta/linux-kernel-enriched-corpus https://github.com/niveb/NoCrypt + +https://github.com/heki-linux + +https://twitter.com/sirdarckcat/status/1681924752800366592 + +https://github.com/hardenedvault/ved-ebpf -- cgit v1.3
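Review bot: in the `@@ -52,6 +52,16 @@` hunk (Exploitation), the new entry for Seunghun Han's "Breaking Hardware-Assisted Kernel Control-Flow Integrity with Page-Oriented Programming" is added a second time, with the identical URL, in the `@@ -229,6 +239,10 @@` hunk (Protection Bypasses). If the list cross-references items on purpose this is fine; otherwise keep it in one section so the same slides are not counted twice.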
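Review bot: in the `@@ -346,6 +360,26 @@` hunk (LPE), the first two added entries open a double quote that is never closed, so the link text reads `[2023: "Google: Security Research: CVE-2023-3390](...)` and `[2023: "Google: Security Research: CVE-2023-0461](...)`; every other entry in the list closes the title with `"` before `]`. In the same hunk the mqueue entry tags the CVE as `[CVE-2022–32250]` with an en dash copied from the blog title; the tag should be `[CVE-2022-32250]` with a plain hyphen so it matches the other CVE tags and can be found by grepping for the identifier (the en dash inside the quoted title can stay, since it reproduces the source title).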
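Review bot: in the `@@ -833,6 +869,14 @@` hunk (Finding Bugs), the FirmSolo entry is missing its closing quote: `[2023: "FirmSolo: Enabling dynamic analysis of binary Linux-based IoT kernel modules](...)`. Add `"` before `]` as in the neighbouring DDRace, BoKASAN and ACTOR entries.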
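Review bot: in the `@@ -1617,8 +1671,19 @@` hunk, the new "## Other lists" section ends with two consecutive blank lines before `## Misc`, whereas the rest of the file separates entries and headings with a single blank line; drop one of the two added empty `+` lines. Moving `https://grsecurity.net/research.php` into this section is consistent with its removal from Misc in the `@@ -1653,8 +1718,6 @@` hunk, so no duplicate is left behind.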