From ae1a8dafa8603fd24a4c7d25aa9df99786d920e0 Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Wed, 23 Dec 2020 18:28:19 +0100 Subject: Move conference names Put conference names after talk titles to make the titles more readable. --- README.md | 116 ++++++++++++++++++++++++++++++-------------------------------- 1 file changed, 57 insertions(+), 59 deletions(-) diff --git a/README.md b/README.md index c4920b9..7548626 100644 --- a/README.md +++ b/README.md @@ -27,11 +27,11 @@ Pull requests are welcome. [2020: "Structures that can be used in kernel exploits"](https://ptr-yudai.hatenablog.com/entry/2020/03/16/165628) [article] -[2019, Black Hat Europe: "Hands Off and Putting SLAB/SLUB Feng Shui in Blackbox" by Yueqi (Lewis) Chen](https://i.blackhat.com/eu-19/Wednesday/eu-19-Chen-Hands-Off-And-Putting-SLAB-SLUB-Feng-Shui-In-A-Blackbox.pdf) [slides] [[code](https://www.dropbox.com/sh/2kwcwqb8rjro80j/AAC8QBCIhcCylNUDLUd1OZCZa?dl=0)] +[2019: "Hands Off and Putting SLAB/SLUB Feng Shui in Blackbox" by Yueqi (Lewis) Chen at Black Hat Europe](https://i.blackhat.com/eu-19/Wednesday/eu-19-Chen-Hands-Off-And-Putting-SLAB-SLUB-Feng-Shui-In-A-Blackbox.pdf) [slides] [[code](https://www.dropbox.com/sh/2kwcwqb8rjro80j/AAC8QBCIhcCylNUDLUd1OZCZa?dl=0)] [2019: "SLAKE: Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel" by Yueqi (Lewis) Chen and Xinyu Xing](http://personal.psu.edu/yxc431/publications/SLAKE_Slides.pdf) [slides] [[paper](http://personal.psu.edu/yxc431/publications/SLAKE.pdf)] -[2019, Linux Security Summit EU: "Exploiting Race Conditions Using the Scheduler" by Jann Horn](https://static.sched.com/hosted_files/lsseu2019/04/LSSEU2019%20-%20Exploiting%20race%20conditions%20on%20Linux.pdf) [slides] [[video](https://www.youtube.com/watch?v=MIJL5wLUtKE)] +[2019: "Exploiting Race Conditions Using the Scheduler" by Jann Horn at Linux Security Summit EU](https://static.sched.com/hosted_files/lsseu2019/04/LSSEU2019%20-%20Exploiting%20race%20conditions%20on%20Linux.pdf) [slides] [[video](https://www.youtube.com/watch?v=MIJL5wLUtKE)] [2019: "Kepler: Facilitating Control-flow Hijacking Primitive Evaluation for Linux Kernel Vulnerabilities"](https://www.usenix.org/sites/default/files/conference/protected-files/sec19_slides_wu-wei.pdf) [slides] [[video](https://www.youtube.com/watch?v=4b_GbFs5XZI)] [[paper](https://www.usenix.org/system/files/sec19-wu-wei.pdf)] @@ -45,9 +45,9 @@ Pull requests are welcome. [2018: "Entering God Mode  -  The Kernel Space Mirroring Attack"](https://hackernoon.com/entering-god-mode-the-kernel-space-mirroring-attack-8a86b749545f) [article] -[2018, HitB: "Mirror Mirror: Rooting Android 8 with a Kernel Space Mirroring Attack" by Wang Yong](https://conference.hitb.org/hitbsecconf2018ams/materials/D1T2%20-%20Yong%20Wang%20&%20Yang%20Song%20-%20Rooting%20Android%208%20with%20a%20Kernel%20Space%20Mirroring%20Attack.pdf) [slides] +[2018: "Mirror Mirror: Rooting Android 8 with a Kernel Space Mirroring Attack" by Wang Yong at HitB](https://conference.hitb.org/hitbsecconf2018ams/materials/D1T2%20-%20Yong%20Wang%20&%20Yang%20Song%20-%20Rooting%20Android%208%20with%20a%20Kernel%20Space%20Mirroring%20Attack.pdf) [slides] -[2018, BlackHat: "KSMA: Breaking Android kernel isolation and Rooting with ARM MMU features" by Wang Yong](https://www.blackhat.com/docs/asia-18/asia-18-WANG-KSMA-Breaking-Android-kernel-isolation-and-Rooting-with-ARM-MMU-features.pdf) [slides] +[2018: "KSMA: Breaking Android kernel isolation and Rooting with ARM MMU features" by Wang Yong at BlackHat](https://www.blackhat.com/docs/asia-18/asia-18-WANG-KSMA-Breaking-Android-kernel-isolation-and-Rooting-with-ARM-MMU-features.pdf) [slides] [2018: "Still Hammerable and Exploitable: on the Effectiveness of Software-only Physical Kernel Isolation"](https://arxiv.org/pdf/1802.07060.pdf) [paper] @@ -77,13 +77,13 @@ Pull requests are welcome. [2016: "Linux Kernel ROP - Ropping your way to # (Part 2)" by Vitaly Nikolenko](https://www.trustwave.com/Resources/SpiderLabs-Blog/Linux-Kernel-ROP---Ropping-your-way-to---(Part-2)/) [article] -[2016, Ruxcon: "Exploiting COF Vulnerabilities in the Linux kernel" by Vitaly Nikolenko](https://ruxcon.org.au/assets/2016/slides/ruxcon2016-Vitaly.pdf) [slides] +[2016: "Exploiting COF Vulnerabilities in the Linux kernel" by Vitaly Nikolenko at Ruxcon](https://ruxcon.org.au/assets/2016/slides/ruxcon2016-Vitaly.pdf) [slides] [2016: "Using userfaultfd" by Lizzie Dixon](https://blog.lizzie.io/using-userfaultfd.html) [article] -[2016, DEF CON 24: "Direct Memory Attack the Kernel" by Ulf Frisk](https://www.youtube.com/watch?v=fXthwl6ShOg) [video] +[2016: "Direct Memory Attack the Kernel" by Ulf Frisk at DEF CON](https://www.youtube.com/watch?v=fXthwl6ShOg) [video] -[2016, Black Hat: "Randomization Can't Stop BPF JIT Spray" by Elena Reshetova](https://www.blackhat.com/docs/eu-16/materials/eu-16-Reshetova-Randomization-Can't-Stop-BPF-JIT-Spray.pdf) [slides] [[video](https://www.youtube.com/watch?v=_F7iQQ1Um2M)] [[paper](https://www.blackhat.com/docs/eu-16/materials/eu-16-Reshetova-Randomization-Can't-Stop-BPF-JIT-Spray-wp.pdf)] +[2016: "Randomization Can't Stop BPF JIT Spray" by Elena Reshetova at Black Hat](https://www.blackhat.com/docs/eu-16/materials/eu-16-Reshetova-Randomization-Can't-Stop-BPF-JIT-Spray.pdf) [slides] [[video](https://www.youtube.com/watch?v=_F7iQQ1Um2M)] [[paper](https://www.blackhat.com/docs/eu-16/materials/eu-16-Reshetova-Randomization-Can't-Stop-BPF-JIT-Spray-wp.pdf)] [2015: "Kernel Data Attack is a Realistic Security Threat"](https://www.eecis.udel.edu/~hnw/paper/kerneldata.pdf) [paper] @@ -91,7 +91,7 @@ Pull requests are welcome. [2015: "Linux Kernel Exploitation" by Patrick Biernat](http://security.cs.rpi.edu/courses/binexp-spring2015/lectures/23/13_lecture.pdf) [slides] -[2013, Black Hat USA: "Hacking like in the Movies: Visualizing Page Tables for Local Exploitation"](https://www.youtube.com/watch?v=Of6DemoMLaA) +[2013: "Hacking like in the Movies: Visualizing Page Tables for Local Exploitation" at Black Hat](https://www.youtube.com/watch?v=Of6DemoMLaA) [2013: "Exploiting linux kernel heap corruptions" by Mohamed Channam](http://resources.infosecinstitute.com/exploiting-linux-kernel-heap-corruptions-slub-allocator/) [article] @@ -115,19 +115,19 @@ Pull requests are welcome. [2010: "Exploiting Stack Overflows in the Linux Kernel" by Jon Oberheide](https://jon.oberheide.org/blog/2010/11/29/exploiting-stack-overflows-in-the-linux-kernel/) [article] -[2010, SOURCE Boston: "Linux Kernel Exploitation: Earning Its Pwnie a Vuln at a Time" by Jon Oberheide](https://jon.oberheide.org/files/source10-linuxkernel-jonoberheide.pdf) [slides] +[2010: "Linux Kernel Exploitation: Earning Its Pwnie a Vuln at a Time" by Jon Oberheide at SOURCE Boston](https://jon.oberheide.org/files/source10-linuxkernel-jonoberheide.pdf) [slides] -[2009, CanSecWest: "There's a party at ring0, and you're invited" by Tavis Ormandy and Julien Tinnes](https://www.cr0.org/paper/to-jt-party-at-ring0.pdf) [slides] +[2009: "There's a party at ring0, and you're invited" by Tavis Ormandy and Julien Tinnes at CanSecWest](https://www.cr0.org/paper/to-jt-party-at-ring0.pdf) [slides] [2007: "Kernel-mode exploits primer" by Sylvester Keil and Clemens Kolbitsch](http://old.iseclab.org/projects/vifuzz/docs/exploit.pdf) [paper] -[2007, Phrack: "Attacking the Core : Kernel Exploiting Notes"](http://phrack.org/archives/issues/64/6.txt) [article] +[2007: "Attacking the Core : Kernel Exploiting Notes"](http://phrack.org/archives/issues/64/6.txt) [article] [2007: "The story of exploiting kmalloc() overflows"](http://www.ouah.org/kmallocstory.html) [article] [2007: "Linux 2.6 Kernel Exploits" by Stephane Duverger](https://airbus-seclab.github.io/kernsploit/kernel_exploit_syscan07.pdf) [slides] -[2005, CancSecWest: "Large memory management vulnerabilities" by Gael Delalleau](https://cansecwest.com/core05/memory_vulns_delalleau.pdf) [slides] +[2005: "Large memory management vulnerabilities" by Gael Delalleau at CancSecWest](https://cansecwest.com/core05/memory_vulns_delalleau.pdf) [slides] [2005: "The story of exploiting kmalloc() overflows"](https://argp.github.io/public/kmalloc_exploitation.pdf) [article] @@ -168,15 +168,15 @@ Pull requests are welcome. [2020: "Attacking the Qualcomm Adreno GPU" by Ben Hawkes](https://googleprojectzero.blogspot.com/2020/09/attacking-qualcomm-adreno-gpu.html) [article, CVE-2020-11179] -[2020, Black Hat USA: "TiYunZong: An Exploit Chain to Remotely Root Modern Android Devices" by Guang Gong](https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices.pdf) [slides, CVE-2019-10567] [[paper](https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices-wp.pdf)] +[2020: "TiYunZong: An Exploit Chain to Remotely Root Modern Android Devices" by Guang Gong at Black Hat](https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices.pdf) [slides, CVE-2019-10567] [[paper](https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices-wp.pdf)] [2020: "Binder - Analysis and exploitation of CVE-2020-0041" by Jean-Baptiste Cayrou](https://www.synacktiv.com/posts/exploit/binder-analysis-and-exploitation-of-cve-2020-0041.html) [article, CVE-2020-0041] -[2020, THCON: "Binder IPC and its vulnerabilities" by Jean-Baptiste Cayrou](https://www.synacktiv.com/ressources/thcon2020_binder.pdf) [slides, CVE-2019-2215, CVE-2019-2025, CVE-2019-2181, CVE-2019-2214, CVE-2020-0041] +[2020: "Binder IPC and its vulnerabilities" by Jean-Baptiste Cayrou at THCON](https://www.synacktiv.com/ressources/thcon2020_binder.pdf) [slides, CVE-2019-2215, CVE-2019-2025, CVE-2019-2181, CVE-2019-2214, CVE-2020-0041] [2020: "Exploiting CVE-2020-0041 - Part 2: Escalating to root" by Eloi Sanfelix and Jordan Gruskovnjak](https://labs.bluefrostsecurity.de/blog/2020/04/08/cve-2020-0041-part-2-escalating-to-root/) [article, CVE-2020-0041] -[2020, OffensiveCon: "A bug collision tale" by Eloi Sanfelix](https://labs.bluefrostsecurity.de/files/OffensiveCon2020_bug_collision_tale.pdf) [slides, CVE-2019-2025] [[video](https://www.youtube.com/watch?v=WOdRkZwGYDQ)] +[2020: "A bug collision tale" by Eloi Sanfelix at OffensiveCon](https://labs.bluefrostsecurity.de/files/OffensiveCon2020_bug_collision_tale.pdf) [slides, CVE-2019-2025] [[video](https://www.youtube.com/watch?v=WOdRkZwGYDQ)] [2020: "CVE-2020-8835: Linux Kernel Privilege Escalation via Improper eBPF Program Verification" by Manfred Paul](https://www.zerodayinitiative.com/blog/2020/4/8/cve-2020-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification) [article, CVE-2020-8835] @@ -194,7 +194,7 @@ Pull requests are welcome. [2019: "CVE-2019-2215 - Android kernel binder vulnerability analysis"](https://xz.aliyun.com/t/6853) [article, CVE-2019-2215] -[2019, Linux Security Summit EU: "Deep Analysis of Exploitable Linux Kernel Vulnerabilities" by Tong Lin and Luhai Chen](https://www.youtube.com/watch?v=MYEAGmP_id4) [video, CVE-2017-16995, CVE-2017-10661] +[2019: "Deep Analysis of Exploitable Linux Kernel Vulnerabilities" by Tong Lin and Luhai Chen at Linux Security Summit EU](https://www.youtube.com/watch?v=MYEAGmP_id4) [video, CVE-2017-16995, CVE-2017-10661] [2019: "Tailoring CVE-2019-2215 to Achieve Root" by Grant Hernandez](https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/) [article, CVE-2019-2215] @@ -222,7 +222,7 @@ Pull requests are welcome. [2018: "A cache invalidation bug in Linux memory management" by Jann Horn](https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html) [article, CVE-2018-17182] -[2018, beVX: "Dissecting a 17-year-old kernel bug" by Vitaly Nikolenko](https://cyseclabs.com/slides/bevx-talk.pdf) [slides, CVE-2018-6554, CVE-2018-6555] +[2018: "Dissecting a 17-year-old kernel bug" by Vitaly Nikolenko at beVX](https://cyseclabs.com/slides/bevx-talk.pdf) [slides, CVE-2018-6554, CVE-2018-6555] [2018: "SSD Advisory – IRDA Linux Driver UAF"](https://blogs.securiteam.com/index.php/archives/3759) [article, CVE-2018-6554, CVE-2018-6555] @@ -278,13 +278,13 @@ Pull requests are welcome. [2016: "CVE-2016-8655 Linux af_packet.c race condition (local root)" by Philip Pettersson](http://seclists.org/oss-sec/2016/q4/607) [announcement, CVE-2016-8655] -[2016, Black Hat: "Rooting Every Android From Extension To Exploitation" by Di Shen and James Fang](https://speakerdeck.com/retme7/rooting-every-android-from-extension-to-exploitation) [slides, CVE-2015-0570, CVE-2016-0820, CVE-2016-2475, CVE-2016-8453] +[2016: "Rooting Every Android From Extension To Exploitation" by Di Shen and James Fang at Black Hat](https://speakerdeck.com/retme7/rooting-every-android-from-extension-to-exploitation) [slides, CVE-2015-0570, CVE-2016-0820, CVE-2016-2475, CVE-2016-8453] [2016: "Talk is Cheap, Show Me the Code" by James Fang, Di Shen and Wen Niu](https://speakerdeck.com/retme7/talk-is-cheap-show-me-the-code) [slides, CVE-2015-1805] [2016: "CVE-2016-3873: Arbitrary Kernel Write in Nexus 9" by Sagi Kedmi](https://sagi.io/2016/09/cve-2016-3873-arbitrary-kernel-write-in-nexus-9/) [article, CVE-2016-3873] -[2016, Project Zero: "Exploiting Recursion in the Linux Kernel" by Jann Horn](https://googleprojectzero.blogspot.de/2016/06/exploiting-recursion-in-linux-kernel_20.html) [article, CVE-2016-1583] +[2016: "Exploiting Recursion in the Linux Kernel" by Jann Horn](https://googleprojectzero.blogspot.de/2016/06/exploiting-recursion-in-linux-kernel_20.html) [article, CVE-2016-1583] [2016: "ANALYSIS AND EXPLOITATION OF A LINUX KERNEL VULNERABILITY (CVE-2016-0728)" By Perception Point Research Team](http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/) [article, CVE-2016-0728] @@ -300,13 +300,11 @@ Pull requests are welcome. [2016: "CVE-2014-2851 group_info UAF Exploitation" by Vitaly Nikolenko](https://cyseclabs.com/page?n=02012016) [article, CVE-2014-2851] -[2016, HITB Ams: "Perf: From Profiling To Kernel Exploiting" by Wish Wu](https://conference.hitb.org/hitbsecconf2016ams/wp-content/uploads/2015/11/D2T2-Wish-Wu-Perf-From-Profiling-to-Kernel-Exploiting.pdf) [slides, CVE-2016-0819] - -[2016, HITB Ams: "Perf: From Profiling To Kernel Exploiting" by Wish Wu](https://www.youtube.com/watch?v=37v14rMtALs) [video, CVE-2016-0819] +[2016: "Perf: From Profiling To Kernel Exploiting" by Wish Wu at HITB Ams](https://conference.hitb.org/hitbsecconf2016ams/wp-content/uploads/2015/11/D2T2-Wish-Wu-Perf-From-Profiling-to-Kernel-Exploiting.pdf) [slides, CVE-2016-0819] [[video](https://www.youtube.com/watch?v=37v14rMtALs)] [2016: "QUADROOTER: NEW VULNERABILITIES AFFECTING OVER 900 MILLION ANDROID DEVICES"](https://www.blackhat.com/docs/eu-16/materials/eu-16-Donenfeld-Stumping-The-Mobile-Chipset-wp.pdf) [article, CVE-2016-2503, CVE-2106-2504, CVE-2016-2059, CVE-2016-5340] -[2016, DEF CON: "STUMPING THE MOBILE CHIPSET: New 0days from down under" by Adam Donenfeld](https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Adam-Donenfeld-Stumping-The-Mobile-Chipset.pdf) [slides, CVE-2016-2503, CVE-2106-2504, CVE-2016-2059, CVE-2016-5340] +[2016: "STUMPING THE MOBILE CHIPSET: New 0days from down under" by Adam Donenfeld at DEF CON](https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Adam-Donenfeld-Stumping-The-Mobile-Chipset.pdf) [slides, CVE-2016-2503, CVE-2106-2504, CVE-2016-2059, CVE-2016-5340] [2015: "Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)" by Gal Beniamini](https://bits-please.blogspot.de/2015/08/android-linux-kernel-privilege.html) [article, CVE-2014-4322] @@ -314,11 +312,11 @@ Pull requests are welcome. [2015: "Follow-up on Exploiting "BadIRET" vulnerability (CVE-2014-9322)" by Adam Zabrocki](http://blog.pi3.com.pl/?p=509) [article, CVE-2014-9322] -[2015, Black Hat: "Ah! Universal Android Rooting Is Back" by Wen Xu](https://www.blackhat.com/docs/us-15/materials/us-15-Xu-Ah-Universal-Android-Rooting-Is-Back.pdf) [slides, CVE-2015-3636] [[video](https://www.youtube.com/watch?v=HVP1c7Ct1nM)] [[paper](https://www.blackhat.com/docs/us-15/materials/us-15-Xu-Ah-Universal-Android-Rooting-Is-Back-wp.pdf)] +[2015: "Ah! Universal Android Rooting Is Back" by Wen Xu at Black Hat](https://www.blackhat.com/docs/us-15/materials/us-15-Xu-Ah-Universal-Android-Rooting-Is-Back.pdf) [slides, CVE-2015-3636] [[video](https://www.youtube.com/watch?v=HVP1c7Ct1nM)] [[paper](https://www.blackhat.com/docs/us-15/materials/us-15-Xu-Ah-Universal-Android-Rooting-Is-Back-wp.pdf)] [2015: "When is something overflowing" by Keen Team](https://www.slideshare.net/PeterHlavaty/overflow-48573748) [slides] -[2015, Project Zero: "Exploiting the DRAM rowhammer bug to gain kernel privileges" by Mark Seaborn and Thomas Dullien](https://googleprojectzero.blogspot.de/2015/03/exploiting-dram-rowhammer-bug-to-gain.html) [article, rowhammer] +[2015: "Exploiting the DRAM rowhammer bug to gain kernel privileges" by Mark Seaborn and Thomas Dullien](https://googleprojectzero.blogspot.de/2015/03/exploiting-dram-rowhammer-bug-to-gain.html) [article, rowhammer] [2015: "CVE-2014-4943 - PPPoL2TP DoS Analysis" by Vitaly Nikolenko](https://cyseclabs.com/page?n=01102015) [article, CVE-2014-4943] @@ -342,7 +340,7 @@ Pull requests are welcome. [2012: "Linux Local Privilege Escalation via SUID /proc/pid/mem Write" by Jason Donenfeld](https://git.zx2c4.com/CVE-2012-0056/about/) [article, CVE-2012-0056] -[2011, DEF CON 19: "Kernel Exploitation Via Uninitialized Stack" by Kees Cook](https://www.defcon.org/images/defcon-19/dc-19-presentations/Cook/DEFCON-19-Cook-Kernel-Exploitation.pdf) [slides, CVE-2010-2963] [[video](https://www.youtube.com/watch?v=jg-wnwnkbsy)] +[2011: "Kernel Exploitation Via Uninitialized Stack" by Kees Cook at DEF CON](https://www.defcon.org/images/defcon-19/dc-19-presentations/Cook/DEFCON-19-Cook-Kernel-Exploitation.pdf) [slides, CVE-2010-2963] [[video](https://www.youtube.com/watch?v=jg-wnwnkbsy)] [2010: "CVE-2010-2963 v4l compat exploit" by Kees Cook](https://outflux.net/blog/archives/2010/10/19/cve-2010-2963-v4l-compat-exploit/) [article, CVE-2010-2963] @@ -385,7 +383,7 @@ Pull requests are welcome. [2016: "CVE Publication: CVE 2016-8633" by Eyal Itkin](https://eyalitkin.wordpress.com/2016/11/06/cve-publication-cve-2016-8633/) [article, CVE-2016-8633] -[2011, DEF CON 19: "Owned Over Amateur Radio: Remote Kernel Exploitation in 2011"](http://cs.dartmouth.edu/~sergey/cs258/2012/Dan-Rosenberg-lecture.pdf) [slides, CVE-2011-1493] [[video](https://www.youtube.com/watch?v=kBjD0HITQZA)] +[2011: "Owned Over Amateur Radio: Remote Kernel Exploitation in 2011" at DEF CON](http://cs.dartmouth.edu/~sergey/cs258/2012/Dan-Rosenberg-lecture.pdf) [slides, CVE-2011-1493] [[video](https://www.youtube.com/watch?v=kBjD0HITQZA)] [2009: "When a "potential D.o.S." means a one-shot remote kernel exploit: the SCTP story"](https://kernelbof.blogspot.de/2009/04/kernel-memory-corruptions-are-not-just.html) [article, CVE-2009-0065] @@ -429,29 +427,29 @@ Pull requests are welcome. [2020: "PAN: Another day, another broken mitigation" by Siguza](https://siguza.github.io/PAN/) [article] -[2019, POC: "KNOX Kernel Mitigation Bypasses" by Dong-Hoon You](http://powerofcommunity.net/poc2019/x82.pdf) [slides] +[2019: "KNOX Kernel Mitigation Bypasses" by Dong-Hoon You at PoC](http://powerofcommunity.net/poc2019/x82.pdf) [slides] [2017: "Lifting the (Hyper) Visor: Bypassing Samsung’s Real-Time Kernel Protection" by Gal Beniamini](https://googleprojectzero.blogspot.com/2017/02/lifting-hyper-visor-bypassing-samsungs.html) [article] [2016: "Linux Kernel x86-64 bypass SMEP - KASLR - kptr_restric"](https://web.archive.org/web/20171029060939/http://www.blackbunny.io/linux-kernel-x86-64-bypass-smep-kaslr-kptr_restric/) [article] -[2016, KIWICON: "Practical SMEP bypass techniques on Linux" by Vitaly Nikolenko](https://cyseclabs.com/slides/smep_bypass.pdf) [slides] +[2016: "Practical SMEP bypass techniques on Linux" by Vitaly Nikolenko at KIWICON](https://cyseclabs.com/slides/smep_bypass.pdf) [slides] [2016: "Micro architecture attacks on KASLR" by Anders Fogh"](https://cyber.wtf/2016/10/25/micro-architecture-attacks-on-kasrl/) [article] [2016: "Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR" by Dmitry Evtyushkin, Dmitry Ponomarev and Nael Abu-Ghazaleh](http://www.cs.ucr.edu/~nael/pubs/micro16.pdf) [slides] -[2016, CCS: "Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR" by Daniel Gruss, Clementine Maurice, Anders Fogh, Moritz Lipp and Stefan Mangard](https://www.youtube.com/watch?v=TJTQbs3oJx8) [video] +[2016: "Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR" by Daniel Gruss, Clementine Maurice, Anders Fogh, Moritz Lipp and Stefan Mangard at CCS](https://www.youtube.com/watch?v=TJTQbs3oJx8) [video] -[2016, Black Hat USA: "Using Undocumented CPU Behavior to See Into Kernel Mode and Break KASLR in the Process"](https://www.youtube.com/watch?v=T3kmq2NLpH4) [video] +[2016: "Using Undocumented CPU Behavior to See Into Kernel Mode and Break KASLR in the Process" at Black Hat](https://www.youtube.com/watch?v=T3kmq2NLpH4) [video] -[2016, Black Hat USA: "Breaking KASLR with Intel TSX" Yeongjin Jang, Sangho Lee and Taesoo Kim](https://www.blackhat.com/docs/us-16/materials/us-16-Jang-Breaking-Kernel-Address-Space-Layout-Randomization-KASLR-With-Intel-TSX.pdf) [slides] [[video](https://www.youtube.com/watch?v=rtuXG28g0CU)] +[2016: "Breaking KASLR with Intel TSX" Yeongjin Jang, Sangho Lee and Taesoo Kim at Black Hat](https://www.blackhat.com/docs/us-16/materials/us-16-Jang-Breaking-Kernel-Address-Space-Layout-Randomization-KASLR-With-Intel-TSX.pdf) [slides] [[video](https://www.youtube.com/watch?v=rtuXG28g0CU)] [2016: "Breaking KASLR with micro architecture" by Anders Fogh](https://dreamsofastone.blogspot.ru/2016/02/breaking-kasrl-with-micro-architecture.html) [article] [2015: "Effectively bypassing kptr_restrict on Android" by Gal Beniamini](https://bits-please.blogspot.de/2015/08/effectively-bypassing-kptrrestrict-on.html) [article] -[2014, Black Hat Europe: "ret2dir: Deconstructing Kernel Isolation" by Vasileios P. Kemerlis, Michalis Polychronakis, Angelos D. Keromytis](https://www.blackhat.com/docs/eu-14/materials/eu-14-Kemerlis-Ret2dir-Deconstructing-Kernel-Isolation-wp.pdf) [paper] [[video](https://www.youtube.com/watch?v=kot-EQ9zf9k)] +[2014: "ret2dir: Deconstructing Kernel Isolation" by Vasileios P. Kemerlis, Michalis Polychronakis and Angelos D. Keromytis at Black Hat Europe](https://www.blackhat.com/docs/eu-14/materials/eu-14-Kemerlis-Ret2dir-Deconstructing-Kernel-Isolation-wp.pdf) [paper] [[video](https://www.youtube.com/watch?v=kot-EQ9zf9k)] [2013: "A Linux Memory Trick" by Dan Rosenberg](http://vulnfactory.org/blog/2013/02/06/a-linux-memory-trick/) [article] @@ -464,21 +462,21 @@ Pull requests are welcome. [2020: "State of Linux kernel security" by Dmitry Vyukov](https://github.com/ossf/wg-securing-critical-projects/blob/main/presentations/The_state_of_the_Linux_kernel_security.pdf) [slides] [[video](https://www.youtube.com/watch?v=PGwFyzh2KTA&t=1233)] -[2020, OSTconf: "LKRG IN A NUTSHELL" by Adam Zabrocki](https://www.openwall.com/presentations/OSTconf2020-LKRG-In-A-Nutshell/OSTconf2020-LKRG-In-A-Nutshell.pdf) [slides] +[2020: "LKRG IN A NUTSHELL" by Adam Zabrocki at OSTconf](https://www.openwall.com/presentations/OSTconf2020-LKRG-In-A-Nutshell/OSTconf2020-LKRG-In-A-Nutshell.pdf) [slides] -[2020, Linux Plumbers: "syzkaller / sanitizers: status update" by Dmitry Vyukov](https://linuxplumbersconf.org/event/7/contributions/716/attachments/645/1181/syzkaller_LPC2020.pdf) [slides] [[video](https://www.youtube.com/watch?v=y9Glc90WUN0&t=234)] +[2020: "syzkaller / sanitizers: status update" by Dmitry Vyukov at Linux Plumbers](https://linuxplumbersconf.org/event/7/contributions/716/attachments/645/1181/syzkaller_LPC2020.pdf) [slides] [[video](https://www.youtube.com/watch?v=y9Glc90WUN0&t=234)] -[2020, Linux Plumbers: "Following the Linux Kernel Defence Map" by Alexander Popov](https://linuxplumbersconf.org/event/7/contributions/775/attachments/610/1096/Following_the_Linux_Kernel_Defence_Map.pdf) [slides] [[video](https://www.youtube.com/watch?v=4c01jjbQmBc&t=8555)] +[2020: "Following the Linux Kernel Defence Map" by Alexander Popov at Linux Plumbers](https://linuxplumbersconf.org/event/7/contributions/775/attachments/610/1096/Following_the_Linux_Kernel_Defence_Map.pdf) [slides] [[video](https://www.youtube.com/watch?v=4c01jjbQmBc&t=8555)] [2020: "Memory Tagging for the Kernel: Tag-Based KASAN" by Andrey Konovalov](https://docs.google.com/presentation/d/10V_msbtEap9dNerKvTrRAzvfzYdrQFC8e2NYHCZYJDE/edit?usp=sharing) [slides] [[video](https://www.youtube.com/watch?v=f-Rm7JFsJGI)] [2020: "10 Years of Linux Security - A Report Card" by Bradley Spengler](https://grsecurity.net/10_years_of_linux_security.pdf) [slides] [[video](https://www.youtube.com/watch?v=F_Kza6fdkSU)] -[2020, linux.conf.au: "Control Flow Integrity in the Linux Kernel" by Kees Cook](https://outflux.net/slides/2020/lca/cfi.pdf) [slides] [[video](https://www.youtube.com/watch?v=0Bj6W7qrOOI)] +[2020: "Control Flow Integrity in the Linux Kernel" by Kees Cook at linux.conf.au](https://outflux.net/slides/2020/lca/cfi.pdf) [slides] [[video](https://www.youtube.com/watch?v=0Bj6W7qrOOI)] [2019: "Camouflage: Hardware-assisted CFI for the ARM Linux kernel"](https://arxiv.org/pdf/1912.04145v1.pdf) [paper] -[2019, Linux Security Summit EU: "A New Proposal for Protecting Kernel Data Memory" by Igor Stoppa](https://www.youtube.com/watch?v=nPH2sQAD6RY) [video] +[2019: "A New Proposal for Protecting Kernel Data Memory" by Igor Stoppa at Linux Security Summit EU](https://www.youtube.com/watch?v=nPH2sQAD6RY) [video] [2019: "security things in Linux vX.X" by Kees Cook](https://outflux.net/blog/archives/2020/09/21/security-things-in-linux-v5-7/) [articles] @@ -500,23 +498,23 @@ Pull requests are welcome. [2018: "Overview and Recent Developments: Kernel Self-Protection Project" by Kees Cook](https://outflux.net/slides/2018/lss-eu/kspp.pdf) [slides] -[2018, beVX: "The Last Man Standing: The Only Practical, Lightweight and Hypervisor-Based Kernel Protector Struggling with the Real World Alone" by Seunghun Han](https://github.com/kkamagui/papers/blob/master/bevx-2018/presentation.pdf) [video] +[2018: "The Last Man Standing: The Only Practical, Lightweight and Hypervisor-Based Kernel Protector Struggling with the Real World Alone" by Seunghun Han at beVX](https://github.com/kkamagui/papers/blob/master/bevx-2018/presentation.pdf) [video] -[2018, CONFidence: "Linux Kernel Runtime Guard (LKRG) under the hood" by Adam "pi3" Zabrocki](https://www.openwall.com/presentations/CONFidence2018-LKRG-Under-The-Hood/CONFidence2018-LKRG-Under-The-Hood.pdf) [slides, [video](https://www.youtube.com/watch?v=tOiPM692DOM)] +[2018: "Linux Kernel Runtime Guard (LKRG) under the hood" by Adam Zabrocki at CONFidence](https://www.openwall.com/presentations/CONFidence2018-LKRG-Under-The-Hood/CONFidence2018-LKRG-Under-The-Hood.pdf) [slides, [video](https://www.youtube.com/watch?v=tOiPM692DOM)] [2018: "GuardION: Practical Mitigation of DMA-based Rowhammer Attacks on ARM"](https://vvdveen.com/publications/dimva2018.pdf) [paper] -[2018, BlackHat: "kR^X: Comprehensive Kernel Protection Against Just-In-Time Code Reuse"](https://www.youtube.com/watch?v=L-3eCmZ8s3A) [video] +[2018: "kR^X: Comprehensive Kernel Protection Against Just-In-Time Code Reuse" at BlackHat](https://www.youtube.com/watch?v=L-3eCmZ8s3A) [video] [2018: "KASR: A Reliable and Practical Approach to Attack Surface Reduction of Commodity OS Kernels"](https://arxiv.org/pdf/1802.07062.pdf) [paper] -[2018, Linux Conf AU: "The State of Kernel Self Protection" by Kees Cook](https://outflux.net/slides/2018/lca/kspp.pdf) [slides] +[2018: "The State of Kernel Self Protection" by Kees Cook at Linux Conf AU](https://outflux.net/slides/2018/lca/kspp.pdf) [slides] [2017: "kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse"](https://cs.brown.edu/~vpk/papers/krx.eurosys17.pdf) [paper] -[2017, Linux Piter: "How STACKLEAK improves Linux kernel security" by Alexander Popov](https://linuxpiter.com/system/attachments/files/000/001/376/original/Alexander_Popov_LinuxPiter2017.pdf) [slides] +[2017: "How STACKLEAK improves Linux kernel security" by Alexander Popov at Linux Piter](https://linuxpiter.com/system/attachments/files/000/001/376/original/Alexander_Popov_LinuxPiter2017.pdf) [slides] -[2017, HitB: "Shadow-Box: The Practical and Omnipotent Sandbox" by Seunghun Han](http://conference.hitb.org/hitbsecconf2017ams/materials/D1T2%20-%20Seunghun%20Han%20-%20Shadow-Box%20-%20The%20Practical%20and%20Omnipotent%20Sandbox.pdf) [slides] +[2017: "Shadow-Box: The Practical and Omnipotent Sandbox" by Seunghun Han at HitB](http://conference.hitb.org/hitbsecconf2017ams/materials/D1T2%20-%20Seunghun%20Han%20-%20Shadow-Box%20-%20The%20Practical%20and%20Omnipotent%20Sandbox.pdf) [slides] [2017: "Towards Linux Kernel Memory Safety"](https://arxiv.org/pdf/1710.06175.pdf) [paper] @@ -550,7 +548,7 @@ Pull requests are welcome. [2011: "Linux kernel vulnerabilities: State-of-the-art defenses and open problems"](https://pdos.csail.mit.edu/papers/chen-kbugs.pdf) [paper] -[2009, Phrack: "Linux Kernel Heap Tampering Detection" by Larry Highsmith](http://phrack.org/archives/issues/66/15.txt) [article] +[2009: "Linux Kernel Heap Tampering Detection" by Larry Highsmith](http://phrack.org/archives/issues/66/15.txt) [article] ## Vulnerability Discovery @@ -563,7 +561,7 @@ Pull requests are welcome. [2020: "Fuzzing the Linux kernel (x86) entry code, Part 3 of 3" by Vegard Nossum](https://blogs.oracle.com/linux/fuzzing-the-linux-kernel-x86-entry-code%2c-part-3-of-3) [article] -[2020, Linux Plumbers: "Data-race detection in the Linux kernel" by Marco Elver](https://linuxplumbersconf.org/event/7/contributions/647/attachments/549/972/LPC2020-KCSAN.pdf) [slides] [[video](https://www.youtube.com/watch?v=gJRBmunG47w&t=7141)] +[2020: "Data-race detection in the Linux kernel" by Marco Elver at Linux Plumbers](https://linuxplumbersconf.org/event/7/contributions/647/attachments/549/972/LPC2020-KCSAN.pdf) [slides] [[video](https://www.youtube.com/watch?v=gJRBmunG47w&t=7141)] [2020: "harbian-qa: State-based target directed fuzzer based on syzkaller"](https://github.com/hardenedlinux/harbian-qa/blob/master/syzkaller/design_inplementation_intro.md) [article] @@ -619,27 +617,27 @@ Marek Majkowski](https://blog.cloudflare.com/a-gentle-introduction-to-linux-kern [2018: "Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking" by Mateusz Jurczyk](https://j00ru.vexillium.org/papers/2018/bochspwn_reloaded.pdf) [paper] -[2018, BlackHat: "New Compat Vulnerabilities In Linux Device Drivers"](https://www.blackhat.com/docs/asia-18/asia-18-Ding-New-Compat-Vulnerabilities-In-Linux-Device-Drivers.pdf) [slides] +[2018: "New Compat Vulnerabilities In Linux Device Drivers" at BlackHat](https://www.blackhat.com/docs/asia-18/asia-18-Ding-New-Compat-Vulnerabilities-In-Linux-Device-Drivers.pdf) [slides] [2018: "Precise and Scalable Detection of Double-Fetch Bugs in OS Kernels"](http://www-users.cs.umn.edu/~kjlu/papers/deadline.pdf) [paper] -[2018, OffensiveCon: "Concolic Testing for Kernel Fuzzing and Vulnerability Discovery" by Vitaly Nikolenko](https://www.youtube.com/watch?v=mpfKN1URqdQ) [video] +[2018: "Concolic Testing for Kernel Fuzzing and Vulnerability Discovery" by Vitaly Nikolenko at OffensiveCon](https://www.youtube.com/watch?v=mpfKN1URqdQ) [video] [2017: "KernelMemorySanitizer (KMSAN)" by Alexander Potapenko](https://blog.linuxplumbersconf.org/2017/ocw/system/presentations/4825/original/KMSAN%20presentation%20for%20LPC%202017.pdf) [slides] [2017: "The android vulnerability discovery in SoC" by Yu Pan and Yang Dai](http://powerofcommunity.net/poc2017/yu.pdf) [slides] -[2017, Black Hat USA: "Evolutionary Kernel Fuzzing" by Richard Johnson](https://moflow.org/Presentations/Evolutionary%20Kernel%20Fuzzing-BH2017-rjohnson-FINAL.pdf) [slides] +[2017: "Evolutionary Kernel Fuzzing" by Richard Johnson at Black Hat USA](https://moflow.org/Presentations/Evolutionary%20Kernel%20Fuzzing-BH2017-rjohnson-FINAL.pdf) [slides] [2017: "DIFUZE: Interface Aware Fuzzing for Kernel Drivers"](https://www.blackhat.com/docs/eu-17/materials/eu-17-Corina-Difuzzing-Android-Kernel-Drivers.pdf) [slides] [[paper](https://www.blackhat.com/docs/eu-17/materials/eu-17-Corina-Difuzzing-Android-Kernel-Drivers-wp.pdf)] -[2017, CCS: "SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits"](https://acmccs.github.io/papers/p2139-youA.pdf) [paper] +[2017: "SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits" at CCS](https://acmccs.github.io/papers/p2139-youA.pdf) [paper] -[2017, USENIX: "kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels"](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-schumilo.pdf) [paper] +[2017: "kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels" at USENIX](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-schumilo.pdf) [paper] -[2017, USENIX: "How Double-Fetch Situations turn into DoubleFetch Vulnerabilities: A Study of Double Fetches in the Linux Kernel"](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-wang.pdf) [paper] +[2017: "How Double-Fetch Situations turn into DoubleFetch Vulnerabilities: A Study of Double Fetches in the Linux Kernel" at USENIX](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-wang.pdf) [paper] -[2017, USENIX: "DR. CHECKER: A Soundy Analysis for Linux Kernel Drivers"](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-machiry.pdf) [paper] +[2017: "DR. CHECKER: A Soundy Analysis for Linux Kernel Drivers" at USENIX](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-machiry.pdf) [paper] [2016: "Using Static Checking To Find Security Vulnerabilities In The Linux Kernel" by Vaishali Thakkar](http://events17.linuxfoundation.org/sites/events/files/slides/Using%20static%20checking%20to%20find%20security%20vulnerabilities%20in%20the%20Linux%20Kernel.pdf) [slides] @@ -647,25 +645,25 @@ Marek Majkowski](https://blog.cloudflare.com/a-gentle-introduction-to-linux-kern [2016: "An Analysis on the Impact and Detection of Kernel Stack Infoleaks"](https://www.researchgate.net/publication/298313650_An_Analysis_on_the_Impact_and_Detection_of_Kernel_Stack_Infoleaks) [paper] -[2016, Linux Plumbers: "Syzkaller, Future Developement" by Dmitry Vyukov](https://docs.google.com/presentation/d/1iAuTvzt_xvDzS2misXwlYko_VDvpvCmDevMOq2rXIcA/edit#slide=id.p) [slides] +[2016: "Syzkaller, Future Developement" by Dmitry Vyukov at Linux Plumbers](https://docs.google.com/presentation/d/1iAuTvzt_xvDzS2misXwlYko_VDvpvCmDevMOq2rXIcA/edit#slide=id.p) [slides] [2016: "Coverage-guided kernel fuzzing with syzkaller"](https://lwn.net/Articles/677764/) [article] [2016: "Filesystem Fuzzing with American Fuzzy Lop" by Vegard Nossum and Quentin Casasnovas](https://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf) [slides] -[2016, ToorCon: "Project Triforce: AFL + QEMU + kernel = CVEs! (or) How to use AFL to fuzz arbitrary VMs"](https://github.com/nccgroup/TriforceAFL/blob/master/slides/ToorCon16_TriforceAFL.pdf) [slides] +[2016: "Project Triforce: AFL + QEMU + kernel = CVEs! (or) How to use AFL to fuzz arbitrary VMs" at ToorCon](https://github.com/nccgroup/TriforceAFL/blob/master/slides/ToorCon16_TriforceAFL.pdf) [slides] -[2015, LinuxCon North America: "KernelAddressSanitizer (KASan): a fast memory error detector for the Linux kernel" by Andrey Konovalov](http://events.linuxfoundation.org/sites/events/files/slides/LinuxCon%20North%20America%202015%20KernelAddressSanitizer.pdf) [slides] +[2015: "KernelAddressSanitizer (KASan): a fast memory error detector for the Linux kernel" by Andrey Konovalov at LinuxCon North America](http://events.linuxfoundation.org/sites/events/files/slides/LinuxCon%20North%20America%202015%20KernelAddressSanitizer.pdf) [slides] -[2015, DEF CON 23: "Introduction to USB and Fuzzing" by Matt DuHarte](https://www.youtube.com/watch?v=KWOTXypBt4E) [video] +[2015: "Introduction to USB and Fuzzing" by Matt DuHarte at DEF CON](https://www.youtube.com/watch?v=KWOTXypBt4E) [video] -[2015, Black Hat: "Don't Trust Your USB! How to Find Bugs in USB Device Drivers" by Sergej Schumilo, Ralf Spenneberg, and Hendrik Schwartke](https://www.youtube.com/watch?v=OAbzN8k6Am4) [video] +[2015: "Don't Trust Your USB! How to Find Bugs in USB Device Drivers" by Sergej Schumilo, Ralf Spenneberg, and Hendrik Schwartke at Black Hat](https://www.youtube.com/watch?v=OAbzN8k6Am4) [video] [2012: "Comprehensive Kernel Instrumentation via Dynamic Binary Translation"](http://www.cs.toronto.edu/~peter/feiner_asplos_2012.pdf) [paper] [2010: "Automatic Bug-finding Techniques for Linux Kernel" by Jiri Slaby](https://www.fi.muni.cz/~xslaby/sklad/teze.pdf) [paper] -[2009, DEF CON 11: "Opensource Kernel Auditing and Exploitation" by Silvio Cesare](https://www.youtube.com/watch?v=sNh2TD6Tf9Q&feature=youtu.be) [video] +[2009: "Opensource Kernel Auditing and Exploitation" by Silvio Cesare at DEF CON](https://www.youtube.com/watch?v=sNh2TD6Tf9Q&feature=youtu.be) [video] ## Fuzzers -- cgit v1.3