From 01cbfb0259142da12cd83f407ae5f0f6abdfc74b Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Sun, 30 Aug 2020 16:51:04 +0200 Subject: Summer updates --- README.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) (limited to 'README.md') diff --git a/README.md b/README.md index 111a091..48a2c52 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,8 @@ Pull requests are welcome. ## Exploitation Techniques +[2020: "Structures that can be used with Kernel Exploit"](https://ptr-yudai.hatenablog.com/entry/2020/03/16/165628) [article] + [2020: "Linux Kernel Stack Smashing" by Silvio Cesare](https://blog.infosectcbr.com.au/2020/02/linux-kernel-stack-smashing.html?m=1) [article] [2020: "Structures that can be used in kernel exploits"](https://ptr-yudai.hatenablog.com/entry/2020/03/16/165628) [article] @@ -159,6 +161,8 @@ Pull requests are welcome. ### LPE +[2020, Black Hat USA: "TiYunZong: An Exploit Chain to Remotely Root Modern Android Devices" by Guang Gong](https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices.pdf) [slides, CVE-2019-10567] [[paper](https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices-wp.pdf)] + [2020: "Binder - Analysis and exploitation of CVE-2020-0041" by Jean-Baptiste Cayrou](https://www.synacktiv.com/posts/exploit/binder-analysis-and-exploitation-of-cve-2020-0041.html) [article, CVE-2020-0041] [2020, THCON: "Binder IPC and its vulnerabilities" by Jean-Baptiste Cayrou](https://www.synacktiv.com/ressources/thcon2020_binder.pdf) [slides, CVE-2019-2215, CVE-2019-2025, CVE-2019-2181, CVE-2019-2214, CVE-2020-0041] @@ -414,6 +418,10 @@ Pull requests are welcome. ## Protection Bypass Techniques +[2020: "SELinux RKP misconfiguration on Samsung S20 devices" by Vitaly Nikolenko](https://duasynt.com/blog/samsung-s20-rkp-selinux-disable) [article] + +[2020: "TagBleed: Breaking KASLR on the Isolated Kernel Address Space using Tagged TLBs"](https://download.vusec.net/papers/tagbleed_eurosp20.pdf) [paper] + [2020: "Weaknesses in Linux Kernel Heap Hardening" by Silvio Cesare](https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html) [article] [2020: "An Analysis of Linux Kernel Heap Hardening" by Silvio Cesare](https://blog.infosectcbr.com.au/2020/04/an-analysis-of-linux-kernel-heap.html) [article] @@ -457,6 +465,16 @@ Pull requests are welcome. ## Defensive +[2020, OSTconf: "LKRG IN A NUTSHELL" by Adam Zabrocki](https://www.openwall.com/presentations/OSTconf2020-LKRG-In-A-Nutshell/OSTconf2020-LKRG-In-A-Nutshell.pdf) [slides] + +[2020, Linux Plumbers: "syzkaller / sanitizers: status update" by Dmitry Vyukov](https://linuxplumbersconf.org/event/7/contributions/716/attachments/645/1181/syzkaller_LPC2020.pdf) [slides] [[video](https://www.youtube.com/watch?v=y9Glc90WUN0&t=234)] + +[2020, Linux Plumbers: "Following the Linux Kernel Defence Map" by Alexander Popov](https://linuxplumbersconf.org/event/7/contributions/775/attachments/610/1096/Following_the_Linux_Kernel_Defence_Map.pdf) [slides] [[video](https://www.youtube.com/watch?v=4c01jjbQmBc&t=8555)] + +[2020: "Memory Tagging for the Kernel: Tag-Based KASAN" by Andrey Konovalov](https://docs.google.com/presentation/d/10V_msbtEap9dNerKvTrRAzvfzYdrQFC8e2NYHCZYJDE/edit?usp=sharing) [slides] [[video](https://www.youtube.com/watch?v=f-Rm7JFsJGI)] + +[2020: "10 Years of Linux Security - A Report Card" by Bradley Spengler](https://grsecurity.net/10_years_of_linux_security.pdf) [slides] [[video](https://www.youtube.com/watch?v=F_Kza6fdkSU)] + [2020, linux.conf.au: "Control Flow Integrity in the Linux Kernel" by Kees Cook](https://outflux.net/slides/2020/lca/cfi.pdf) [slides] [[video](https://www.youtube.com/watch?v=0Bj6W7qrOOI)] [2019: "Camouflage: Hardware-assisted CFI for the ARM Linux kernel"](https://arxiv.org/pdf/1912.04145v1.pdf) [paper] @@ -538,6 +556,26 @@ Pull requests are welcome. ## Vulnerability Discovery +[2020: "Fuzzing the Linux kernel (x86) entry code, Part 1 of 3" by Vegard Nossum](https://blogs.oracle.com/linux/fuzzing-the-linux-kernel-x86-entry-code%2c-part-1-of-3) [article] + +[2020: "Fuzzing the Linux kernel (x86) entry code, Part 2 of 3" by Vegard Nossum](https://blogs.oracle.com/linux/fuzzing-the-linux-kernel-x86-entry-code%2c-part-2-of-3) [article] + +[2020: "Fuzzing the Linux kernel (x86) entry code, Part 3 of 3" by Vegard Nossum](https://blogs.oracle.com/linux/fuzzing-the-linux-kernel-x86-entry-code%2c-part-3-of-3) [article] + +[2020, Linux Plumbers: "Data-race detection in the Linux kernel" by Marco Elver](https://linuxplumbersconf.org/event/7/contributions/647/attachments/549/972/LPC2020-KCSAN.pdf) [slides] [[video](https://www.youtube.com/watch?v=gJRBmunG47w&t=7141)] + +[2020: "harbian-qa: State-based target directed fuzzer based on syzkaller"](https://github.com/hardenedlinux/harbian-qa/blob/master/syzkaller/design_inplementation_intro.md) [article] + +[2020: "Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints"](https://www.usenix.org/system/files/sec20-song.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec20_slides_song.pdf)] + +[2020: "Using syzkaller, part 1: Fuzzing the Linux kernel" by Andre Almeida](https://www.collabora.com/news-and-blog/blog/2020/03/26/syzkaller-fuzzing-the-kernel/) [article] + +[2020: "Using syzkaller, part 2: Detecting programming bugs in the Linux kernel" by Andre Almeida](https://www.collabora.com/news-and-blog/blog/2020/04/17/using-syzkaller-to-detect-programming-bugs-in-linux/) [article] + +[2020: "Using syzkaller, part 3: Fuzzing your changes" by Andre Almeida](https://www.collabora.com/news-and-blog/blog/2020/05/12/using-syzkaller-fuzzing-your-changes/) [article] + +[2020: "Using syzkaller, part 4: Driver fuzzing" by Andre Almeida](https://www.collabora.com/news-and-blog/blog/2020/06/26/using-syzkaller-part-4-driver-fuzzing/) [article] + [2020: "HFL: Hybrid Fuzzing on the Linux Kernel"](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24018.pdf) [paper] [2020: "Effective Detection of Sleep-in-atomic-context Bugs in the Linux Kernel"](https://dl.acm.org/doi/pdf/10.1145/3381990) [paper] @@ -552,6 +590,8 @@ Pull requests are welcome. [2020: "Analyzing the Linux Kernel in Userland with AFL and KLEE"](https://blog.grimm-co.com/post/analyzing-the-linux-kernel-in-userland-with-afl-and-klee/) [article] +[2019: "Industry Practice of Coverage-Guided Enterprise Linux Kernel Fuzzing"](http://wingtecher.com/themes/WingTecherResearch/assets/papers/fse19-linux-kernel.pdf) [paper] + [2019: "Effective Static Analysis of Concurrency Use-After-Free Bugs in Linux Device Drivers"](https://hal.inria.fr/hal-02182516/document) [paper] [2019: "A gentle introduction to Linux Kernel fuzzing" by @@ -735,6 +775,8 @@ https://github.com/bluefrostsecurity/CVE-2020-0041/ https://github.com/chompie1337/s8_2019_2215_poc/ +https://github.com/c3r34lk1ll3r/CVE-2017-5123 + ## Tools @@ -774,6 +816,10 @@ https://github.com/mephi42/ida-kallsyms/ [[ KASLD ] Kernel Address Space Layout Derandomization](https://github.com/bcoles/kasld) +https://github.com/IntelLabs/kAFL/ + +https://github.com/securesystemslab/agamotto + ## CTF Tasks CSAW CTF 2010: [writeup](https://jon.oberheide.org/blog/2010/11/02/csaw-ctf-kernel-exploitation-challenge/), [source](https://jon.oberheide.org/files/csaw.c), [source and exploit](https://github.com/0x3f97/pwn/tree/master/kernel/csaw-ctf-2010-kernel-exploitation-challenge) @@ -838,6 +884,8 @@ DEF CON CTF Qualifier 2020 (keml): [source](https://github.com/o-o-overflow/dc20 DEF CON CTF Qualifier 2020 (fungez): [source](https://github.com/o-o-overflow/dc2020q-fungez-public), [exploit and writeup](https://github.com/BrieflyX/ctf-pwns/tree/master/kernel/fungez) +ASIS CTF 2020 (Shared House): [writeup](https://ptr-yudai.hatenablog.com/entry/2020/07/06/000622#354pts-Shared-House-7-solves) + ## Misc -- cgit v1.3