From 3e74a5ab4f2ffc560f4c1856b7f604ce84f6ae5c Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Fri, 1 Mar 2024 19:53:18 +0100 Subject: January/February updates --- README.md | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 84da56f..ce1fb3d 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,14 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Exploitation +[2024: "K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel"](https://www.ndss-symposium.org/wp-content/uploads/2024-935-paper.pdf) [paper] + +[2024: "Beyond Control: Exploring Novel File System Objects for Data-Only Attacks on Linux Systems"](https://arxiv.org/pdf/2401.17618.pdf) [paper] + +[2023: "No Tux Given: Diving Into Contemporary Linux Kernel Exploitation" by sam4k](https://sam4k.com/content/files/2024/01/no_tux_given.pdf) [slides] + +[2023: "Linux Kernel Exploitation series" by santaclz](https://santaclz.github.io/2023/11/03/Linux-Kernel-Exploitation-Getting-started-and-BOF.html) [article] [[part2](https://santaclz.github.io/2024/01/20/Linux-Kernel-Exploitation-Heap-techniques.html)] [[part 3](https://santaclz.github.io/2024/01/29/Linux-Kernel-Exploitation-exploiting-race-condition-and-UAF.html)] + [2023: "RetSpill: Igniting User-Controlled Data to Burn Away Linux Kernel Protections"](https://kylebot.net/papers/retspill.pdf) [paper] [2023: "Understanding Dirty Pagetable - m0leCon Finals 2023 CTF Writeup"](https://ptr-yudai.hatenablog.com/entry/2023/12/08/093606) [article] 
@@ -384,7 +392,9 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### LPE -[2023: "Conquering the memory through io_uring - Analysis of CVE-2023-2598"](https://anatomic.rip/cve-2023-2598/) [article] [CVE-2023-2598] +[2023: "Linux Kernel GSM Multiplexing Race Condition Local Privilege Escalation Vulnerability (CVE-2023-6546)" by Nassim Asrir](https://github.com/Nassim-Asrir/ZDI-24-020/) [CVE-2023-6546] + +[2023: "Conquering the memory through io_uring - Analysis of CVE-2023-2598"](https://anatomic.rip/cve-2023-2598/) [article] [[exploit](https://github.com/ysanatomic/io_uring_LPE-CVE-2023-2598)] [CVE-2023-2598] [2023: "Conquering a Use-After-Free in nf_tables: Detailed Analysis and Exploitation of CVE-2022-32250" by Yordan Stoychev](https://anatomic.rip/cve-2022-32250/) [article] [CVE-2022-32250] @@ -846,6 +856,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Other +[2024: "PowerVR GPU - GPU Firmware may overwrite arbitrary kernel pages by RGXCreateFreeList"](https://bugs.chromium.org/p/apvi/issues/detail?id=140) [report] + +[2024: "PowerVR GPU - UAF race conditon by DevmemIntPFNotify and DevmemIntCtxRelease"](https://bugs.chromium.org/p/apvi/issues/detail?id=141) [report] + [2023: "Ubuntu Shiftfs: Unbalanced Unlock Exploitation Attempt" by Jean-Baptiste Cayrou](https://www.synacktiv.com/sites/default/files/2023-11/ubuntu_shiftfs.pdf) [slides] [CVE-2023-2612] [2023: "Attacking NPUs of Multiple Platforms"](https://i.blackhat.com/EU-23/Presentations/EU-23-Zhang-Attacking-NPUs-of-Multiple-Platforms.pdf) [slides] [CVE-2022-22265] [CVE-2020-28343] [SVE-2021-20204] [CVE-2023-42483] [CVE-2023-45864] 
@@ -919,6 +933,12 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ## Finding Bugs +[2024: "SyzBridge: Bridging the Gap in Exploitability Assessment of Linux Kernel Bugs in the Linux Ecosystem"](https://zhyfeng.github.io/files/2024-NDSS-SyzBridge.pdf) [paper] + +[2024: "SyzRetrospector: A Large-Scale Retrospective Study of Syzbot"](https://arxiv.org/pdf/2401.11642.pdf) [paper] + +[2023: "KernelGPT: Enhanced Kernel Fuzzing via Large Language Models"](https://arxiv.org/pdf/2401.00563.pdf) [paper] + [2023: "SyzDirect: Directed Greybox Fuzzing for Linux Kernel"](https://yuanxzhang.github.io/paper/syzdirect-ccs23.pdf) [paper] [2023: "Using ASAN and KASAN and then Interpreting their shadow memory reports" by Kaiwan N Billimoria](https://kernelmeetup.files.wordpress.com/2023/11/lt_1_using_asan_and_kasan_and_then_interpreting_their_shadow_memory_repo.pdf) [article] @@ -1571,6 +1591,8 @@ https://github.com/heki-linux https://github.com/oswalpalash/linux-kernel-regression-tests +https://github.com/google/security-research/blob/master/analysis/kernel/heap-exploitation/README.md [CodeQL] [[dashboard](https://lookerstudio.google.com/reporting/68b02863-4f5c-4d85-b3c1-992af89c855c/page/n92nD)] + ## Practice @@ -1580,7 +1602,7 @@ https://github.com/oswalpalash/linux-kernel-regression-tests [2020: "pwn.college: Module: Kernel Security"](https://pwn.college/modules/kernel) [workshop] -[2020: "Android Kernel Exploitation" by Ashfaq Ansari](https://github.com/cloudfuzz/android-kernel-exploitation) [workshop] +[2020: "Android Kernel Exploitation" by Ashfaq Ansari](https://github.com/cloudfuzz/android-kernel-exploitation) [workshop] [[video](https://www.youtube.com/watch?v=8ySHpVCYcbk)] ### CTF Tasks 
@@ -1772,6 +1794,10 @@ https://github.com/0xor0ne/awesome-list/ ## Misc +[2024: "Linux is a CNA" by Greg Kroah-Hartman](http://www.kroah.com/log/blog/2024/02/13/linux-is-a-cna/) [article] + +[2024: "An Investigation of Patch Porting Practices of the Linux Kernel Ecosystem"](https://arxiv.org/pdf/2402.05212.pdf) [paper] + [2023: "Syzbot: 7 years of continuous kernel fuzzing" by Aleksandr Nogikh](https://lpc.events/event/17/contributions/1521/attachments/1272/2698/LPC'23_%20Syzbot_%207%20years%20of%20continuous%20kernel%20fuzzing.pdf) [slides] [[video](https://www.youtube.com/watch?v=sDMNEBoTtrI)] [2023: "Operating system security: how to get into the subject" by Alexander Popov](https://www.youtube.com/watch?v=pq-0JKKNZVQ) [video] @@ -1808,6 +1834,8 @@ https://github.com/0xor0ne/awesome-list/ [grsecurity CVE-Dataset](https://docs.google.com/spreadsheets/u/0/d/1JO43UfT7Vjun9ytSWNdI17xmnzZMg19Tii-rKw94Rvw/htmlview#gid=0) [spreadsheet] +[Syzkaller Coverage Dashboard](https://lookerstudio.google.com/reporting/41ae4a20-9826-4f7f-be14-a934a04686fe/page/4EOpD) + https://github.com/nccgroup/exploit_mitigations https://github.com/bsauce/kernel-security-learning -- cgit v1.3
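Review bot: In hunk `@@ -52,6 +52,14 @@` (Exploitation), the santaclz entry mixes two label styles, `[[part2](...)]` and `[[part 3](...)]`; change the first to `[[part 2](...)]` so the continuation labels match each other and the rest of the list.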
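Review bot: In hunk `@@ -384,7 +392,9 @@` (LPE), the new CVE-2023-6546 entry carries only the `[CVE-2023-6546]` tag and no resource-type tag, while the neighbouring lines are tagged `[article]` and `[[exploit](...)]`; add the type tag that matches what the linked repository holds, placed before the CVE tag as in the other entries.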
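Review bot: In hunk `@@ -846,6 +856,10 @@` (Other), the second PowerVR title reads "UAF race conditon"; since titles are quoted, check the source report's title and correct to "condition" unless the original carries the misspelling.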
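Review bot: In hunk `@@ -919,6 +933,12 @@` (Finding Bugs), the KernelGPT entry is dated 2023 but points at arXiv 2401.00563, a January 2024 identifier, whereas the SyzRetrospector entry two lines up with arXiv 2401.11642 is dated 2024; confirm which date the list keys on so the two entries are dated consistently.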
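Review bot: In hunk `@@ -1772,6 +1794,10 @@` (Misc), the "Linux is a CNA" link uses plain `http://www.kroah.com/...` while every other link added in this patch is `https://`; switch it to `https://` if the site serves it.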
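Review bot: In hunk `@@ -1808,6 +1834,8 @@`, the new `[Syzkaller Coverage Dashboard](...)` line has no type tag, unlike `[grsecurity CVE-Dataset](...) [spreadsheet]` just above it, and the earlier hunk in this patch labels a similar lookerstudio link `[[dashboard](...)]`; append `[dashboard]` for consistency.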