From bf13e7ec833b4f296d13ff474def1abf8e3867ef Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Sat, 15 Jan 2022 00:24:10 +0300 Subject: November/December updates And a couple of January ones too. --- README.md | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 64 insertions(+), 2 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 3c47ae6..58ba914 100644 --- a/README.md +++ b/README.md @@ -47,6 +47,8 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/ ### Exploitation +[2021: "ExpRace: Exploiting Kernel Races through Raising Interrupts" at USENIX](https://www.usenix.org/system/files/sec21-lee-yoochan.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec21_slides_lee_yoochan.pdf)] [[video](https://www.youtube.com/watch?v=CIHRw5YPr9o)] + [2021: "Utilizing msg_msg Objects for Arbitrary Read and Arbitrary Write in the Linux Kernel"](https://www.willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html) [article] [[part2](https://syst3mfailure.io/wall-of-perdition)] [2021: "Linux Kernel Exploitation Technique: Overwriting modprobe_path"](https://lkmidas.github.io/posts/20210223-linux-kernel-pwn-modprobe/) [article] 
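Review bot: the new ExpRace entry omits the author where the rest of the Exploitation list credits one ("by ..."); the PDF slug `sec21-lee-yoochan` indicates Yoochan Lee as first author, so `... at USENIX" by Yoochan Lee et al.` (or whatever the paper's own author line says) would match the convention used by the msg_msg and modprobe_path entries right below it.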
@@ -174,6 +176,10 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/ ## Protection Bypasses +[2021: "A General Approach to Bypassing Many Kernel Protections and its Mitigation" by Yueqi Chen](https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Chen-A-General-Approach-To-Bypassing-Many-Kernel-Protections-And-Its-Mitigation.pdf) [slides] [[video](https://www.youtube.com/watch?v=EIwEF3tCtg4)] + +[2021: "Attacking Samsung RKP" by Alexandre Adamski](https://blog.impalabs.com/2111_attacking-samsung-rkp.html) [article] + [2020: "Things not to do when using an IOMMU" by Ilja van Sprundel and Joseph Tartaro](https://www.youtube.com/watch?v=p1HUpSkHcZ0) [video] [2020: "SELinux RKP misconfiguration on Samsung S20 devices" by Vitaly Nikolenko](https://duasynt.com/blog/samsung-s20-rkp-selinux-disable) [article] 
@@ -261,6 +267,16 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/ ### LPE +[2021: "[CVE-2021-42008] Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver"](https://syst3mfailure.io/sixpack-slab-out-of-bounds) [article] [CVE-2021-42008] + +[2021: "PWN2OWN Local Escalation of Privilege Category, Ubuntu Desktop Exploit"](https://flatt.tech/assets/reports/210401_pwn2own/whitepaper.pdf) [article] [CVE-TBD] + +[2021: "Reversing and Exploiting Samsung's NPU" by Maxime Peterlin](https://blog.impalabs.com/2103_reversing-samsung-npu.html) [article] [[part 2](https://blog.impalabs.com/2110_exploiting-samsung-npu.html)] [slides](https://github.com/Impalabs/conferences/blob/master/2021-barbhack21/21-Barbhack21-Reversing_and_Exploiting_Samsungs_Neural_Processing_Unit.pdf) + +[2021: "Fall of the machines: Exploiting the Qualcomm NPU (neural processing unit) kernel driver" by Man Yue Mo](https://securitylab.github.com/research/qualcomm_npu/) [article] [CVE-2021-1940, CVE-2021-1968, CVE-2021-1969] + +[2021: "Exploiting CVE-2021-43267" by Blasty](https://haxx.in/posts/pwning-tipc/) [article] [CVE-2021-43267] + [2021: "How a simple Linux kernel memory corruption bug can lead to complete system compromise" by Jann Horn](https://googleprojectzero.blogspot.com/2021/10/how-simple-linux-kernel-memory.html) [article] [CVE-TBD] [2021: "SuDump: Exploiting suid binaries through the kernel" by Itai Greenhut](https://alephsecurity.com/2021/10/20/sudump/) [article] [CVE-TBD] 
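Review bot: the Samsung NPU entry breaks the link-tag convention: `[[part 2](...)] [slides](https://github.com/Impalabs/...)` leaves the slides link without the outer square brackets that every other entry uses (`[[slides](...)]`), so it renders as a bare link instead of a tag. Separately, the Pwn2Own Ubuntu whitepaper entry carries a `[CVE-TBD]` placeholder like the two older entries below it and names no author, unlike the other four entries in this hunk; worth checking whether the CVE has since been assigned before adding another placeholder.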
@@ -269,7 +285,7 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/ [2021: "Kernel Pwning with eBPF: a Love Story" by Valentina Palmiotti](https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story) [article] [CVE-2021-3490] -[2021: "The Art of Exploiting UAF by Ret2bpf in Android Kernel" by Xingyu Jin and Richard Neal](https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20The%20Art%20of%20Exploiting%20UAF%20by%20Ret2bpf%20in%20Android%20Kernel%20-%20Xingyu%20Jin%20&%20Richard%20Neal.pdf) [slides] [CVE-2021-0399] +[2021: "The Art of Exploiting UAF by Ret2bpf in Android Kernel" by Xingyu Jin and Richard Neal](https://i.blackhat.com/EU-21/Wednesday/EU-21-Jin-The-Art-of-Exploiting-UAF-by-Ret2bpf-in-Android-Kernel-wp.pdf) [article] [[slides](https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20The%20Art%20of%20Exploiting%20UAF%20by%20Ret2bpf%20in%20Android%20Kernel%20-%20Xingyu%20Jin%20&%20Richard%20Neal.pdf)] [[video](https://www.youtube.com/watch?v=7UXtirV1Vzg)] [CVE-2021-0399] [2021: "Internal of the Android kernel backdoor vulnerability"](https://vul.360.net/archives/263) [article] [CVE-2021-28663] 
@@ -353,6 +369,8 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/ [2020: "Multiple Kernel Vulnerabilities Affecting All Qualcomm Devices" by Tamir Zahavi-Brunner](https://blog.zimperium.com/multiple-kernel-vulnerabilities-affecting-all-qualcomm-devices/) [article] [CVE-2019-14040, CVE-2019-14041] +[2019: "CVE-2017-16995 Analysis - eBPF Sign Extension LPE" by senyuuri](https://blog.senyuuri.info/2019/01/19/kernel-epbf-sign-extension/) [article] [CVE-2017-16995] + [2019: "Kernel Research / mmap handler exploitation" by deshal3v](https://deshal3v.github.io/blog/kernel-research/mmap_exploitation)[article] [CVE-2019-18675] [2019: "Bad Binder: Android In-The-Wild Exploit" by Maddie Stone](https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html) [article] [CVE-2019-2215] 
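Review bot: the context line directly below the new CVE-2017-16995 entry reads `...mmap_exploitation)[article]` with no space before the tag, unlike every other entry in the list; since this region is being edited anyway, adding the space would be a cheap drive-by fix. The new 2019 entry itself is correctly placed between the 2020 and 2019 entries.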
@@ -563,6 +581,14 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/ ### Other +[2022: "CVE-2021-45608 | NetUSB RCE Flaw in Millions of End User Routers" by Max Van Amernngen](https://www.sentinelone.com/labs/cve-2021-45608-netusb-rce-flaw-in-millions-of-end-user-routers/) [article] [CVE-2021-45608] + +[2021: "CVE-2021-1048: refcount increment on mid-destruction file" by Jann Horn](https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-1048.html) [article] [CVE-2021-1048] + +[2021: "Achieving Linux Kernel Code Execution Through a Malicious USB Device" by Martijn Bogaard and Dana Geist](https://i.blackhat.com/EU-21/Thursday/EU-21-Bogaard-Geist-Achieving-Linux-Kernel-Code-Execution-Through-A-Malicious-USB-Device.pdf) [slides] [CVE-2016-2384] + +[2021: "SLUB overflow CVE-2021-42327"](https://docfate111.github.io/blog/securityresearch/2021/11/08/SLUBoverflow.html) [article] [CVE-2021-42327] + [2021: "CVE-2021-44733: Fuzzing and exploitation of a use-after-free in the Linux kernel TEE subsystem" by pjlantz](https://github.com/pjlantz/optee-qemu) [article] [[poc](https://github.com/pjlantz/optee_examples/tree/master/exploit/host)] [CVE-2021-44733] [2021: "CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution" by Max Van Amerongen](https://www.sentinelone.com/labs/tipc-remote-linux-kernel-heap-overflow-allows-arbitrary-code-execution/) [article] [CVE-2021-43267] 
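Review bot: author name typo in the NetUSB entry: `Max Van Amernngen` should be `Max Van Amerongen`, as it is spelled in the TIPC entry two lines below from the same SentinelOne blog.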
@@ -602,13 +628,25 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/ ## Finding Bugs +[2021: "LinKRID: Vetting Imbalance Reference Counting in Linux kernel with Symbolic Execution" at USENIX](https://www.usenix.org/system/files/sec22summer_liu-jian.pdf) [paper] + +[2021: "An Analysis of Speculative Type Confusion Vulnerabilities in the Wild" at USENIX](https://www.usenix.org/system/files/sec21-kirzner.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec21_slides_kirzner.pdf)] [[video](https://www.youtube.com/watch?v=Gxv6LcabKrg)] + +[2021: "SyzVegas: Beating Kernel Fuzzing Odds with Reinforcement Learning" at USENIX](https://www.usenix.org/system/files/sec21-wang-daimeng.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec21_slides_wang-daimeng.pdf)] [[video](https://www.youtube.com/watch?v=72Ngu3305TU)] + +[2021: "Detecting Kernel Refcount Bugs with Two-Dimensional Consistency Checking" at USENIX](https://www.usenix.org/system/files/sec21-tan.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec21_slides_tan.pdf)] [[video](https://www.youtube.com/watch?v=tUzeuJTzpx4)] + +[2021: "Ruffling the penguin! 
How to fuzz the Linux kernel" by Andrey Konovalov and xakep.ru](https://hackmag.com/security/linux-fuzzing/) [article] + +[2021: "CoLaFUZE: Coverage-Guided and Layout-Aware Fuzzing for Android Drivers"](https://www.jstage.jst.go.jp/article/transinf/E104.D/11/E104.D_2021NGP0005/_pdf) [paper] + [2021: "CVEHound: Audit Kernel Sources for Missing CVE Fixes" by Denis Efremov](https://speakerdeck.com/efremov/cvehound-audit-kernel-sources-for-missing-cve-fixes) [slides] [[video](https://www.youtube.com/watch?v=jIDnVeZNUA8)] [2021: "Finding Multiple Bug Effects for More Precise Exploitability Estimation" by Zhenpeng Lin and Yueqi Chen](https://static.sched.com/hosted_files/lssna2021/5a/LSS_2021_Multiple_Error_Behavior.pdf) [slides] [[video](https://www.youtube.com/watch?v=J3frKpcJ9vg)] [2021: "Triaging Kernel Out-Of-Bounds Write Vulnerabilities" by Weiteng Chen](https://static.sched.com/hosted_files/lssna2021/07/koobe-LSS.pdf) [slides] [[video](https://www.youtube.com/watch?v=YUHy58hyDq0)] -[2021: "SyzScope: Revealing High-Risk Security Impacts of Fuzzer-Exposed Bugs" by Xiaochen Zou](https://static.sched.com/hosted_files/lssna2021/55/SyzScope%20in%20Linux%20Security%20Summit.pdf) [slides] [[video](https://www.youtube.com/watch?v=MJbqeo5qtQ0)] [[lwn article](https://lwn.net/Articles/872649/)] +[2021: "SyzScope: Revealing High-Risk Security Impacts of Fuzzer-Exposed Bugs" by Xiaochen Zou](https://etenal.me/wp-content/uploads/2021/10/SyzScope-final.pdf) [paper] [[slides](https://static.sched.com/hosted_files/lssna2021/55/SyzScope%20in%20Linux%20Security%20Summit.pdf)] [[video](https://www.youtube.com/watch?v=MJbqeo5qtQ0)] [[lwn article](https://lwn.net/Articles/872649/)] [2021: "HEALER: Relation Learning Guided Kernel Fuzzing"](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/healer-sosp21.pdf) [paper] 
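Review bot: the LinKRID entry is dated 2021 but its file is `sec22summer_liu-jian.pdf`, i.e. a USENIX Security '22 (summer cycle) paper; the year should be 2022 so that it sorts correctly under the list's newest-first ordering instead of sitting among the sec21 papers.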
@@ -632,6 +670,8 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/ [2021: "Dynamic program analysis for fun and profit" by Dmitry Vyukov](https://linuxfoundation.org/wp-content/uploads/Dynamic-program-analysis_-LF-Mentorship.pdf) [slides] [[video](https://www.youtube.com/watch?v=ufcyOkgFZ2Q)] +[2020: "Fuzzing a Pixel 3a Kernel with Syzkaller" by senyuuri](https://blog.senyuuri.info/2020/04/16/fuzzing-a-pixel-3a-kernel-with-syzkaller/) [article] + [2020: "Fuzzing the Berkeley Packet Filter" by Benjamin Curt Nilsen](https://search.proquest.com/openview/feeeac2f4c7f767740986bdbf9d51785/1?pq-origsite=gscholar&cbl=44156) [thesis] [2020: "syzkaller: Adventures in Continuous Coverage-guided Kernel Fuzzing" by Dmitry Vyukov at BlueHat IL](https://docs.google.com/presentation/d/e/2PACX-1vRWjOOL45BclKsCPMzdWmvH12hu-Ld1cU5MbB1tqcBhjVIr1M_qxZRE-ObKcVmqpCyqRAO62Sxm0_aW/pub?start=false&loop=false&delayms=3000&slide=id.p) [[video](https://www.youtube.com/watch?v=YwX4UyXnhz0)] 
@@ -773,6 +813,14 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/ [2021: "Mitigating Linux kernel memory corruptions with Arm Memory Tagging" by Andrey Konovalov](https://docs.google.com/presentation/d/1IpICtHR1T3oHka858cx1dSNRu2XcT79-RCRPgzCuiRk/edit?usp=sharing) [slides] [[video](https://www.youtube.com/watch?v=UwMt0e_dC_Q)] +[2021: "Midas: Systematic Kernel TOCTTOU Protection" at USENIX](https://www.usenix.org/system/files/sec22summer_bhattacharyya.pdf) [paper] + +[2021: "Undo Workarounds for Kernel Bugs" at USENIX](https://www.usenix.org/system/files/sec21-talebi.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec21_slides_talebi.pdf)] [[video](https://www.youtube.com/watch?v=4QwMMCjAll8)] + +[2021: "SHARD: Fine-Grained Kernel Specialization with Context-Aware Hardening" at USENIX](https://www.usenix.org/system/files/sec21-abubakar.pdf) [[slides](https://www.usenix.org/system/files/sec21_slides_abubakar.pdf)] [[video](https://www.youtube.com/watch?v=ts3MQPTtFkg)] + +[2021: "Mitigation of Kernel Memory Corruption Using Multiple Kernel Memory Mechanism"](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9502080) [paper] + [2021: "Hardware-Assisted Fine-Grained Control-Flow Integrity: Adding Lasers to Intel's CET/IBT" by Joao Moreira](https://static.sched.com/hosted_files/lssna2021/8f/LSS_FINEIBT_JOAOMOREIRA.pdf) [slides] [[video](https://www.youtube.com/watch?v=FzGIM1218Ok)] [2021: "Kernel Self-Protection Project" by Kees Cook](https://outflux.net/slides/2021/lss/kspp.pdf) [slides] [[video](https://www.youtube.com/watch?v=-Binxid8t_8)] @@ -1001,6 +1049,8 @@ https://github.com/IntelLabs/kAFL/ https://github.com/snorez/ebpf-fuzzer +https://github.com/SmoothHacker/LateRegistration + ### Assorted 
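Review bot: two issues in the Mitigations hunk: the Midas entry is dated 2021 but points at `sec22summer_bhattacharyya.pdf`, a USENIX Security '22 paper, so the year should be 2022; and the SHARD entry is missing the `[paper]` tag after the link (`...sec21-abubakar.pdf) [[slides](...)]`), unlike the Undo Workarounds and Midas entries next to it.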
@@ -1042,11 +1092,17 @@ https://github.com/duasynt/gdb_scripts/ https://github.com/evdenis/cvehound +https://github.com/redplait/lkcd + +https://github.com/Kyle-Kyle/pwning-toolset/blob/main/linux-kernel/fgkaslr_gadgets.py + ## Practice ### Workshops +[2021: "Linux kernel exploit development"](https://breaking-bits.gitbook.io/breaking-bits/exploit-development/linux-kernel-exploit-development) [workshop] + [2020: "pwn.college: Module: Kernel Security"](https://pwn.college/modules/kernel) [workshop] [2020: "Android Kernel Exploitation" by Ashfaq Ansari](https://github.com/cloudfuzz/android-kernel-exploitation) [workshop] @@ -1060,6 +1116,8 @@ https://github.com/evdenis/cvehound [github.com/AravGarg/kernel-hacking/ctf-challs](https://github.com/AravGarg/kernel-hacking/tree/master/ctf-challs) +VULNCON CTF 2021 (IPS): [writeup](https://kileak.github.io/ctf/2021/vulncon-ips/), [writeup 2](https://blog.kylebot.net/2022/01/10/VULNCON-2021-IPS/) + N1 CTF 2021 (baby-guess): [source](https://github.com/sajjadium/ctf-archives/tree/main/N1CTF/2021/pwn/baby_guess), [writeup](https://kileak.github.io/ctf/2021/n1ctf21-babyguess/) Balsn CTF 2021 (futex): [source](https://github.com/sajjadium/ctf-archives/tree/main/Balsn/2021/pwn/futex), [writeup](https://gist.github.com/st424204/e6395bdbed43b1bf308a4de2ba9d6ba0) 
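Review bot: the VULNCON CTF 2021 (IPS) entry lists two writeups but no `[source]` link, whereas the neighbouring N1 CTF and Balsn CTF entries each lead with a `[source]` link to the challenge files (the sajjadium/ctf-archives repo in both cases); if the IPS challenge is archived there, add it for consistency, otherwise the entry is fine as-is.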
@@ -1200,6 +1258,10 @@ https://github.com/crowell/old_blog/blob/source/source/_posts/2014-11-24-hosting ## Misc +[2022: "Automated RE of Kernel Configurations" by zznop](https://zznop.com/2022/01/02/automated-re-of-kernel-build-configs/) [article] + +[2021: "An Investigation of the Android Kernel Patch Ecosystem" at USENIX](https://www.usenix.org/system/files/sec21-zhang-zheng.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec21_slides_zhang-zheng.pdf)] [[video](https://www.youtube.com/watch?v=sx2unUrsQhc)] + [2021: "The Complicated History of a Simple Linux Kernel API"](https://www.grsecurity.net/complicated_history_simple_linux_kernel_api) [article] [2021: "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commit"](https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf) [paper] -- cgit v1.3