Skip to content

Anything about kernel security. CTF kernel pwn, kernel exploit, kernel fuzz and kernel defense paper, kernel debugging technique, kernel CVE debug.

Notifications You must be signed in to change notification settings

bsauce/kernel-security-learning

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

89 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Kernel-Security-Learning

Anything about kernel security. CTF kernel pwn & kernel exploit, kernel fuzz and kernel defense paper & kernel debugging technique & kernel CVE debug.

Keep updating...


1. CTF

  1. linux内核漏洞利用初探(1):环境配置
  2. linux内核漏洞利用初探(2):demo-null_dereference
  3. linux内核漏洞利用初探(3):demo-stack_overflow
  4. 【Linux内核漏洞利用】2018强网杯core_栈溢出
  5. 【Linux内核漏洞利用】CISCN2017-babydriver_UAF漏洞
  6. 【Linux内核漏洞利用】0CTF2018-baby-double-fetch
  7. 【Linux内核漏洞利用】强网杯2018-solid_core-任意读写
  8. 【linux内核漏洞利用】StringIPC—从任意读写到权限提升三种方法
  9. 【linux内核漏洞利用】STARCTF 2019 hackme—call_usermodehelper提权路径变量总结
  10. 【linux内核漏洞利用】WCTF 2018 klist—竞争UAF-pipe堆喷
  11. 【linux内核漏洞利用】TokyoWesternsCTF-2019-gnote Double-Fetch
  12. 【linux内核userfaultfd使用】Balsn CTF 2019 - KrazyNote
  13. linux内核提权系列教程(1):堆喷射函数sendmsg与msgsend利用
  14. linux内核提权系列教程(2):任意地址读写到提权的4种方法
  15. linux内核提权系列教程(3):栈变量未初始化漏洞
  16. 【linux内核漏洞利用】ret2dir利用方法
  17. 【内核漏洞利用】绕过CONFIG_SLAB_FREELIST_HARDENED防护—kernoob两种解法
  18. 【Exploit trick】Linux内核中利用msg_msg结构实现任意地址读写
  19. 【Exploit trick】针对 cred 结构的 cross cache 利用(corCTF 2022-cache-of-castaways)
  20. 【Exploit trick】利用poll_list对象构造kmalloc-32任意释放 (corCTF 2022-CoRJail)

2. Paper

(1)kernel exploit

  1. 2014-USENIX:ret2dir: Rethinking Kernel Isolation
  2. 2015-CCS:From collision to exploitation_ Unleashing Use-After-Free vulnerabilities in Linux Kernel
  3. 2016-CCS:Prefetch Side-Channel Attacks - Bypassing SMAP and Kernel ASLR
  4. 2016-CCS:Breaking Kernel Address Space Layout Randomization with Intel TSX
  5. 2017-CCS:SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits
  6. 2017-NDSS:Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying — 【note
  7. 2018-USENIX:FUZE-Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities — 【note】【tool-FUZE
  8. 2019-USENIX:KEPLER-Facilitating Control-flow Hijacking Primitive Evaluation for Linux Kernel Vulnerabilities — 【note】【tool-KEPLER
  9. 2019-CCS:SLAKE-Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel — 【note】【tool-SLAKE
  10. 2020-USENIX:KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities — 【note】【note2】【tool-KOOBE
  11. 2020-CCS:A Systematic Study of Elastic Objects in Kernel Exploitation — 【note】【note2】【tool-ELOISE
  12. 2020-WOOT:Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers
  13. 2021-USENIX:ExpRace: Exploiting Kernel Races through Raising Interrupts — 【note
  14. 2021-CCS:Demons in the Shared Kernel: Abstract Resource Attacks Against OS-level Virtualization — 【note
  15. 2022-USENIX:SyzScope: Revealing High-Risk Security Impacts of Fuzzer-Exposed Bugs in Linux kernel — 【toolSyzScope
  16. 2022-USENIX:Playing for K(H)eaps: Understanding and Improving Linux Kernel Exploit Reliability — 【note
  17. 2022-S&P:GREBE: Unveiling Exploitation Potential for Linux Kernel Bugs — 【note】 【note2】 【reproduce】 【tool-GREBE
  18. 2022-NDSS:Kasper: Scanning for Generalized Transient Execution Gadgets in the Linux Kernel — 【note】 【tool-Kasper
  19. 2022-CCS:DirtyCred: Escalating Privilege in Linux Kernel — 【note
  20. 2023-USENIX:PSPRAY: Timing Side-Channel based Linux Kernel Heap Exploitation Technique — 【note】 【note2
  21. 2023-USENIX:AlphaEXP: An Expert System for Identifying Security-Sensitive Kernel Objects — 【note
  22. 2023-S&P:AEM: Facilitating Cross-Version Exploitability Assessment of Linux Kernel Vulnerabilities — 【note
  23. 2023-S&P:When Top-down Meets Bottom-up: Detecting and Exploiting Use-After-Cleanup Bugs in Linux Kernel — 【note】 【note2
  24. 2023-CCS:RetSpill: Igniting User-Controlled Data to Burn Away Linux Kernel Protections — 【note】 【tool-RetSpill
  25. 2024-NDSS: SyzBridge: Bridging the Gap in Exploitability Assessment of Linux Kernel Bugs in the Linux Ecosystem - 【note】 【tool-SyzBridge
  26. 2024-NDSS: K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel - 【note】 【tool-K-LEAK
  27. 2024-USENIX:Take a Step Further: Understanding Page Spray in Linux Kernel Exploitation
  28. 2024-USENIX:SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel - 【tool-SLUBStick
  29. 2024-USENIX:SCAVY: Automated Discovery of Memory Corruption Targets in Linux Kernel for Privilege Escalation

(2)kernel vulerability detection

  1. 2012-OSDI:Improving integer security for systems with KINT
  2. 2014-Black Hat:QSEE TrustZone Kernel Integer Overflow
  3. 2014-USENIX:Static Analysis of Variability in System Software - The 90, 000 #ifdefs Issue
  4. 2014-OSDI:SKI:Exposing Kernel Concurrency Bugs through Systematic Schedule Exploration
  5. 2015-SOSP:Cross-checking semantic correctness: The case of finding file system bugs — 【tool-JUXTA
  6. 2016-USENIX:UniSan-Proactive Kernel Memory Initialization to Eliminate Data Leakages — 【note】【tool-unisan
  7. 2016-USENIX:APISan: Sanitizing API Usages through Semantic Cross-Checking — 【tool-apisan
  8. 2017-EUROSYS:DangSan - Scalable Use-after-free Detection — 【tool-dangsan
  9. 2017-USENIX-ATC:CAB-Fuzz:Practical Concolic Testing Techniques for {COTS} Operating Systems
  10. 2017-CCS:DIFUZE-Interface Aware Fuzzing for Kernel Drivers — 【note】【tool-difuze
  11. 2017-USENIX:Digtool- A Virtualization-Based Framework for Detecting Kernel Vulnerabilities-usenix — 【note】【note2】【note3】【note4
  12. 2017-USENIX:How Double-Fetch Situations turn into DoubleFetch — 【note】【tool
  13. 2017-USENIX:DR. CHECKER- A Soundy Analysis for Linux Kernel Drivers — 【tool-dr_checker
  14. 2017-USENIX:kAFL- Hardware-Assisted Feedback Fuzzing for OS Kernels — 【note】【tool-kAFL
  15. 2018-S&P:DEADLINE-Precise and Scalable Detection of Double-Fetch Bugs in OS Kernels — 【note】【note2】【note3】【tool-DEADLINE
  16. 2018-CCS:Check It Again- Detecting Lacking-Recheck Bugs in OS Kernels — 【note】【note2】【tool-LRSan
  17. 2018-USENIX:MoonShine:Optimizing OS Fuzzer Seed Selection with Trace Distillation — 【note】【note2】【tool-moonshine
  18. 2018-NDSS:K-Miner: Uncovering Memory Corruption in Linux — 【note】【note2】【tool-K-Miner
  19. 2019-S&P:Razzer:Finding Kernel Race Bugs through Fuzzing — 【note】【note2】【note3】【tool-razzer
  20. 2019-WOOT-Workshop:Unicorefuzz- On the Viability of Emulation for Kernelspace Fuzzing — 【tool-unicorefuzz
  21. 2019-FSE:Detecting Concurrency Memory Corruption Vulnerabilities — 【tool-CONVUL
  22. 2019-S&P:Fuzzing File Systems via Two-Dimensional Input Space Exploration — 【note】 【note2】【tool-JANUS
  23. 2019-USENIX:Detecting Missing-Check Bugs via Semantic- and Context-Aware Criticalness and Constraints Inferences — 【tool-CRIX
  24. 2019-USENIX-ATC:Effective Static Analysis of Concurrency Use-After-Free Bugs in Linux Device Drivers — 【note
  25. 2019-NDSS:PeriScope:An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary — 【note】【tool-periscope
  26. 2018-USENIX-ATC:DSAC: Effective Static Analysis of Sleep-in-Atomic-Context Bugs in Kernel Modules
  27. 2020-TOCS:Effective Detection of Sleep-in-atomic-context Bugs in the Linux Kernel
  28. 2020-NDSS:HFL: Hybrid Fuzzing on the Linux Kernel — 【note】【note2】【note3
  29. 2020-S&P:Krace: Data Race Fuzzing for Kernel File Systems — 【note
  30. 2020-USENIX:Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpointspresentation
  31. 2020-USENIX:Muzz: Thread-aware Grey-box Fuzzing for Effective Bug Hunting in Multithreaded Programs — 【note
  32. 2020-CCS:Exaggerated Error Handling Hurts! An In-Depth Study and Context-Aware Detection —【note
  33. 2020-FSE:UBITect: A Precise and Scalable Method to Detect Use-Before-Initialization Bugs in Linux Kernel — 【note
  34. 2020-LPC:KCSAN-Data-race detection in the Linux kernel
  35. 2021-NDSSDetecting Kernel Memory Leaks in Specialized Modules With Ownership Reasoning — 【note
  36. 2021-NDSS:KUBO: Precise and Scalable Detection of User-triggerable Undefined Behavior Bugs in OS Kernel — 【note
  37. 2021-USENIX:Detecting Kernel Refcount Bugs with Two-Dimensional Consistency Checking — 【note
  38. 2021-USENIX:Understanding and Detecting Disordered Error Handling with Precise Function Pairing — 【note
  39. 2021-USENIX:An Analysis of Speculative Type Confusion Vulnerabilities in the Wild
  40. 2021-USENIX:Static Detection of Unsafe DMA Accesses in Device Drivers — 【note
  41. 2021-CCS:Statically Discovering High-Order Taint Style Vulnerabilities in OS Kernels — 【note】 【note2
  42. 2021-CCS:Detecting Missed Security Operations Through Differential Checking of Object-based Similar Paths — 【note
  43. 2021-SOSP:HEALER: Relation Learning Guided Kernel Fuzzing — 【tool-healer】 【note】 【note2】 【note3
  44. 2021-S&P:A Novel Dynamic Analysis Infrastructure to Instrument Untrusted Execution Flow Across User-Kernel Spaces
  45. 2022-NDSS:An In-depth Analysis of Duplicated Linux Kernel Bug Reports — 【note
  46. 2022-NDSS:Progressive Scrutiny-Incremental Detection of UBI bugs in the Linux Kernel — 【note
  47. 2022-NDSS:Semantic-Informed Driver Fuzzing Without Both the Hardware Devices and the Emulators — 【note】 【note2
  48. 2022-USENIX:LinKRID: Vetting Imbalance Reference Counting in Linux kernel with Symbolic Execution — 【note】 【note2
  49. 2022-USENIX:OS-Aware Vulnerability Prioritization via Differential Severity Analysis
  50. 2023-NDSS:No Grammar, No Problem: Towards Fuzzing the Linux Kernel without System-Call Descriptions
  51. 2023-USENIX:FirmSolo: Enabling dynamic analysis of binary Linux-based IoT kernel modules — 【note
  52. 2023-USENIX:Mitigating Security Risks in Linux with KLAUS: A Method for Evaluating Patch Correctness
  53. 2023-USENIX:BoKASAN: Binary-only Kernel Address Sanitizer for Effective Kernel Fuzzing
  54. 2023-USENIX:ACTOR: Action-Guided Kernel Fuzzing
  55. 2023-USENIX:Uncontained: Uncovering Container Confusion in the Linux Kernel
  56. 2023-USENIX:DDRace: Finding Concurrency UAF Vulnerabilities in Linux Drivers with Directed Fuzzing
  57. 2023-S&P:SyzDescribe: Principled, Automated, Static Generation of Syscall Descriptions for Kernel Drivers — 【tool-SyzDescribe
  58. 2023-S&P:Precise Detection of Kernel Data Races with Probabilistic Lockset Analysis
  59. 2023-S&P:SEGFUZZ: Segmentizing Thread Interleaving to Discover Kernel Concurrency Bugs through Fuzzing — 【tool-segfuzz
  60. 2023-CCS:SyzDirect: Directed Greybox Fuzzing for Linux Kernel — 【tool-Syzdirect
  61. 2024-NDSS: MOCK: Optimizing Kernel Fuzzing Mutation with Context-aware Dependency - 【tool-mock
  62. 2024-S&P: To Boldly Go Where No Fuzzer Has Gone Before: Finding Bugs in Linux' Wireless Stacks through VirtIO Devices - 【tool-Virtfuzz
  63. 2024-S&P: SyzGen++: Dependency Inference for Augmenting Kernel Driver Fuzzingtool-SyzGen++

(3)kernel defense

  1. 2011-NDSS:Practical Protection of Kernel Integrity for Commodity OS from Untrusted Extensions
  2. 2011-NDSS:SigGraph - Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures
  3. 2011-NDSS:Efficient Monitoring of Untrusted Kernel-Mode Execution
  4. 2012-NDSS:Kruiser - Semi-synchronized Non-blocking Concurrent Kernel Heap Buffer Overflow Monitoring
  5. 2012-OSDI:Improving Integer Security for Systems with KINT
  6. 2012-S&P:Smashing the Gadgets - Hindering Return-Oriented Programming Using In-place Code Randomization
  7. 2012-USS:Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization
  8. 2013-EUROSYS:Process firewalls - protecting processes during resource access
  9. 2013-NDSS:Attack Surface Metrics and Automated Compile-Time OS Kernel Tailoring
  10. 2013-S&P:Just-In-Time Code Reuse - On the Effectiveness of Fine-Grained Address Space Layout Randomization
  11. 2014-CCS:A Tale of Two Kernels - Towards Ending Kernel Hardening Wars with Split Kernel
  12. 2014-NDSS:ROPecker - A Generic and Practical Approach For Defending Against ROP Attacks
  13. 2014-OSDI:Jitk - A Trustworthy In-Kernel Interpreter Infrastructure
  14. 2014-S&P:KCoFI - Complete Control-Flow Integrity for Commodity Operating System Kernels
  15. 2014-S&P:Dancing with Giants - Wimpy Kernels for On-Demand Isolated I/O
  16. 2015-NDSS:Preventing Use-after-free with Dangling Pointers Nullification
  17. 2016-NDSS:Enforcing Kernel Security Invariants with Data Flow Integrity
  18. 2016-OSDI:Light-Weight Contexts - An OS Abstraction for Safety and Performance
  19. 2016-OSDI:EbbRT - A Framework for Building Per-Application Library Operating Systems
  20. 2017-EUROSYS:A Characterization of State Spill in Modern Operating Systems
  21. 2017-EUROSYS:kRˆX: Comprehensive Kernel Protection Against Just-In-Time Code Reuseslides
  22. 2017-NDSS:PT-Rand - Practical Mitigation of Data-only Attacks against Page Tables
  23. 2017-S&P:NORAX - Enabling Execute-Only Memory for COTS Binaries on AArch64
  24. 2017-CCS:FreeGuard - A Faster Secure Heap Allocator
  25. 2017-USENIX:Lock-in-Pop - Securing Privileged Operating System Kernels by Keeping on the Beaten Path
  26. 2017-USENIX:Can’t Touch This: Software-only Mitigation against Rowhammer Attacks targeting Kernel Memory
  27. 2017-USENIX:Oscar: A Practical Page-Permissions-Based Scheme for Thwarting Dangling Pointers
  28. 2019-S&P:LBM - A Security Framework for Peripherals within the Linux Kernel
  29. 2019-S&P:SoK - Shining Light on Shadow Stacks
  30. 2019-S&P:SoK - Sanitizing for Security
  31. 2019-USENIX:PeX: A Permission Check Analysis Framework for Linux Kernel
  32. 2019-USENIX:ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK)
  33. 2019-USENIX:LXDs - Towards Isolation of Kernel Subsystems
  34. 2019-USENIX:SafeHidden: An Efficient and Secure Information Hiding Technique Using Re-randomization
  35. 2020-S&P:xMP: Selective Memory Protection for Kernel and User Space
  36. 2020-S&P:SEIMI: Efficient and Secure SMAP-Enabled Intra-process Memory Isolation — 【note
  37. 2021-USENIX:Undo Workarounds for Kernel Bugs
  38. 2021-USENIX:SHARD: Fine-Grained Kernel Specialization with Context-Aware Hardening
  39. 2021-USENIX:Preventing Use-After-Free Attacks with Fast Forward Allocation
  40. 2022-NDSS:Preventing Kernel Hacks with HAKCs
  41. 2022-USENIX:Midas: Systematic Kernel TOCTTOU Protection
  42. 2023-S&P:EC: Embedded Systems Compartmentalization via Intra-Kernel Isolation
  43. 2023-S&P:uSwitch: Fast Kernel Context Isolation with Implicit Context Switches
  44. 2023-USENIX:PET: Prevent Discovered Errors from Being Triggered in the Linux Kernel
  45. 2023-USENIX:A Hybrid Alias Analysis and Its Application to Global Variable Protection in the Linux Kernel
  46. 2024-USENIX:SeaK: Rethinking the Design of a Secure Allocator for OS Kernel

other resources:

  1. security things in every version of Linux mainline
  2. PaX code analysis
  3. A Decade of Linux Kernel Vulnerabilities, their Mitigation and Open Problems-2017
  4. 10_years_of_linux_security_by_grsecurity_2020—— security mechanism timeline
  5. linux-kernel-defence-map
  6. linux_mitigations
  7. The State of Kernel Self Protection-2018

(4) Android

  1. 2020-USEINX:Automatic Hot Patch Generation for Android Kernels—自动给安卓打补丁 【note

3. CVE

  1. Linux kernel 4.20 BPF 整数溢出漏洞分析
  2. 【kernel exploit】CVE-2016-9793 错误处理负值导致访问用户空间
  3. 【kernel exploit】CVE-2017-5123 null任意地址写漏洞
  4. 【CVE-2017-7184】Linux xfrm模块越界读写提权漏洞分析
  5. 【kernel exploit】CVE-2017-6074 DCCP拥塞控制协议Double-Free提权分析
  6. 【kernel exploit】CVE-2017-7308 AF_PACKET 环形缓冲区溢出漏洞
  7. 【kernel exploit】CVE-2017-8890 Phoenix Talon漏洞分析与利用
  8. 【kernel exploit】CVE-2017-11176 竞态Double-Free漏洞调试
  9. 【CVE-2017-16995】Linux ebpf模块整数扩展问题导致提权漏洞分析
  10. 【kernel exploit】CVE-2017-1000112 UDP报文处理不一致导致堆溢出
  11. 【kernel exploit】CVE-2018-5333 空指针引用漏洞
  12. 【kernel exploit】CVE-2019-8956 sctp_sendmsg()空指针引用漏洞
  13. 【kernel exploit】CVE-2019-9213 逻辑漏洞绕过 mmap_min_addr 限制
  14. 【kernel exploit】CVE-2019-15666 xfrm UAF 8字节写NULL提权分析
  15. 【kernel exploit】CVE-2020-8835:eBPF verifier 错误处理导致越界读写
  16. 【kernel exploit】BPF漏洞挖掘与CVE-2020-27194 整数溢出漏洞
  17. 【kernel exploit】CVE-2021-3156 sudo漏洞分析与利用
  18. 【kernel exploit】CVE-2021-26708 四字节写特殊竞争UAF转化为内核任意读写
  19. 【kernel exploit】CVE-2021-31440 eBPF边界计算错误漏洞
  20. 【kernel exploit】CVE-2021-3490 eBPF 32位边界计算错误漏洞
  21. 【kernel exploit】CVE-2021-22555 2字节堆溢出写0漏洞提权分析
  22. 【kernel exploit】CVE-2021-41073 内核类型混淆漏洞利用分析
  23. 【kernel exploit】CVE-2021-4154 错误释放任意file对象-DirtyCred利用
  24. 【kernel exploit】CVE-2021-42008 6pack协议解码溢出漏洞利用
  25. 【kernel exploit】CVE-2021-43267 TIPC协议MSG_CRYPTO消息溢出利用
  26. 【kernel exploit】CVE-2022-0847 Dirty Pipe 漏洞分析与利用
  27. 【kernel exploit】CVE-2022-0185 File System Context 整数溢出漏洞利用
  28. 【kernel exploit】CVE-2022-0995 堆溢出1比特置1漏洞利用
  29. 【kernel exploit】CVE-2022-1015 nftables 栈溢出漏洞分析与利用
  30. 【kernel exploit】CVE-2022-2588 Double-free 漏洞 DirtyCred 利用
  31. 【kernel exploit】CVE-2022-2602 UNIX_GC错误释放io_uring注册的file结构-UAF
  32. 【kernel exploit】CVE-2022-2639 openvswitch模块kmalloc-0x10000堆溢出利用(pipe_buffer任意文件写技术)
  33. 【kernel exploit】CVE-2022-25636 nftables OOB写堆指针漏洞利用
  34. 从 PWN2OWN CVE-2022-27666 看内核页风水
  35. 【kernel exploit】CVE-2022-32250 nftables错误链表操作导致UAF写的漏洞利用
  36. 【kernel exploit】CVE-2022-34918 nftable堆溢出漏洞利用(list_head任意写)
  37. 【kernel exploit】CVE-2023-2598 io_uring物理内存越界读写(伪造sock对象)
  38. 【kernel exploit】CVE-2024-1086 nftables UAF漏洞-Dirty Pagedirectory利用方法

4. Exploitation Techniques

  1. Dirty Pagetable-一种新的内核漏洞利用技术

5. Tool

  1. syzkaller 源码阅读笔记1(syz-extract & syz-sysgen)
  2. syzkaller 源码阅读笔记2(syz-manager)
  3. syzkaller 源码阅读笔记3(syz-fuzzer)

6. Debug & other techniques

  1. linux双机调试
  2. linux内核漏洞利用初探(1):环境配置
  3. 【linux内核调试】SystemTap使用技巧
  4. 【linux内核调试】使用Ftrace来Hook linux内核函数
  5. 【linux内核调试】ftrace/kprobes/SystemTap内核调试方法对比
  6. 【KVM】KVM学习—实现自己的内核

Reference:

linux-security-papers

linux-kernel-exploitation

GoSSIP_Software Security Group

About

Anything about kernel security. CTF kernel pwn, kernel exploit, kernel fuzz and kernel defense paper, kernel debugging technique, kernel CVE debug.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published