Andrey Konovalov @andreyknvl Twitter profile

Pinned Tweet

Andrey Konovalov

2 months

Please hit me up if you want a 15% discount voucher for the Exploiting the Linux Kernel training session at RomHack in September. I have a few, valid only until the end of this week.

Cyber Saiyan / RomHack Conference, Training, Camp

@cybersaiyanIT

2 months

🎓🎓 #RomHack2024 #Training 🎓🎓 Early Bird –> 10% discount We rely on our community to make #RomHack2024 bigger and better! Register Now: #CyberSecurityExperts #LearnFromTheBest #CyberSecurityTraining

0

4

9

1

7

19

Last Seen Profiles

@biljanicaaa

@kjeachu

@banana_child

@Jane4UsGirls

@cathsdiary___

@gswchris

@agerediscord

@stw_pdg

@ElectronixPurge

@UmezawaBenrishi

@dralmosa

@sprudlers

@atiselsts_eth

@AscendEX_zh

@KyleDeckelbaum

@hegartymaths

@niclasernst

@GdShodai

@nakadori

@moonmistblue

@Parisadafi

@rycpt

@stessieT

@iamdunoutere

@gwlauren

@AnhSketch

@sushifur

@GovernodoMT

@Sephiblack

@dachshundwizard

@Lonewolf_Kye

@LivingArabic

@1039WLPO

@Kenthedivine

@brenandaking_

@yubaobb888

Andrey Konovalov

@andreyknvl

2 years

WTF, @github is planning to ban me. No idea why. Hosting proof-of-concept code? Having given talks at Russian conferences? Holding a Russian passport (even though I've been a German resident for last 6 years)? No meaningful explanation given. Any good decentralized githubs yet?

78

163

907

Andrey Konovalov

@andreyknvl

2 years

Wrote an article about #fuzzing the Linux kernel network stack externally with #syzkaller . The article covers: 🧰 Introduction to syzkaller 💉 Using TUN/TAP for packet injection 👽 Integrating TUN/TAP via pseudo-syscalls 🏆 Showcases of found bugs

🔍 Looking for Remote Code Execution bugs in the Linux kernel

Using syzkaller to fuzz the Linux kernel network stack externally

xairy.io

5

254

701

Andrey Konovalov

@andreyknvl

3 months

Wrote an article about turning a ThinkPad X1 Carbon 6th Gen laptop into a programmable USB device by enabling the xDCI controller 😯 Now I can emulate USB devices from the laptop without external hardware, including via Raw Gadget or even Facedancer 😁

🤫 Unlocking secret ThinkPad functionality for emulating USB devices

Enabling and using xDCI controller on ThinkPad X1 Carbon 6th Gen

xairy.io

7

189

627

Andrey Konovalov

@andreyknvl

7 years

Linux kernel local root exploit for CVE-2017-1000112

2

364

516

Andrey Konovalov

@andreyknvl

3 years

Memory tagging is coming to kill all of your favorite Linux kernel exploits. I'll be premiering my "Mitigating Linux kernel memory corruptions with Arm Memory Tagging" LSS talk on YouTube in 24 hours. Please join in! I'll be in chat to answer questions.

7

120

519

Andrey Konovalov

@andreyknvl

5 years

Slides for my "Coverage-guided USB Fuzzing with Syzkaller" talk @offensive_con

2019, OffensiveCon: Coverage-Guided USB Fuzzing with Syzkaller

Coverage-Guided USB Fuzzing with Syzkaller Andrey Konovalov OffensiveCon February 15th 2019

docs.google.com

3

142

321

Andrey Konovalov

@andreyknvl

2 years

Slides for "Sanitizing the Linux kernel: On KASAN and other Dynamic Bug-finding Tools", the talk I just gave at Linux Security Summit Europe 2022. Covers: 🐧 Generic KASAN implementation 🔥 Other Sanitizers 🗡 Extending KASAN and KMSAN to find more bugs

8

75

272

Andrey Konovalov

@andreyknvl

5 years

A set of Linux binary exploitation tasks for beginners for various architectures (x86, x86-64, arm, arm64, mips, mips64, ppc, ppc64, sparc64 on the way):

GitHub - xairy/easy-linux-pwn: A set of Linux binary exploitation tasks for beginners on various...

A set of Linux binary exploitation tasks for beginners on various architectures - xairy/easy-linux-pwn

github.com

1

127

266

Andrey Konovalov

@andreyknvl

5 years

A Linux kernel CTF task that relies on a double-fetch/data-race introduced by the compiler for exploitation:

TokyoWesterns CTF 2019 - gnote

I found this challenge from TokyoWesterns CTF to be especially interesting and refreshing. The format is that of a standard Linux kernel challenge: we are provided with a kernel image, filesystem,...

rpis.ec

4

100

263

Andrey Konovalov

@andreyknvl

7 years

Proof-of-Concept local root exploit for the double-free in Linux kernel DCCP implementation (CVE-2017-6074):

3

242

250

Andrey Konovalov

@andreyknvl

2 years

This is the first Linux-kernel-host-code-execution-over-USB exploit known to me. Awesome job! @jmartijnb @geistdana

Linux Kernel Security

@linkersec

2 years

Achieving Linux Kernel Code Execution Through a Malicious USB Device; by Martijn Bogaard @jmartijnb and Dana Geist @geistdana Slides:

3

124

315

4

55

236

Andrey Konovalov

@andreyknvl

2 years

If anyone who's around in Paris for @hexacon_fr wants to acquire a USB-Cereal adapter — hit me up. This adapter is a convenient replacement for the Android Debug Cable. Essentially splits the USB port into two: one with UART with kernel logs, the other is a pass-through for ADB.

6

39

222

Andrey Konovalov

@andreyknvl

3 years

Slides for my "Fuzzing the Linux kernel" talk at PHDays 2021. Roughly the same content as for the LF Mentorship talk, but organized differently.

2021, PHDays: Fuzzing the Linux kernel

Fuzzing the Linux kernel Andrey Konovalov, xairy.io May 20th 2021

docs.google.com

2

70

218

Andrey Konovalov

@andreyknvl

5 years

syzbot has started reporting bugs in the Linux kernel USB drivers that can be triggered by a malicious USB device:

3

85

194

Andrey Konovalov

@andreyknvl

3 years

I released an update to the collection of Linux kernel exploitation materials. Features work by @theflow0 , @chompie1337 , @a13xp0p0v , @tklengyel , @azz_maher , @pwningsystems , @0xGlider , @Markak_ , and others whom I failed to find on Twitter.

July/August updates · xairy/linux-kernel-exploitation@136d14d

github.com

4

51

179

Andrey Konovalov

@andreyknvl

7 years

Compiled together a bunch of links related to Linux kernel exploitation:

GitHub - xairy/linux-kernel-exploitation: A collection of links related to Linux kernel security...

A collection of links related to Linux kernel security and exploitation - xairy/linux-kernel-exploitation

github.com

0

114

176

Andrey Konovalov

@andreyknvl

4 years

Slides for my "Memory Tagging for the Kernel: Tag-Based KASAN" talk at Android Security Symposium:

2020, Android Security Symposium: Memory Tagging for the Kernel: Tag-Based KASAN

Memory Tagging for the Kernel: Tag-Based KASAN Andrey Konovalov Android Security Symposium July 7th 2020

docs.google.com

1

52

146

Andrey Konovalov

@andreyknvl

3 years

As of April 1st, I no longer work at Google. I decided to take a gap year and explore what's it like to work on my own. I'll still be doing kernel stuff, though, and keeping an eye out for KASAN/KCOV patches.

15

6

148

Andrey Konovalov

@andreyknvl

2 years

My "Fuzzing the Linux kernel" talk from PHDays 2021 is now available in text in both English and Russian. Thanks to folks from @XakepRU for transcribing and translating! English: Russian:

Распуши пингвина! Разбираем способы фаззинга ядра Linux

Последние пять лет я ищу уязвимости в ядре Linux с помощью фаззинга. За эти годы у меня скопилась коллекция ссылок и наработок. Сейчас я расскажу, какие есть способы фаззить ядро, и дам советы...

xakep.ru

4

39

145

Andrey Konovalov

@andreyknvl

6 years

Exploit for CVE-2017-18344: Details:

2

81

141

Andrey Konovalov

@andreyknvl

3 years

The cool part about eBPF-based rootkits is portability. A kernel module–based rootkit needs to be rebuilt when a new kernel is deployed.

4

36

138

Andrey Konovalov

@andreyknvl

4 years

Linux Kernel Runtime Guard (LKRG) bypass collection by Ilya Matveychikov, CC @Adam_pi3

GitHub - milabs/lkrg-bypass: LKRG bypass methods

LKRG bypass methods. Contribute to milabs/lkrg-bypass development by creating an account on GitHub.

github.com

2

61

135

Andrey Konovalov

@andreyknvl

4 years

Nice! FTR, Meltdown can still also be used on Linux to bypass KASLR by leaking some IDT entries.

Blue Frost Security

@bluefrostsec

4 years

Thought Meltdown was dead? See how @NicoEconomou revived it by leaking the KVA Shadow Mappings and breaking KASLR on latest Windows 10

4

99

183

2

37

128

Andrey Konovalov

@andreyknvl

4 years

A collection of Linux kernel KASLR bypasses made by @_bcoles

GitHub - bcoles/kasld: Kernel Address Space Layout Derandomization (KASLD) - A collection of...

Kernel Address Space Layout Derandomization (KASLD) - A collection of various techniques to infer the Linux kernel base virtual address as an unprivileged local user, for the purpose of bypassing K...

github.com

1

63

127

Andrey Konovalov

@andreyknvl

4 years

Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers by @haehyun_cho Slides: Video: Paper: CC @Glider

0

47

128

Andrey Konovalov

@andreyknvl

8 months

The "Randomized slab caches for kmalloc()" patch was merged into mainline. With CONFIG_RANDOM_KMALLOC_CACHES=y, each kmalloc cache is split into 16. kmalloc uses a random one for each allocation based on the code location. Choices change every reboot.

1

36

113

Andrey Konovalov

@andreyknvl

1 year

Updates for the Linux kernel exploitation collection.

September/October updates · xairy/linux-kernel-exploitation@69dc662

And a few November ones as well.

github.com

0

29

112

Andrey Konovalov

@andreyknvl

3 years

My LF Mentorship Series talk on Fuzzing the Linux kernel: Video: Slides: Thanks to everyone who attended and those who asked questions!

Mentorship Session: Fuzzing the Linux Kernel

www.youtube.com

0

39

113

Andrey Konovalov

@andreyknvl

5 years

An overview of existing approaches to USB fuzzing:

0

40

105

Andrey Konovalov

@andreyknvl

3 years

Healer, a kernel fuzzer inspired by syzkaller. Written in Rust. By .

GitHub - SunHao-0/healer: Kernel fuzzer inspired by Syzkaller.

Kernel fuzzer inspired by Syzkaller. Contribute to SunHao-0/healer development by creating an account on GitHub.

github.com

1

25

107

Andrey Konovalov

@andreyknvl

1 year

Looks like this issue is now called EntryBleed 😎 Btw, as known by those who have taken my training 😉, you can use SIDT to find out the address of IDT (on CPUs without UMIP), so you don't even need to brute-force.

Andrey Konovalov

@andreyknvl

4 years

Nice! FTR, Meltdown can still also be used on Linux to bypass KASLR by leaking some IDT entries.

2

37

128

1

21

103

Andrey Konovalov

@andreyknvl

3 years

Another batch of updates for the Linux kernel exploitation materials collection.

January/February updates · xairy/linux-kernel-exploitation@1dce3ec

github.com

0

29

103

Andrey Konovalov

@andreyknvl

4 years

Nice talk about CFI in the Linux kernel by @kees_cook Slides: Video:

"Control Flow Integrity in the Linux Kernel" - Kees Cook (LCA 2020)

Kees Cookhttps://lca2020.linux.org.au/schedule/presentation/84/Like all C/C++ programs, the Linux Kernel regularly suffers from memory corruption flaws. A co...

www.youtube.com

2

27

101

Andrey Konovalov

@andreyknvl

8 years

Wrote a PoC for Linux kernel KASLR bypass via timing prefetch. Inspired by a blogpost by @anders_fogh . PoC is here:

3

67

92

Andrey Konovalov

@andreyknvl

6 months

Instructions for enabling MTE for the kernel on Pixel 8 by @kees_cook . Do not require unlocking the bootloader.

1

33

92

Andrey Konovalov

@andreyknvl

3 years

Another update for the Linux kernel exploitation collection.

2

21

87

Andrey Konovalov

@andreyknvl

1 year

Authored 122 Linux kernel commits in 2022! 🥳 Almost all are KASAN/MTE-related: vmalloc tagging, better stack trace reporting for the tag-based modes, and various improvements for bug reporting and tests.

1

3

86

Andrey Konovalov

@andreyknvl

4 years

USB Raw Gadget (an interface that allows to emulate USB devices through the USB Gadget subsystem) has been merged into mainline:

4

29

85

Andrey Konovalov

@andreyknvl

2 years

Slides and video from my Fuzzing USB with Raw Gadget talk at @BSidesMunich . 🤖 Raw Gadget — a new interface for emulating USB devices 🪶 Fuzzing via virtual controllers 🔌 Reproducing bugs via Raspberry Pi Zero Slides: Video:

BSidesMunich 2022 Main stage

Live stream of the BSidesMunich 2022 main stageUse the Discord space for Q&A. See https://2022.bsidesmunich.org for more details.

www.youtube.com

1

30

85

Andrey Konovalov

@andreyknvl

2 years

Pushed an update for the Linux kernel exploitation collection.

March/April updates · xairy/linux-kernel-exploitation@654cfca

github.com

0

20

83

Andrey Konovalov

@andreyknvl

7 years

Started working on adding external USB fuzzing support to syzkaller =)

2

32

78

Andrey Konovalov

@andreyknvl

4 years

Implemented a PoC for disabling kernel lockdown on Ubuntu via a keyboard emulated through USB/IP, CC @mjg59

GitHub - xairy/unlockdown: Disabling kernel lockdown on Ubuntu without physical access

Disabling kernel lockdown on Ubuntu without physical access - xairy/unlockdown

github.com

2

27

81

Andrey Konovalov

@andreyknvl

8 years

CVE-2016-2384: arbitrary code execution due to a double-free in the usb-midi linux kernel driver

CVE-2016-2384: Exploiting a double-free in the USB-MIDI Linux kernel driver

× The content has been moved to https://xairy.io/articles/cve-2016-2384

xairy.github.io

1

81

77

Andrey Konovalov

@andreyknvl

4 years

Yet another memory corruption in Linux kernel packet sockets, CVE-2020-14386, by @0xorco .

0

34

76

Andrey Konovalov

@andreyknvl

4 years

Additions to the Linux kernel exploitation materials collection from the last few months.

Summer updates · xairy/linux-kernel-exploitation@01cbfb0

github.com

0

22

72

Andrey Konovalov

@andreyknvl

4 months

A few of my Exploiting the Linux Kernel training sessions for this year are now public 🥳 Unlike in the last year, these sessions are solely focused on exploitation. So no KASAN or syzkaller but more hardcore exploits 😎 See the list below 👇

2

13

69

Andrey Konovalov

@andreyknvl

9 months

Realized it was KASAN's 10th birthday a few days ago 🥳 On August 5th 2013, a fix for the very first Linux kernel bug both me and KASAN found was committed to the mainline. I suppose it's reasonable to consider that date the birthday 😄

3

11

71

Andrey Konovalov

@andreyknvl

4 years

Gonna join @a13xp0p0v 's party :) All of my Linux kernel security related talks, articles, exploits, etc. are listed here:

About

Linux kernel • Binary exploitation • Hardware hacking

xairy.github.io

0

19

70

Andrey Konovalov

@andreyknvl

2 years

A bit delayed due to holidays, but here's another update for the Linux kernel exploitation collection.

November/December updates · xairy/linux-kernel-exploitation@bf13e7e

And a couple of January ones too.

github.com

0

20

66

Andrey Konovalov

@andreyknvl

4 years

Posted a patchset that adds Hardware Tag-Based KASAN mode, that is based on arm64 Memory Tagging Extension:

2

22

65

Andrey Konovalov

@andreyknvl

2 years

Each of the Linux kernel Sanitizers now has an out-of-tree home page. Mostly, they contain links to kernel documentation, but putting them together gives a nice overview of what Sanitizers there are and what they do.

Linux Kernel Sanitizers

Linux Kernel Sanitizers, fast bug-detectors for the Linux kernel

google.github.io

1

24

65

Andrey Konovalov

@andreyknvl

1 year

On May 22–25th, I'll be delivering a 4-day "Attacking the Linux Kernel" training at @offensive_con in Berlin. Covers KASAN, syzkaller, and writing exploits. See the training page for details 😋

offensivecon

@offensive_con

1 year

Attacking the Linux Kernel by @andreyknvl

0

3

7

2

9

64

Andrey Konovalov

@andreyknvl

2 months

Updates for the Linux kernel exploitation collection 😋

January/February updates · xairy/linux-kernel-exploitation@3e74a5a

github.com

0

14

62

Andrey Konovalov

@andreyknvl

3 years

A short blog post about implementing syntax highlighting of syzkaller descriptions for GitHub Pages.

2

8

59

Andrey Konovalov

@andreyknvl

2 years

On December 5–6th, I'll be delivering a 2-day "Attacking the Linux Kernel" training at Black Hat Europe in London. Super excited, first time I'm delivering a training at a major international conference 🥳 @BlackHatEvents #BHEU

1

9

58

Andrey Konovalov

@andreyknvl

4 years

Additions to the Linux kernel exploitation materials collection from the last couple of months:

September/October updates · xairy/linux-kernel-exploitation@bedc708

github.com

0

19

58

Andrey Konovalov

@andreyknvl

3 years

And the video is live! You can find the slides here:

1

21

57

Andrey Konovalov

@andreyknvl

4 years

Linux kernel 5.5 includes kcov extension that allows to collect code coverage from background kernel threads:

0

20

57

Andrey Konovalov

@andreyknvl

3 years

Recent additions to the Linux kernel exploitation materials collection.

May/June updates · xairy/linux-kernel-exploitation@9712109

github.com

0

15

55

Andrey Konovalov

@andreyknvl

4 months

0-day KASLR bypass for Debian/Ubuntu kernels by @p1k4l4 😋

bcoles

@_bcoles

4 months

Nice #KASLR break by @p1k4l4 for x86_64 kernels with Xen support (Debian and Ubuntu by default). Xen symbols are included in the kernel ELF .notes section and exposed world readable via SysFS (/sys/kernel/notes) since 2007 (pre-KASLR). Added to KASLD:

1

7

29

2

5

54

Andrey Konovalov

@andreyknvl

2 years

On May 16th, I'll be giving a talk about fuzzing Linux kernel USB drivers via Raw Gadget and syzkaller at @BSidesMunich . If you're in Munich, come join in person. The last batch of conference tickets should go live on Monday, April 25th, at 20:00 CET.

1

9

54

Andrey Konovalov

@andreyknvl

1 year

Attacking the Linux Kernel at Zer0Con in Seoul on April 9–12th. The first 4-day training session I'll be delivering this year 🥳 Covers: 🐞 Analyzing bugs with KASAN 🔍 Fuzzing with syzkaller 🗡 Writing privilege escalation exploits More details:

POC_Crew 👨‍👩‍👦‍👦

@POC_Crew

1 year

[Zer0Con2023 Training] - "On-Spot, 4days course" Andrey Konovalov( @andreyknvl ), "Attacking the Linux Kernel - Advanced" Register: #Zer0con2023

0

3

19

0

7

52

Andrey Konovalov

@andreyknvl

4 years

Posted the next bunch of Linux kernel USB CVEs on oss-security:

0

14

51

Andrey Konovalov

@andreyknvl

3 years

A new batch of updates for the Linux kernel security materials collection.

March/April updates · xairy/linux-kernel-exploitation@c946d3b

github.com

1

10

47

Andrey Konovalov

@andreyknvl

11 months

Great example of reusing KASAN shadow memory to build a new type of a bug detector! Full paper: I think we can add similar simpler checks to KASAN itself; filed a bug for this:

VUSec

@vu5ec

11 months

Our uncontained paper @USENIXSecurity is online! Find out how the Linux kernel is the "container of" several type confusion bugs, detected by our sanitizer & static analyzer. Joint work by @JakobKoschel @borrello_pietro @dcdelia @herbertbos @c_giuffrida :

0

49

139

1

6

48

Andrey Konovalov

@andreyknvl

2 years

Updates to the Linux kernel exploitation collection from the last two months.

May/June updates · xairy/linux-kernel-exploitation@7d7653a

github.com

0

8

46

Andrey Konovalov

@andreyknvl

4 years

Updated yet again

GitHub - xairy/linux-kernel-exploitation: A collection of links related to Linux kernel security...

A collection of links related to Linux kernel security and exploitation - xairy/linux-kernel-exploitation

github.com

0

18

44

Andrey Konovalov

@andreyknvl

1 year

Updates for the Linux kernel exploitation collection.

March/April updates · xairy/linux-kernel-exploitation@5ec0dd2

github.com

0

5

45

Andrey Konovalov

@andreyknvl

3 years

Apparently, I authored 84 Linux kernel commits last year (KASAN, kcov, USB) — a personal record for me :)

0

43

Andrey Konovalov

@andreyknvl

5 years

Using KASAN and syzkaller to fuzz the XNU kernel

panicall

@panicaII

5 years

Please get the slides from BHEU here: Or you can get ppt + poc here:

1

26

78

1

15

43

Andrey Konovalov

@andreyknvl

2 years

And merged! Over 60 patches, combined with a few clean-ups. Memory Tagging–based KASAN can now prevent malicious accesses to non-executable vmalloc allocations.

Andrey Konovalov

@andreyknvl

2 years

Posted v1 of the patch series that adds vmalloc tagging support to Memory Tagging–based KASAN. This will prevent certain types of vmalloc-out-of-bounds bugs on MTE-enabled devices.

0

8

35

2

4

43

Andrey Konovalov

@andreyknvl

8 months

Updates for the Linux kernel exploitation collection.

July/August updates · xairy/linux-kernel-exploitation@9221d36

github.com

0

6

42

Andrey Konovalov

@andreyknvl

7 months

Looks like Apple is getting ready for MTE 😃 No MTE instructions in the XNU code just yet, but there is an obscure reference to more potential implementations of their memory tagging interface besides TBI-based KASAN.

matteyeux

@matteyeux

8 months

What could be a tagged address 🫣

1

25

1

6

41

Andrey Konovalov

@andreyknvl

4 years

Getting closer to having production-ready Memory Tagging in the kernel, posted another patchset that adds boot parameters to control some KASAN features:

0

9

42

Andrey Konovalov

@andreyknvl

4 years

Did an "Introduction to USB hacking" stream on Sunday (USB 101, BadUSB, Facedancer, Linux Gadget, fuzzing, sniffing). The stream was in Russian, but the slides and other materials are in English:

1

14

41

Andrey Konovalov

@andreyknvl

11 months

My next 4-day "Attacking the Linux Kernel" training will be at @HITBSecConf Phuket on August 21–24th 😎 Covers KASAN, syzkaller, and exploitation. See the training page for details 🧐 Promo code for a discount: 2Q1K-ALKT-QHGL

0

10

42

Andrey Konovalov

@andreyknvl

3 years

Christmas updates for Linux kernel exploitation materials. Happy holidays!

November/December updates · xairy/linux-kernel-exploitation@fc90834

github.com

0

11

40

Andrey Konovalov

@andreyknvl

1 year

Updates for the Linux kernel exploitation collection.

January/February updates · xairy/linux-kernel-exploitation@072111e

github.com

0

6

39

Andrey Konovalov

@andreyknvl

1 year

Updates for the Linux kernel exploitation collection.

November/December updates · xairy/linux-kernel-exploitation@938abc1

github.com

0

9

38

Andrey Konovalov

@andreyknvl

3 months

syzkaller snippets highlighting has been finally picked up by GitHub Pages 🥳 syzkaller added a few new syzlang features since I implemented this, so snippets with those will not be highlighted properly. But the basic support is there. Demo:

Demo for syzkaller snippets highlighting

See 🌈 Highlighting syzkaller descriptions syntax with Rouge for details.

xairy.github.io

Andrey Konovalov

@andreyknvl

3 years

TL;DR: I implemented syzlang syntax highlighting based on Rouge, the default highlighter used by GitHub Pages. Here's a demo:

1

3

10

1

11

39

Andrey Konovalov

@andreyknvl

6 years

Linux kernel: CVE-2017-18344: arbitrary-read vulnerability in the timer subsystem

0

28

37

Andrey Konovalov

@andreyknvl

4 years

Things Not to Do When Using an IOMMU by Ilja van Sprundel & Joseph Tartaro. Includes examples of bugs in Linux kernel DMA-based drivers.

Things not to do when using an IOMMU | Ilja van Sprundel & Joseph...

Hardwear.io Security Conference Netherlands 2020Talk Title:Things not to do when using an IOMMUAbstract:Back in the old days, when devices wanted to share da...

www.youtube.com

0

10

36

Andrey Konovalov

@andreyknvl

5 years

15 more CVEs (2 still not fixed :) in Linux kernel USB drivers found with syzkaller:

0

11

35

Andrey Konovalov

@andreyknvl

3 years

"eBPF, I thought we were friends!" by Guillaume Fournier and Sylvain Afchain Video: Slides:

DEF CON 29 - Guillaume Fournier, Sylvain Afchain, Sylvain Baubeau -...

Since its first appearance in Kernel 3.18, eBPF (Extended Berkley Packet Filter) has progressively become a key technology for observability in the Linux ker...

www.youtube.com

1

6

37

Andrey Konovalov

@andreyknvl

3 years

I was at Google for 5 years, and I had a chance to work on many aspects of kernel security: bug detectors, fuzzers, exploits, mitigations. Many thanks to my team, it was an outstanding experience! @kayseesee @dvyukov @0xGlider @maelver

1

2

36

Andrey Konovalov

@andreyknvl

4 years

When you add new descriptions for some subsystem into syzkaller (in this case for fuzzing ath9k driver over USB):

1

7

35

Andrey Konovalov

@andreyknvl

2 years

Posted v1 of the patch series that adds vmalloc tagging support to Memory Tagging–based KASAN. This will prevent certain types of vmalloc-out-of-bounds bugs on MTE-enabled devices.

0

8

35

Andrey Konovalov

@andreyknvl

4 months

Updates for the Linux kernel exploitation collection 😋

November/December updates · xairy/linux-kernel-exploitation@5e443a8

github.com

0

3

34

Andrey Konovalov

@andreyknvl

3 months

syzkaller descriptions now have support for conditional fields 👍 This is when a structure field (or a union option) is only present when the value of another field satisfies a specified condition. Documentation:

0

5

35

Andrey Konovalov

@andreyknvl

1 year

Heads-up for KASAN users: starting with 6.3, bad accesses via memcpy, memmove, or memset are not detected on x86 [1] unless you build the kernel with Clang 15+ or not-yet-released GCC 13.1+ [2]. [1] [2]

0

10

34

Andrey Konovalov

@andreyknvl

3 months

The overall process included fiddling with Linux kernel drivers, xHCI, DWC3, ACPI, BIOS/UEFI, Boot Guard, TPM, NVRAM, PCH, PMC, PSF, IOSF, and P2SB, and making a custom USB cable 😱

2

4

33

Andrey Konovalov

@andreyknvl

2 years

The exploit is based on the bug I found a few years ago. However, my exploit required cooperating userspace, so it didn't really count. Happy to see a purely USB one!

1

2

31

Andrey Konovalov

@andreyknvl

2 years

Commit: fuse: fix pipe buffer lifetime for direct_io Description: bad splice'ing into a pipe from fuse Reported-by: @tehjh Fixes: commit from 2010 Hmm... Dirty Fused Pipe? :)

1

8

29

Andrey Konovalov

@andreyknvl

2 years

We're working on a less expensive edition with , but it's not fully ready at the moment. Here's a teaser nevertheless:

0

31

Andrey Konovalov

@andreyknvl

6 months

Updates for the Linux kernel exploitation collection.

September/October updates · xairy/linux-kernel-exploitation@ad1e940

github.com

0

4

30

Andrey Konovalov

@andreyknvl

3 years

Tomorrow (March 2nd) at 16:30 CET (7:30 PST) I'll be mentoring a @linuxfoundation webinar session: Fuzzing Linux Kernel Agenda: kernel fuzzing overview, approaches, and tips.

Mentorship Session: Fuzzing Linux Kernel | LF Events

A complimentary live mentorship session that connects subject matter experts with attendees through a live webinar and Q&A session.

events.linuxfoundation.org

0

8

31

Andrey Konovalov

@andreyknvl

2 years

As an update to this: I'll continue working on KASAN/MTE (which you might have noticed I already do if you monitor KASAN patches :) & supporting Google as a part-time external consultant for the foreseeable future.

Andrey Konovalov

@andreyknvl

3 years

As of April 1st, I no longer work at Google. I decided to take a gap year and explore what's it like to work on my own. I'll still be doing kernel stuff, though, and keeping an eye out for KASAN/KCOV patches.

15

6

148

0

1

30

Andrey Konovalov

@andreyknvl

5 years

Reported-by: syzbot =)

Maddie Stone

@maddiestone

5 years

Kernel privilege escalation bug in Android affecting fully patched Pixel 2 & others. Reported under 7 day deadline due to evidence of in-the-wild exploit. @tehjh and I quickly wrote a POC to get arbitrary kernel r/w using this bug, released in tracker.

20

424

943

0

3

30

Andrey Konovalov

@andreyknvl

3 years

Includes an exploit that obtains a kernel read/write/execute primitive: