Please hit me up if you want a 15% discount voucher for the Exploiting the Linux Kernel training session at RomHack in September. I have a few, valid only until the end of this week.
WTF, @github is planning to ban me.
No idea why. Hosting proof-of-concept code? Having given talks at Russian conferences? Holding a Russian passport (even though I've been a German resident for the last 6 years)? No meaningful explanation given.
Any good decentralized githubs yet?
Wrote an article about #fuzzing the Linux kernel network stack externally with #syzkaller.
The article covers:
🧰 Introduction to syzkaller
💉 Using TUN/TAP for packet injection
👽 Integrating TUN/TAP via pseudo-syscalls
🏆 Showcases of found bugs
Wrote an article about turning a ThinkPad X1 Carbon 6th Gen laptop into a programmable USB device by enabling the xDCI controller 😯
Now I can emulate USB devices from the laptop without external hardware, including via Raw Gadget or even Facedancer 😁
Memory tagging is coming to kill all of your favorite Linux kernel exploits.
I'll be premiering my "Mitigating Linux kernel memory corruptions with Arm Memory Tagging" LSS talk on YouTube in 24 hours. Please join in! I'll be in chat to answer questions.
Slides for "Sanitizing the Linux kernel: On KASAN and other Dynamic Bug-finding Tools", the talk I just gave at Linux Security Summit Europe 2022.
Covers:
🐧 Generic KASAN implementation
🔥 Other Sanitizers
🗡 Extending KASAN and KMSAN to find more bugs
A set of Linux binary exploitation tasks for beginners for various architectures (x86, x86-64, arm, arm64, mips, mips64, ppc, ppc64, sparc64 on the way):
If anyone who's around in Paris for @hexacon_fr wants to acquire a USB-Cereal adapter — hit me up.
This adapter is a convenient replacement for the Android Debug Cable. It essentially splits the USB port into two: one carries a UART with kernel logs, the other is a pass-through for ADB.
As of April 1st, I no longer work at Google. I decided to take a gap year and explore what it's like to work on my own.
I'll still be doing kernel stuff, though, and keeping an eye out for KASAN/KCOV patches.
My "Fuzzing the Linux kernel" talk from PHDays 2021 is now available in text in both English and Russian.
Thanks to folks from @XakepRU for transcribing and translating!
English:
Russian:
The "Randomized slab caches for kmalloc()" patch was merged into mainline.
With CONFIG_RANDOM_KMALLOC_CACHES=y, each kmalloc cache is split into 16. kmalloc uses a random one for each allocation based on the code location. Choices change every reboot.
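A user-space model of the per-call-site cache selection described above, added here as an illustration (it is not kernel code): the cache index is a hash of the caller address combined with a seed that the kernel draws once per boot; the hash constant follows the kernel's hash_64() style, and the seeds and site addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define CACHE_BITS 4   /* 16 caches per size class: a 4-bit index */
#define GOLDEN_RATIO_64 0x61C8864680B583EBull

/* Cache index for an allocation from code address `caller` on a boot
 * with random seed `boot_seed`: a multiplicative hash in the style of the
 * kernel's hash_64(), keeping the top CACHE_BITS bits as the bucket. */
uint32_t pick_cache(uint64_t caller, uint64_t boot_seed)
{
	return (uint32_t)(((caller ^ boot_seed) * GOLDEN_RATIO_64) >> (64 - CACHE_BITS));
}

/* Constructed sample allocation sites: fake kernel text addresses. */
uint64_t sample_site(unsigned i)
{
	return 0xffffffff81000000ull + 16ull * i;
}

/* Sites among the first n whose objects can share a slab with site 0's. */
unsigned sites_sharing_cache(unsigned n, uint64_t boot_seed)
{
	uint32_t target = pick_cache(sample_site(0), boot_seed);
	unsigned shared = 0;
	for (unsigned i = 0; i < n; i++)
		if (pick_cache(sample_site(i), boot_seed) == target)
			shared++;
	return shared;
}

/* Sites that move to a different cache when the seed changes ("reboot"). */
unsigned sites_remapped(unsigned n, uint64_t seed_a, uint64_t seed_b)
{
	unsigned moved = 0;
	for (unsigned i = 0; i < n; i++)
		if (pick_cache(sample_site(i), seed_a) != pick_cache(sample_site(i), seed_b))
			moved++;
	return moved;
}

int main(void)
{
	uint64_t a = 0x1234567890abcdefull, b = 0xfedcba0987654321ull; /* constructed seeds */
	printf("boot A: %u/64 sites share a cache with site 0\n", sites_sharing_cache(64, a));
	printf("reboot: %u/64 sites moved to another cache\n", sites_remapped(64, a, b));
	return 0;
}
```

Only objects allocated from sites that hash to the same cache can end up adjacent in a slab, which is what narrows heap-spray and overflow-into-neighbour scenarios, and the mapping is reshuffled on every boot.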
Looks like this issue is now called EntryBleed 😎
Btw, as known by those who have taken my training 😉, you can use SIDT to find out the address of the IDT (on CPUs without UMIP), so you don't even need to brute-force.
Authored 122 Linux kernel commits in 2022! 🥳
Almost all are KASAN/MTE-related: vmalloc tagging, better stack trace reporting for the tag-based modes, and various improvements for bug reporting and tests.
Slides and video from my Fuzzing USB with Raw Gadget talk at @BSidesMunich.
🤖 Raw Gadget — a new interface for emulating USB devices
🪶 Fuzzing via virtual controllers
🔌 Reproducing bugs via Raspberry Pi Zero
Slides:
Video:
A few of my Exploiting the Linux Kernel training sessions for this year are now public 🥳
Unlike last year, these sessions are solely focused on exploitation. So no KASAN or syzkaller, but more hardcore exploits 😎
See the list below 👇
Realized it was KASAN's 10th birthday a few days ago 🥳
On August 5th 2013, a fix for the very first Linux kernel bug that both KASAN and I found was committed to the mainline. I suppose it's reasonable to consider that date the birthday 😄
Each of the Linux kernel Sanitizers now has an out-of-tree home page. Mostly, they contain links to kernel documentation, but putting them together gives a nice overview of what Sanitizers there are and what they do.
On May 22–25th, I'll be delivering a 4-day "Attacking the Linux Kernel" training at @offensive_con in Berlin.
Covers KASAN, syzkaller, and writing exploits. See the training page for details 😋
On December 5–6th, I'll be delivering a 2-day "Attacking the Linux Kernel" training at Black Hat Europe in London.
Super excited, first time I'm delivering a training at a major international conference 🥳
@BlackHatEvents #BHEU
Nice #KASLR break by @p1k4l4 for x86_64 kernels with Xen support (Debian and Ubuntu by default).
Xen symbols are included in the kernel ELF .notes section and exposed world-readable via sysfs (/sys/kernel/notes) since 2007 (pre-KASLR).
Added to KASLD:
On May 16th, I'll be giving a talk about fuzzing Linux kernel USB drivers via Raw Gadget and syzkaller at @BSidesMunich.
If you're in Munich, come join in person. The last batch of conference tickets should go live on Monday, April 25th, at 20:00 CET.
Attacking the Linux Kernel at Zer0Con in Seoul on April 9–12th. The first 4-day training session I'll be delivering this year 🥳
Covers:
🐞 Analyzing bugs with KASAN
🔍 Fuzzing with syzkaller
🗡 Writing privilege escalation exploits
More details:
Great example of reusing KASAN shadow memory to build a new type of bug detector!
Full paper:
I think we can add similar simpler checks to KASAN itself; filed a bug for this:
And merged! Over 60 patches, combined with a few clean-ups. Memory Tagging–based KASAN can now prevent malicious accesses to non-executable vmalloc allocations.
Posted v1 of the patch series that adds vmalloc tagging support to Memory Tagging–based KASAN. This will prevent certain types of vmalloc-out-of-bounds bugs on MTE-enabled devices.
Looks like Apple is getting ready for MTE 😃
No MTE instructions in the XNU code just yet, but there is an obscure reference to more potential implementations of their memory tagging interface besides TBI-based KASAN.
Getting closer to having production-ready Memory Tagging in the kernel, posted another patchset that adds boot parameters to control some KASAN features:
Did an "Introduction to USB hacking" stream on Sunday (USB 101, BadUSB, Facedancer, Linux Gadget, fuzzing, sniffing). The stream was in Russian, but the slides and other materials are in English:
My next 4-day "Attacking the Linux Kernel" training will be at @HITBSecConf Phuket on August 21–24th 😎
Covers KASAN, syzkaller, and exploitation. See the training page for details 🧐
Promo code for a discount: 2Q1K-ALKT-QHGL
syzkaller snippets highlighting has finally been picked up by GitHub Pages 🥳
syzkaller added a few new syzlang features since I implemented this, so snippets with those will not be highlighted properly. But the basic support is there.
Demo:
I was at Google for 5 years, and I had a chance to work on many aspects of kernel security: bug detectors, fuzzers, exploits, mitigations. Many thanks to my team, it was an outstanding experience!
@kayseesee @dvyukov @0xGlider @maelver
syzkaller descriptions now have support for conditional fields 👍
This is when a structure field (or a union option) is only present when the value of another field satisfies a specified condition.
Documentation:
Heads-up for KASAN users: starting with 6.3, bad accesses via memcpy, memmove, or memset are not detected on x86 [1] unless you build the kernel with Clang 15+ or not-yet-released GCC 13.1+ [2].
[1]
[2]
The overall process included fiddling with Linux kernel drivers, xHCI, DWC3, ACPI, BIOS/UEFI, Boot Guard, TPM, NVRAM, PCH, PMC, PSF, IOSF, and P2SB, and making a custom USB cable 😱
The exploit is based on the bug I found a few years ago. However, my exploit required cooperating userspace, so it didn't really count. Happy to see a purely USB one!
Commit: fuse: fix pipe buffer lifetime for direct_io
Description: bad splice'ing into a pipe from fuse
Reported-by: @tehjh
Fixes: commit from 2010
Hmm... Dirty Fused Pipe? :)
Tomorrow (March 2nd) at 16:30 CET (7:30 PST) I'll be mentoring a @linuxfoundation webinar session: Fuzzing Linux Kernel
Agenda: kernel fuzzing overview, approaches, and tips.
As an update to this: I'll continue working on KASAN/MTE (which you might have noticed I already do if you monitor KASAN patches :) and supporting Google as a part-time external consultant for the foreseeable future.
As of April 1st, I no longer work at Google. I decided to take a gap year and explore what it's like to work on my own.
I'll still be doing kernel stuff, though, and keeping an eye out for KASAN/KCOV patches.
Kernel privilege escalation bug in Android affecting fully patched Pixel 2 & others. Reported under a 7-day deadline due to evidence of an in-the-wild exploit.
@tehjh and I quickly wrote a POC to get arbitrary kernel r/w using this bug, released in the tracker.