Kernel-Security-Learning
Anything about kernel security: CTF kernel pwn and kernel exploitation, kernel fuzzing and kernel defense papers, kernel debugging techniques, and kernel CVE debugging.
Continuously updated...
1. CTF
- A first look at Linux kernel exploitation (1): environment setup
- A first look at Linux kernel exploitation (2): demo-null_dereference
- A first look at Linux kernel exploitation (3): demo-stack_overflow
- 【Linux kernel exploitation】QWB 2018 core: stack overflow
- 【Linux kernel exploitation】CISCN 2017 babydriver: UAF vulnerability
- 【Linux kernel exploitation】0CTF 2018 baby: double fetch
- 【Linux kernel exploitation】QWB 2018 solid_core: arbitrary read/write
- 【Linux kernel exploitation】StringIPC: three ways from arbitrary read/write to privilege escalation
- 【Linux kernel exploitation】STARCTF 2019 hackme: summary of call_usermodehelper privilege-escalation path variables
- 【Linux kernel exploitation】WCTF 2018 klist: race UAF with pipe heap spray
- 【Linux kernel exploitation】TokyoWesterns CTF 2019 gnote: double fetch
- 【Linux kernel userfaultfd usage】Balsn CTF 2019 - KrazyNote
- Linux kernel privilege escalation tutorial series (1): heap spraying with sendmsg and msgsend
- Linux kernel privilege escalation tutorial series (2): four ways from arbitrary address read/write to privilege escalation
- Linux kernel privilege escalation tutorial series (3): uninitialized stack variable vulnerabilities
- 【Linux kernel exploitation】the ret2dir exploitation method
- 【Kernel exploitation】bypassing the CONFIG_SLAB_FREELIST_HARDENED protection: two solutions to kernoob
- 【Exploit trick】arbitrary address read/write via the msg_msg structure in the Linux kernel
- 【Exploit trick】cross-cache exploitation targeting the cred structure (corCTF 2022 cache-of-castaways)
- 【Exploit trick】constructing an arbitrary kmalloc-32 free with poll_list objects (corCTF 2022 CoRJail)
2. Paper
(1) kernel exploit
- 2014-USENIX:ret2dir: Rethinking Kernel Isolation
- 2015-CCS:From collision to exploitation_ Unleashing Use-After-Free vulnerabilities in Linux Kernel
- 2016-CCS:Prefetch Side-Channel Attacks - Bypassing SMAP and Kernel ASLR
- 2016-CCS:Breaking Kernel Address Space Layout Randomization with Intel TSX
- 2017-CCS:SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits
- 2017-NDSS:Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying — 【note】
- 2018-USENIX:FUZE-Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities — 【note】【tool-FUZE】
- 2019-USENIX:KEPLER-Facilitating Control-flow Hijacking Primitive Evaluation for Linux Kernel Vulnerabilities — 【note】【tool-KEPLER】
- 2019-CCS:SLAKE-Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel — 【note】【tool-SLAKE】
- 2020-USENIX:KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities — 【note】【note2】【tool-KOOBE】
- 2020-CCS:A Systematic Study of Elastic Objects in Kernel Exploitation — 【note】【note2】【tool-ELOISE】
- 2020-WOOT:Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers
- 2021-USENIX:ExpRace: Exploiting Kernel Races through Raising Interrupts — 【note】
- 2021-CCS:Demons in the Shared Kernel: Abstract Resource Attacks Against OS-level Virtualization — 【note】
- 2022-USENIX:SyzScope: Revealing High-Risk Security Impacts of Fuzzer-Exposed Bugs in Linux kernel — 【toolSyzScope】
- 2022-USENIX:Playing for K(H)eaps: Understanding and Improving Linux Kernel Exploit Reliability — 【note】
- 2022-S&P:GREBE: Unveiling Exploitation Potential for Linux Kernel Bugs — 【tool-GREBE】
- 2022-NDSS:Kasper: Scanning for Generalized Transient Execution Gadgets in the Linux Kernel
- 2022-CCS:DirtyCred: Escalating Privilege in Linux Kernel — 【note】
- 2023-USENIX:PSPRAY: Timing Side-Channel based Linux Kernel Heap Exploitation Technique — 【note】 【note2】
- 2023-S&P:AEM: Facilitating Cross-Version Exploitability Assessment of Linux Kernel Vulnerabilities — 【note】
- 2023-S&P:When Top-down Meets Bottom-up: Detecting and Exploiting Use-After-Cleanup Bugs in Linux Kernel — 【note】 【note2】
(2) kernel vulnerability detection
- 2012-OSDI:Improving integer security for systems with KINT
- 2014-Black Hat:QSEE TrustZone Kernel Integer Overflow
- 2014-USENIX:Static Analysis of Variability in System Software - The 90,000 #ifdefs Issue
- 2014-OSDI:SKI:Exposing Kernel Concurrency Bugs through Systematic Schedule Exploration
- 2015-SOSP:Cross-checking semantic correctness: The case of finding file system bugs — 【tool-JUXTA】
- 2016-USENIX:UniSan-Proactive Kernel Memory Initialization to Eliminate Data Leakages — 【note】【tool-unisan】
- 2016-USENIX:APISan: Sanitizing API Usages through Semantic Cross-Checking — 【tool-apisan】
- 2017-EUROSYS:DangSan - Scalable Use-after-free Detection — 【tool-dangsan】
- 2017-USENIX-ATC:CAB-Fuzz: Practical Concolic Testing Techniques for COTS Operating Systems
- 2017-CCS:DIFUZE-Interface Aware Fuzzing for Kernel Drivers — 【note】【tool-difuze】
- 2017-USENIX:Digtool - A Virtualization-Based Framework for Detecting Kernel Vulnerabilities — 【note】【note2】【note3】【note4】
- 2017-USENIX:How Double-Fetch Situations turn into Double-Fetch Bugs — 【note】【tool】
- 2017-USENIX:DR. CHECKER- A Soundy Analysis for Linux Kernel Drivers — 【tool-dr_checker】
- 2017-USENIX:kAFL- Hardware-Assisted Feedback Fuzzing for OS Kernels — 【note】【tool-kAFL】
- 2018-S&P:DEADLINE-Precise and Scalable Detection of Double-Fetch Bugs in OS Kernels — 【note】【note2】【note3】【tool-DEADLINE】
- 2018-CCS:Check It Again- Detecting Lacking-Recheck Bugs in OS Kernels — 【note】【note2】【tool-LRSan】
- 2018-USENIX:MoonShine:Optimizing OS Fuzzer Seed Selection with Trace Distillation — 【note】【note2】【tool-moonshine】
- 2018-NDSS:K-Miner: Uncovering Memory Corruption in Linux — 【note】【note2】【tool-K-Miner】
- 2019-S&P:Razzer:Finding Kernel Race Bugs through Fuzzing — 【note】【note2】【note3】【tool-razzer】
- 2019-WOOT-Workshop:Unicorefuzz- On the Viability of Emulation for Kernelspace Fuzzing — 【tool-unicorefuzz】
- 2019-FSE:Detecting Concurrency Memory Corruption Vulnerabilities — 【tool-CONVUL】
- 2019-S&P:Fuzzing File Systems via Two-Dimensional Input Space Exploration — 【note】 【note2】【tool-JANUS】
- 2019-USENIX:Detecting Missing-Check Bugs via Semantic- and Context-Aware Criticalness and Constraints Inferences — 【tool-CRIX】
- 2019-USENIX-ATC:Effective Static Analysis of Concurrency Use-After-Free Bugs in Linux Device Drivers — 【note】
- 2019-NDSS:PeriScope:An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary — 【note】【tool-periscope】
- 2018-USENIX-ATC:DSAC: Effective Static Analysis of Sleep-in-Atomic-Context Bugs in Kernel Modules
- 2020-TOCS:Effective Detection of Sleep-in-atomic-context Bugs in the Linux Kernel
- 2020-NDSS:HFL: Hybrid Fuzzing on the Linux Kernel — 【note】【note2】【note3】
- 2020-S&P:Krace: Data Race Fuzzing for Kernel File Systems — 【note】
- 2020-USENIX:Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints — presentation
- 2020-USENIX:Muzz: Thread-aware Grey-box Fuzzing for Effective Bug Hunting in Multithreaded Programs — 【note】
- 2020-CCS:Exaggerated Error Handling Hurts! An In-Depth Study and Context-Aware Detection —【note】
- 2020-FSE:UBITect: A Precise and Scalable Method to Detect Use-Before-Initialization Bugs in Linux Kernel — 【note】
- 2020-LPC:KCSAN-Data-race detection in the Linux kernel
- 2021-NDSS:Detecting Kernel Memory Leaks in Specialized Modules With Ownership Reasoning — 【note】
- 2021-NDSS:KUBO: Precise and Scalable Detection of User-triggerable Undefined Behavior Bugs in OS Kernel — 【note】
- 2021-USENIX:Detecting Kernel Refcount Bugs with Two-Dimensional Consistency Checking — 【note】
- 2021-USENIX:Understanding and Detecting Disordered Error Handling with Precise Function Pairing — 【note】
- 2021-USENIX:An Analysis of Speculative Type Confusion Vulnerabilities in the Wild
- 2021-USENIX:Static Detection of Unsafe DMA Accesses in Device Drivers — 【note】
- 2021-CCS:Statically Discovering High-Order Taint Style Vulnerabilities in OS Kernels — 【note】 【note2】
- 2021-CCS:Detecting Missed Security Operations Through Differential Checking of Object-based Similar Paths — 【note】
- 2021-SOSP:HEALER: Relation Learning Guided Kernel Fuzzing — 【tool-healer】 【note】 【note2】 【note3】
- 2021-S&P:A Novel Dynamic Analysis Infrastructure to Instrument Untrusted Execution Flow Across User-Kernel Spaces
- 2022-NDSS:An In-depth Analysis of Duplicated Linux Kernel Bug Reports
- 2022-NDSS:Progressive Scrutiny-Incremental Detection of UBI bugs in the Linux Kernel — 【note】
- 2022-NDSS:Semantic-Informed Driver Fuzzing Without Both the Hardware Devices and the Emulators — 【note】 【note2】
- 2022-USENIX:LinKRID: Vetting Imbalance Reference Counting in Linux kernel with Symbolic Execution — 【note】 【note2】
- 2022-USENIX:OS-Aware Vulnerability Prioritization via Differential Severity Analysis
- 2023-NDSS:No Grammar, No Problem: Towards Fuzzing the Linux Kernel without System-Call Descriptions
- 2023-USENIX:FirmSolo: Enabling dynamic analysis of binary Linux-based IoT kernel modules — 【note】
- 2023-S&P:SyzDescribe: Principled, Automated, Static Generation of Syscall Descriptions for Kernel Drivers
- 2023-S&P:Precise Detection of Kernel Data Races with Probabilistic Lockset Analysis
- 2023-S&P:SEGFUZZ: Segmentizing Thread Interleaving to Discover Kernel Concurrency Bugs through Fuzzing
(3) kernel defense
- 2011-NDSS:Practical Protection of Kernel Integrity for Commodity OS from Untrusted Extensions
- 2011-NDSS:SigGraph - Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures
- 2011-NDSS:Efficient Monitoring of Untrusted Kernel-Mode Execution
- 2012-NDSS:Kruiser - Semi-synchronized Non-blocking Concurrent Kernel Heap Buffer Overflow Monitoring
- 2012-OSDI:Improving Integer Security for Systems with KINT
- 2012-S&P:Smashing the Gadgets - Hindering Return-Oriented Programming Using In-place Code Randomization
- 2012-USS:Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization
- 2013-EUROSYS:Process firewalls - protecting processes during resource access
- 2013-NDSS:Attack Surface Metrics and Automated Compile-Time OS Kernel Tailoring
- 2013-S&P:Just-In-Time Code Reuse - On the Effectiveness of Fine-Grained Address Space Layout Randomization
- 2014-CCS:A Tale of Two Kernels - Towards Ending Kernel Hardening Wars with Split Kernel
- 2014-NDSS:ROPecker - A Generic and Practical Approach For Defending Against ROP Attacks
- 2014-OSDI:Jitk - A Trustworthy In-Kernel Interpreter Infrastructure
- 2014-S&P:KCoFI - Complete Control-Flow Integrity for Commodity Operating System Kernels
- 2014-S&P:Dancing with Giants - Wimpy Kernels for On-Demand Isolated I/O
- 2015-NDSS:Preventing Use-after-free with Dangling Pointers Nullification
- 2016-NDSS:Enforcing Kernel Security Invariants with Data Flow Integrity
- 2016-OSDI:Light-Weight Contexts - An OS Abstraction for Safety and Performance
- 2016-OSDI:EbbRT - A Framework for Building Per-Application Library Operating Systems
- 2017-EUROSYS:A Characterization of State Spill in Modern Operating Systems
- 2017-EUROSYS:kR^X: Comprehensive Kernel Protection Against Just-In-Time Code Reuse — 【slides】
- 2017-NDSS:PT-Rand - Practical Mitigation of Data-only Attacks against Page Tables
- 2017-S&P:NORAX - Enabling Execute-Only Memory for COTS Binaries on AArch64
- 2017-CCS:FreeGuard - A Faster Secure Heap Allocator
- 2017-USENIX:Lock-in-Pop - Securing Privileged Operating System Kernels by Keeping on the Beaten Path
- 2017-USENIX:Can’t Touch This: Software-only Mitigation against Rowhammer Attacks targeting Kernel Memory
- 2017-USENIX:Oscar: A Practical Page-Permissions-Based Scheme for Thwarting Dangling Pointers
- 2019-S&P:LBM - A Security Framework for Peripherals within the Linux Kernel
- 2019-S&P:SoK - Shining Light on Shadow Stacks
- 2019-S&P:SoK - Sanitizing for Security
- 2019-USENIX:PeX: A Permission Check Analysis Framework for Linux Kernel
- 2019-USENIX:ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK)
- 2019-USENIX:LXDs - Towards Isolation of Kernel Subsystems
- 2019-USENIX:SafeHidden: An Efficient and Secure Information Hiding Technique Using Re-randomization
- 2020-S&P:xMP: Selective Memory Protection for Kernel and User Space
- 2020-S&P:SEIMI: Efficient and Secure SMAP-Enabled Intra-process Memory Isolation — 【note】
- 2021-USENIX:Undo Workarounds for Kernel Bugs
- 2021-USENIX:SHARD: Fine-Grained Kernel Specialization with Context-Aware Hardening
- 2021-USENIX:Preventing Use-After-Free Attacks with Fast Forward Allocation
- 2022-USENIX:Midas: Systematic Kernel TOCTTOU Protection
- 2023-S&P:EC: Embedded Systems Compartmentalization via Intra-Kernel Isolation
- 2023-S&P:uSwitch: Fast Kernel Context Isolation with Implicit Context Switches
other resources:
- security things in every version of Linux mainline
- PaX code analysis
- A Decade of Linux Kernel Vulnerabilities, their Mitigation and Open Problems-2017
- 10_years_of_linux_security_by_grsecurity_2020: security mechanism timeline
- linux-kernel-defence-map
- linux_mitigations
- The State of Kernel Self Protection-2018
(4) Android
- 2020-USENIX:Automatic Hot Patch Generation for Android Kernels — automatic patching of Android kernels 【note】
3. CVE
- Analysis of the Linux kernel 4.20 BPF integer overflow vulnerability
- 【kernel exploit】CVE-2016-9793: mishandled negative value leads to user-space access
- 【kernel exploit】CVE-2017-5123: arbitrary address NULL write vulnerability
- 【CVE-2017-7184】analysis of the Linux xfrm module out-of-bounds read/write privilege escalation vulnerability
- 【kernel exploit】CVE-2017-6074: DCCP congestion control protocol double-free privilege escalation analysis
- 【kernel exploit】CVE-2017-7308: AF_PACKET ring buffer overflow vulnerability
- 【kernel exploit】CVE-2017-8890: Phoenix Talon vulnerability analysis and exploitation
- 【kernel exploit】CVE-2017-11176: debugging a race-condition double-free vulnerability
- 【CVE-2017-16995】analysis of the Linux eBPF module integer extension issue leading to privilege escalation
- 【kernel exploit】CVE-2017-1000112: heap overflow caused by inconsistent UDP packet handling
- 【kernel exploit】CVE-2018-5333: null pointer dereference vulnerability
- 【kernel exploit】CVE-2019-8956: sctp_sendmsg() null pointer dereference vulnerability
- 【kernel exploit】CVE-2019-9213: logic vulnerability bypassing the mmap_min_addr restriction
- 【kernel exploit】CVE-2019-15666: xfrm UAF 8-byte NULL write privilege escalation analysis
- 【kernel exploit】CVE-2020-8835: eBPF verifier error handling leads to out-of-bounds read/write
- 【kernel exploit】BPF vulnerability hunting and the CVE-2020-27194 integer overflow vulnerability
- 【kernel exploit】CVE-2021-3156: sudo vulnerability analysis and exploitation
- 【kernel exploit】CVE-2021-26708: turning a special 4-byte-write race UAF into kernel arbitrary read/write
- 【kernel exploit】CVE-2021-31440: eBPF bounds calculation error vulnerability
- 【kernel exploit】CVE-2021-3490: eBPF 32-bit bounds calculation error vulnerability
- 【kernel exploit】CVE-2021-22555: 2-byte heap overflow zero-write privilege escalation analysis
- 【kernel exploit】CVE-2021-41073: kernel type confusion vulnerability exploitation analysis
- 【kernel exploit】CVE-2021-4154: erroneous release of an arbitrary file object, DirtyCred exploitation
- 【kernel exploit】CVE-2021-42008: 6pack protocol decoding overflow exploitation
- 【kernel exploit】CVE-2021-43267: TIPC protocol MSG_CRYPTO message overflow exploitation
- 【kernel exploit】CVE-2022-0847: Dirty Pipe vulnerability analysis and exploitation
- 【kernel exploit】CVE-2022-0185: File System Context integer overflow exploitation
- 【kernel exploit】CVE-2022-0995: heap overflow single-bit set-to-1 exploitation
- 【kernel exploit】CVE-2022-1015: nftables stack overflow analysis and exploitation
- 【kernel exploit】CVE-2022-2588: double-free vulnerability, DirtyCred exploitation
- 【kernel exploit】CVE-2022-2602: UNIX_GC erroneously frees an io_uring-registered file structure, UAF
- 【kernel exploit】CVE-2022-2639: openvswitch module kmalloc-0x10000 heap overflow exploitation (pipe_buffer arbitrary file write technique)
- 【kernel exploit】CVE-2022-25636: nftables OOB write of a heap pointer exploitation
- Kernel page feng shui as seen from Pwn2Own CVE-2022-27666
- 【kernel exploit】CVE-2022-32250: nftables incorrect list operation leading to UAF write exploitation
- 【kernel exploit】CVE-2022-34918: nftables heap overflow exploitation (list_head arbitrary write)
4. Tool
- syzkaller source code reading notes 1 (syz-extract & syz-sysgen)
- syzkaller source code reading notes 2 (syz-manager)
- syzkaller source code reading notes 3 (syz-fuzzer)
5. Debug & other techniques
- Linux dual-machine kernel debugging
- A first look at Linux kernel exploitation (1): environment setup
- 【Linux kernel debugging】SystemTap usage tips
- 【Linux kernel debugging】using ftrace to hook Linux kernel functions
- 【Linux kernel debugging】comparison of ftrace/kprobes/SystemTap kernel debugging methods
- 【KVM】KVM study: implementing your own kernel