Linux kernel exploitation techniques on x86_64
Skill level: Intermediate
Duration: 3 or 4 days
Instructor: Vitaly Nikolenko
Delivery: On-site or online

Course description:

The number of user-land exploitation countermeasures outweighs the kernel protection mechanisms implemented by most modern distributions. Due to the complexity associated with exploiting user-land vulnerabilities, Linux kernel, with its huge publicly available codebase, has become an appealing target for exploit developers. A successful exploitation of a kernel vulnerability generally results in privilege escalation bypassing any user-land protections and exploit mitigations implemented by the OS.

This course teaches common kernel exploitation techniques on modern Linux distributions (x86_x64 architecture and 3.x/4.x kernels). It provides up-to-date information on current kernel hardening implementations and exploit mitigations. It is designed for students already familiar with user-land exploitation who want to play with the heart of the OS and gain fundamental knowledge required to develop reliable and effective kernel exploits. The course is structured as several theory modules (providing the necessary background material), followed by hands-on lab exercises demonstrating learned concepts in practice.

Even though this course is designed for beginners in kernel exploitation, a number of more advanced topics, such as reliable exploitation of heap vulnerabilities and SMEP/SMAP/KPTI bypasses, are discussed. The last day covers the more advanced material related to heap vulnerabilities and race conditions in the kernel. This course primarily concentrates on the exploitation phase, though some guidelines for vulnerability analysis will be discussed as well. The goal of this training is to demonstrate general exploitation concepts that can be applied to common classes of kernel memory corruption vulnerabilities.

The three-day course covers the necessary kernel exploitation background starting from various privilege escalation techniques to SMAP bypasses. The four-day version of this course is more advanced and focuses on bypasses for current kernel exploitation mitigations (software and hardware) with more advanced topics such as exploitation in interrupt context.

This course is largely self-contained but please ensure you meet the entry requirements detailed below.

  • Familiarity with x86(_64) architecture
  • Linux working proficiency
  • C and assembly programming knowledge
  • Familiarity with GDB (GNU Debugger)
  • Fundamental knowledge of common classes of vulnerabilities (e.g., stack and heap overflows, integer type conversion vulnerabilities and overflows, etc.) and user-space exploitation techniques
Who should attend:
  • Reverse engineers, bug hunters and exploit developers
  • Information security professionals experienced in user-land exploitation
Hardware and software:
  • Base OS - Windows, macOS, Linux
  • At least 8 GB of RAM
  • At least 20GB of free disk space
  • VMWare Workstation (v9+) or Fusion (v5+) - trial version is sufficient
Key learning objectives:
  • Privilege escalation techniques
  • Exploitation of integer vulnerabilities
  • Exploitation of kernel heap and stack vulnerabilities
  • Reliable exploitation of use-after-free (UAF) vulnerabilities on SMP systems
  • SMEP/SMAP/KPTI bypasses
Course agenda:
  • Introduction to Linux kernel exploits
  • Kernel debugging
  • GDB scripting engine and developing helper scripts
  • Dynamic debugging with kprobes / jprobes
  • Privilege escalation techniques
  • Read/write (controlled, partially-controlled and uncontrolled) primitives and ret2usr attacks
  • Architecture-specific exploitation techniques
  • Fixating the system and recovering the kernel state
  • Information leaks (environment and code-based)
  • Out of bounds (OOB) access vulnerabilities
  • Integer vulnerabilities (signedness, typecasting, overflows)
  • Kernel stack overflows
  • Dynamic memory management/SLAB allocator
  • Heap vulnerabilities (heap overflows, UAF, off-by-X)
  • Reliable UAF exploitation on SMP systems
  • Supervisor Mode Execution Protection / Access Protection / Kernel Page Table Isolation bypasses
  • Current UAF exploitation countermeasures and bypasses
  • Kernel race conditions
  • Universal heap sprays
  • Latest kernel exploitation mitigations
Recommended reading material:
Misc files:

GDB kernel debugging cheatsheet

  • Do I need to have any kernel development background?
  • It definitely helps but not required. This training is largely self-contained and you should be fine as long as you meet the course prerequisites listed above.
  • Is C and assembly knowledge essential?
  • Yes. Even though the kernel is open-source, assembly knowledge is essential in exploit development (e.g., kernel ROP/JOP chains or even day to day kernel debugging since the kernel is heavily optimised). C knowledge goes without saying.
  • I'm new to Linux kernel exploitation but I'm more interested in Android/ARM64 kernel exploitation. Should I start with x86_64?
  • We would normally recommend starting with x86_64 if you are new to Linux kernel exploitation - not because this training is "easier" than the Android kernel security training but it is more self-contained and there is a minimum level of assumed knowledge. It is also more convenient to use VMs and debug the kernel on x86_64.
  • Can I use Qemu or VirtualBox instead?
  • We will be using the builtin VMware gdbstub for kernel debugging. It is quite stable and provides a cross-platform solution (i.e., any host OS) ideal for trainings.
  • I still prefer to use Qemu (KVM) on a Linux host for kernel debugging and I'm not new to kernel debugging.
  • Sure, feel free to use Qemu then. You will need to convert VMware disk images to something like qcow2 though.
  • I missed this training session. When is the next training session scheduled?
  • We normally do 2 public training sessions per year. The dates change every year and there is no fixed schedule. If you are signed up to training notifications, you will get a schedule notice about 2 months in advance.
  • Can this training be delivered online?
  • Yes, at the moment we deliver public trainings online only.
Training Announcements

There are generally two public trainigs sessions per year (first half of the year) in Europe or Asia. You can sign up below to receive public training schedule notifications.

For a private training contact us directly.