Training - Linux Kernel Exploitation Techniques

Linux kernel exploitation techniques on x86_64

Skill level: Intermediate

Duration: 3 or 4 days

Instructor: Vitaly Nikolenko

Course description:

The number of user-land exploitation countermeasures outweighs the kernel protection mechanisms implemented by most modern distributions. Due to the complexity associated with exploiting user-land vulnerabilities, Linux kernel, with its huge publicly available codebase, has become an appealing target for exploit developers. A successful exploitation of a kernel vulnerability generally results in privilege escalation bypassing any user-land protections and exploit mitigations implemented by the OS.

This course teaches common kernel exploitation techniques on modern Linux distributions (x86_x64 architecture and 3.x/4.x kernels). It provides up-to-date information on current kernel hardening implementations and exploit mitigations. It is designed for students already familiar with user-land exploitation who want to play with the heart of the OS and gain fundamental knowledge required to develop reliable and effective kernel exploits. The course is structured as several theory modules (providing the necessary background material), followed by hands-on lab exercises demonstrating learned concepts in practice.

Even though this course is designed for beginners in kernel exploitation, a number of more advanced topics, such as reliable exploitation of heap vulnerabilities and SMEP/SMAP/KPTI bypasses, are discussed. The last day covers the more advanced material related to heap vulnerabilities and race conditions in the kernel. This course primarily concentrates on the exploitation phase, though some guidelines for vulnerability analysis will be discussed as well. The goal of this training is to demonstrate general exploitation concepts that can be applied to common classes of kernel memory corruption vulnerabilities.

The three-day course covers the necessary kernel exploitation background starting from various privilege escalation techniques to SMAP bypasses. The four-day version of this course is more advanced and focuses on bypasses for current kernel exploitation mitigations (software and hardware) with more advanced topics such as exploitation in interrupt context.

This course is largely self-contained but please ensure you meet the entry requirements detailed below.

Prerequisites:

Familiarity with x86(_64) architecture
Linux working proficiency
C and assembly programming knowledge
Familiarity with GDB (GNU Debugger)
Fundamental knowledge of common classes of vulnerabilities (e.g., stack and heap overflows, integer type conversion vulnerabilities and overflows, etc.) and user-space exploitation techniques

Who should attend:

Reverse engineers, bug hunters and exploit developers
Information security professionals experienced in user-land exploitation

Hardware and software:

Base OS - Windows, macOS, Linux
At least 8 GB of RAM
At least 20GB of free disk space
VMWare Workstation (v9+) or Fusion (v5+) - trial version is sufficient

Key learning objectives:

Privilege escalation techniques
Exploitation of integer vulnerabilities
Exploitation of kernel heap and stack vulnerabilities
Reliable exploitation of use-after-free (UAF) vulnerabilities on SMP systems
SMEP/SMAP/KPTI bypasses

Course agenda:

Introduction to Linux kernel exploits
Kernel debugging
GDB scripting engine and developing helper scripts
Dynamic debugging with kprobes / jprobes
Privilege escalation techniques
Read/write (controlled, partially-controlled and uncontrolled) primitives and ret2usr attacks
Architecture-specific exploitation techniques
Fixating the system and recovering the kernel state
Information leaks (environment and code-based)
Out of bounds (OOB) access vulnerabilities
Integer vulnerabilities (signedness, typecasting, overflows)
Kernel stack overflows
Dynamic memory management/SLAB allocator
Heap vulnerabilities (heap overflows, UAF, off-by-X)
Reliable UAF exploitation on SMP systems
Supervisor Mode Execution Protection / Access Protection / Kernel Page Table Isolation bypasses
Current UAF exploitation countermeasures and bypasses
Kernel race conditions
Universal heap sprays
Double fetches
Latest kernel exploitation mitigations

Misc files:

GDB kernel debugging cheatsheet

Public Schedule

» Linux kernel exploitation techniques (x86_64) 4 days: 2 - 5 September 2019 Singapore - SOLD OUT
» Linux kernel exploitation techniques (x86_64) 4 days: 30 September - 3 October 2019 Sydney, Australia - CLOSED
» Linux kernel exploitation techniques (x86_64) 4 days: 21 - 24 October 2019 Singapore - SOLD OUT
» Android kernel security: 10 - 13 February 2020 Berlin, Germany - OffensiveCon - SOLD OUT
» Android kernel security (3-days) 15 - 17 June 2020 Seoul, Korea - CANCELLED DUE TO COVID-19

Training Announcements

We generally run a couple of public trainigs sessions per year (first half of the year) in Europe or Asia. You can sign up below to receive public training schedule notifications.

For a private training contact us directly.