Advanced Linux Kernel Exploitation Techniques

Skill level: Advanced

Duration: 3 days

Delivery: in-person, private

Instructors: Vitaly Nikolenko and Filippo Morano


Course description:

This course is an extension to the kernel exploitation techniques training. It is aimed at experienced Linux kernel researchers already familiar with common kernel exploitation techniques. The focus is on more advanced kernel exploitation techniques based on real-life vulnerabilities and the latest kernel exploitation mitigations on x86_64. Though practical examples are specific to x86_64, most of the concepts are generic and can be applied to other architectures.

The training material covers the latest exploitation mitigations and kernel hardening implementation details. Kernel exploitation mitigations starting from 4.9 up to 5.x will be the main focus of this training. The emphasis is on heap-related vulnerabilities and manipulation of exploit primitives to bypass Supervisor Mode Access Prevention (SMAP). Virtual memory management and the SLUB implementation will be discussed in detail to help understand certain corner cases and mitigations associated with exploitation of heap-related vulnerabilities.

This hands-on training is structured similarly to the Linux kernel exploitation techniques course, where theory material is followed by a practical lab demonstrating the concept in action. Please note there will be no introductory material on kernel debugging, architecture design, etc. We strongly advise taking the kernel exploitation training first unless you are already familiar with common kernel vulnerability classes / exploitation techniques.

Prerequisites:

  • C / Python / x86 assembly knowledge
  • Experience in Linux kernel exploitation / knowledge of common Linux kernel vulnerability classes (consider taking Linux kernel exploitation techniques x86_64 first)
  • Familiarity with GDB (GNU Debugger)

Who should attend:

  • Linux kernel / Android security researchers

Hardware and software:

  • Base OS - Linux x86_64
  • QEMU w/ KVM
  • At least 40GB of free disk space
  • At least 8GB of RAM

Key learning objectives:

  • Advanced kernel exploitation scenarios
  • Latest kernel exploitation mitigations
  • Virtual memory management (page allocator / SLUB)
  • Exploitation primitive manipulations

Course agenda:

  • Kernel exploitation primitive transformations: upgrading weaker primitives
  • Hardened usercopy
  • SLUB debugging techniques
    • Compound pages
    • Per-cpu caches
    • Metadata storage
  • SLUB freelist pointer randomisation
  • Use-after-free
  • Heap overflows with freelist randomisation
  • Double fetches
  • Race conditions
  • Heap manipulation techniques
    • Slab reallocations and collisions
  • Memory control groups
  • SMAP (Supervisor Mode Access Prevention) bypasses
  • kASLR (Kernel Address Space Layout Randomisation)
