Unlike the Linux kernel exploitation training, this course focuses on vulnerability discovery and root cause analysis rather than developing proof of concept code for specific kernel versions and bypassing various kernel exploitation mitigations. We will discuss a few publicly available kernel fuzzing frameworks and focus on practical approaches for kernel fuzzing.
The first part of this training focuses on common classes of kernel vulnerabilities and ways to identify these vulnerabilities through automated testing and/or static code analysis techniques. Though several fuzzing options / frameworks are discussed, the main focus is on practical fuzzing approaches with code coverage. The training starts off with an introduction to code coverage and implementation details for coverage collection in the kernel. We will discuss various input mutation techniques and ways to improve code coverage (e.g., collecting "live" samples and input deduplication). Some static code analysis techniques for identifying common vulnerabilities will be presented as well, e.g., writing your own LLVM plugins and performing taint analysis to trace user inputs. Several common types of kernel vulnerabilities will be discussed in detail and then generalised as "patterns" that are useful for static analysis.
The second part is dedicated to root cause analysis, i.e., analysing the vulnerability once a stable reproducer is obtained or developing the reproducer if the crash is not stable. Several useful kernel debugging techniques that can aid in root cause analysis will be discussed.
We strongly advise taking the kernel exploitation training first unless you are already familiar with common kernel vulnerability classes / exploitation techniques.
We generally run a couple of public trainigs sessions per year (first half of the year) in Europe or Asia. You can sign up below to receive public training schedule notifications.
For a private training contact us directly.