Kernel-Security-Learning

Anything about kernel security. CTF kernel pwn & kernel exploit, kernel fuzz and kernel defense paper & kernel debugging technique & kernel CVE debug.

Keep updating...

---

1. CTF

1. linux内核漏洞利用初探（1）：环境配置
2. linux内核漏洞利用初探（2）：demo-null_dereference
3. linux内核漏洞利用初探（3）：demo-stack_overflow
4. 【Linux内核漏洞利用】2018强网杯core_栈溢出
5. 【Linux内核漏洞利用】CISCN2017-babydriver_UAF漏洞
6. 【Linux内核漏洞利用】0CTF2018-baby-double-fetch
7. 【Linux内核漏洞利用】强网杯2018-solid_core-任意读写
8. 【linux内核漏洞利用】StringIPC—从任意读写到权限提升三种方法
9. 【linux内核漏洞利用】STARCTF 2019 hackme—call_usermodehelper提权路径变量总结
10. 【linux内核漏洞利用】WCTF 2018 klist—竞争UAF-pipe堆喷
11. 【linux内核漏洞利用】TokyoWesternsCTF-2019-gnote Double-Fetch
12. 【linux内核userfaultfd使用】Balsn CTF 2019 - KrazyNote
13. linux内核提权系列教程（1）：堆喷射函数sendmsg与msgsend利用
14. linux内核提权系列教程（2）：任意地址读写到提权的4种方法
15. linux内核提权系列教程（3）：栈变量未初始化漏洞
16. 【linux内核漏洞利用】ret2dir利用方法
17. 【内核漏洞利用】绕过CONFIG_SLAB_FREELIST_HARDENED防护—kernoob两种解法

---

2. Paper

（1）kernel exploit

1. 2014-USENIX：ret2dir: Rethinking Kernel Isolation
2. 2015-CCS：From collision to exploitation_ Unleashing Use-After-Free vulnerabilities in Linux Kernel
3. 2016-CCS：Prefetch Side-Channel Attacks - Bypassing SMAP and Kernel ASLR
4. 2016-CCS：Breaking Kernel Address Space Layout Randomization with Intel TSX
5. 2017-CCS：SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits
6. 2017-NDSS：Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying — 【note】
7. 2018-USENIX：FUZE-Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities — 【note】【tool-FUZE】
8. 2019-USENIX：KEPLER-Facilitating Control-flow Hijacking Primitive Evaluation for Linux Kernel Vulnerabilities — 【note】【tool-KEPLER】
9. 2019-CCS：SLAKE-Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel — 【note】【tool-SLAKE】
10. 2020-USENIX：KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities — 【note】【note2】【tool-KOOBE】
11. 2020-CCS：A Systematic Study of Elastic Objects in Kernel Exploitation — 【note】【note2】【tool-ELOISE】
12. 2020-WOOT：Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers

（2）kernel vulerability detection

1. 2012-OSDI：Improving integer security for systems with KINT
2. 2014-Black Hat：QSEE TrustZone Kernel Integer Overflow
3. 2014-USENIX：Static Analysis of Variability in System Software - The 90, 000 #ifdefs Issue
4. 2014-OSDI：SKI：Exposing Kernel Concurrency Bugs through Systematic Schedule Exploration
5. 2015-SOSP：Cross-checking semantic correctness: The case of finding file system bugs — 【tool-JUXTA】
6. 2016-USENIX：UniSan-Proactive Kernel Memory Initialization to Eliminate Data Leakages — 【note】【tool-unisan】
7. 2016-USENIX：APISan: Sanitizing API Usages through Semantic Cross-Checking — 【tool-apisan】
8. 2017-EUROSYS：DangSan - Scalable Use-after-free Detection — 【tool-dangsan】
9. 2017-USENIX-ATC：CAB-Fuzz：Practical Concolic Testing Techniques for {COTS} Operating Systems
10. 2017-CCS：DIFUZE-Interface Aware Fuzzing for Kernel Drivers — 【note】【tool-difuze】
11. 2017-USENIX：Digtool- A Virtualization-Based Framework for Detecting Kernel Vulnerabilities-usenix — 【note】【note2】【note3】【note4】
12. 2017-USENIX：How Double-Fetch Situations turn into DoubleFetch — 【note】【tool】
13. 2017-USENIX：DR. CHECKER- A Soundy Analysis for Linux Kernel Drivers — 【tool-dr_checker】
14. 2017-USENIX：kAFL- Hardware-Assisted Feedback Fuzzing for OS Kernels — 【note】【tool-kAFL】
15. 2018-S&P：DEADLINE-Precise and Scalable Detection of Double-Fetch Bugs in OS Kernels — 【note】【note2】【note3】【tool-DEADLINE】
16. 2018-CCS：Check It Again- Detecting Lacking-Recheck Bugs in OS Kernels — 【note】【note2】【tool-LRSan】
17. 2018-USENIX：MoonShine：Optimizing OS Fuzzer Seed Selection with Trace Distillation — 【note】【note2】【tool-moonshine】
18. 2018-NDSS：K-Miner: Uncovering Memory Corruption in Linux — 【note】【note2】【tool-K-Miner】
19. 2019-S&P：Razzer：Finding Kernel Race Bugs through Fuzzing — 【note】【note2】【note3】【tool-razzer】
20. 2019-WOOT-Workshop：Unicorefuzz- On the Viability of Emulation for Kernelspace Fuzzing — 【tool-unicorefuzz】
21. 2019-FSE：Detecting Concurrency Memory Corruption Vulnerabilities — 【tool-CONVUL】
22. 2019-S&P：Fuzzing File Systems via Two-Dimensional Input Space Exploration — 【note】 【note2】【tool-JANUS】
23. 2019-USENIX：Detecting Missing-Check Bugs via Semantic- and Context-Aware Criticalness and Constraints Inferences — 【tool-CRIX】
24. 2019-USENIX-ATC：Effective Static Analysis of Concurrency Use-After-Free Bugs in Linux Device Drivers — 【note】
25. 2019-NDSS：PeriScope：An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary — 【note】【tool-periscope】
26. 2018-USENIX-ATC：DSAC: Effective Static Analysis of Sleep-in-Atomic-Context Bugs in Kernel Modules
27. 2020-TOCS：Effective Detection of Sleep-in-atomic-context Bugs in the Linux Kernel
28. 2020-NDSS：HFL: Hybrid Fuzzing on the Linux Kernel — 【note】【note2】【note3】
29. 2020-S&P：Krace: Data Race Fuzzing for Kernel File Systems — 【note】
30. 2020-USENIX：Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints — presentation
31. 2020-USENIX：Muzz: Thread-aware Grey-box Fuzzing for Effective Bug Hunting in Multithreaded Programs — 【note】
32. 2020-CCS：Exaggerated Error Handling Hurts! An In-Depth Study and Context-Aware Detection —【note】
33. 2020-FSE：UBITect: A Precise and Scalable Method to Detect Use-Before-Initialization Bugs in Linux Kernel — 【note】
34. 2020-LPC：KCSAN-Data-race detection in the Linux kernel
35. 2021-NDSS：Detecting Kernel Memory Leaks in Specialized Modules With Ownership Reasoning — 【note】
36. 2021-NDSS：KUBO: Precise and Scalable Detection of User-triggerable Undefined Behavior Bugs in OS Kernel — 【note】

（3）kernel defense

1. 2011-NDSS：Practical Protection of Kernel Integrity for Commodity OS from Untrusted Extensions
2. 2011-NDSS：SigGraph - Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures
3. 2011-NDSS：Efficient Monitoring of Untrusted Kernel-Mode Execution
4. 2012-NDSS：Kruiser - Semi-synchronized Non-blocking Concurrent Kernel Heap Buffer Overflow Monitoring
5. 2012-OSDI：Improving Integer Security for Systems with KINT
6. 2012-S&P：Smashing the Gadgets - Hindering Return-Oriented Programming Using In-place Code Randomization
7. 2012-USS：Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization
8. 2013-EUROSYS：Process firewalls - protecting processes during resource access
9. 2013-NDSS：Attack Surface Metrics and Automated Compile-Time OS Kernel Tailoring
10. 2013-S&P：Just-In-Time Code Reuse - On the Effectiveness of Fine-Grained Address Space Layout Randomization
11. 2014-CCS：A Tale of Two Kernels - Towards Ending Kernel Hardening Wars with Split Kernel
12. 2014-NDSS：ROPecker - A Generic and Practical Approach For Defending Against ROP Attacks
13. 2014-OSDI：Jitk - A Trustworthy In-Kernel Interpreter Infrastructure
14. 2014-S&P：KCoFI - Complete Control-Flow Integrity for Commodity Operating System Kernels
15. 2014-S&P：Dancing with Giants - Wimpy Kernels for On-Demand Isolated I/O
16. 2015-NDSS：Preventing Use-after-free with Dangling Pointers Nullification
17. 2016-NDSS：Enforcing Kernel Security Invariants with Data Flow Integrity
18. 2016-OSDI：Light-Weight Contexts - An OS Abstraction for Safety and Performance
19. 2016-OSDI：EbbRT - A Framework for Building Per-Application Library Operating Systems
20. 2017-EUROSYS：A Characterization of State Spill in Modern Operating Systems
21. 2017-EUROSYS：kRˆX: Comprehensive Kernel Protection Against Just-In-Time Code Reuse 【slides】
22. 2017-NDSS：PT-Rand - Practical Mitigation of Data-only Attacks against Page Tables
23. 2017-S&P：NORAX - Enabling Execute-Only Memory for COTS Binaries on AArch64
24. 2017-CCS：FreeGuard - A Faster Secure Heap Allocator
25. 2017-USENIX：Lock-in-Pop - Securing Privileged Operating System Kernels by Keeping on the Beaten Path
26. 2017-USENIX：Can’t Touch This: Software-only Mitigation against Rowhammer Attacks targeting Kernel Memory
27. 2017-USENIX：Oscar: A Practical Page-Permissions-Based Scheme for Thwarting Dangling Pointers
28. 2019-S&P：LBM - A Security Framework for Peripherals within the Linux Kernel
29. 2019-S&P：SoK - Shining Light on Shadow Stacks
30. 2019-S&P：SoK - Sanitizing for Security
31. 2019-USENIX：PeX: A Permission Check Analysis Framework for Linux Kernel
32. 2019-USENIX：ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK)
33. 2019-USENIX：LXDs - Towards Isolation of Kernel Subsystems
34. 2019-USENIX：SafeHidden: An Efficient and Secure Information Hiding Technique Using Re-randomization
35. 2020-S&P：xMP: Selective Memory Protection for Kernel and User Space
36. 2020-S&P：SEIMI: Efficient and Secure SMAP-Enabled Intra-process Memory Isolation —— 【note】

other resources：

1. security things in every version of Linux mainline
2. PaX code analysis
3. A Decade of Linux Kernel Vulnerabilities, their Mitigation and Open Problems-2017
4. 10_years_of_linux_security_by_grsecurity_2020—— security mechanism timeline
5. linux-kernel-defence-map
6. The State of Kernel Self Protection-2018

（4） Android

1. 2020-USEINX：Automatic Hot Patch Generation for Android Kernels—自动给安卓打补丁 【note】

---

3. CVE

1. Linux kernel 4.20 BPF 整数溢出漏洞分析
2. 【CVE-2017-16995】Linux ebpf模块整数扩展问题导致提权漏洞分析
3. 【CVE-2017-7184】Linux xfrm模块越界读写提权漏洞分析
4. 【kernel exploit】CVE-2017-11176 竞态Double-Free漏洞调试
5. 【kernel exploit】CVE-2020-8835：eBPF verifier 错误处理导致越界读写
6. 【kernel exploit】BPF漏洞挖掘与CVE-2020-27194 整数溢出漏洞
7. 【kernel exploit】CVE-2021-3156 sudo漏洞分析与利用

---

4. Tool

---

5. Debug & other techniques

1. linux双机调试
2. linux内核漏洞利用初探（1）：环境配置
3. 【linux内核调试】SystemTap使用技巧
4. 【linux内核调试】使用Ftrace来Hook linux内核函数
5. 【linux内核调试】ftrace/kprobes/SystemTap内核调试方法对比
6. 【KVM】KVM学习—实现自己的内核

---

Reference:

linux-security-papers

linux-kernel-exploitation

GoSSIP_Software Security Group