Kernel-Security-Learning

Anything about kernel security: CTF kernel pwn and kernel exploits, kernel fuzzing and kernel defense papers, kernel debugging techniques, and kernel CVE debugging.

Keep updating...


1. CTF

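  1. A First Look at Linux Kernel Exploitation (1): environment setup
  2. A First Look at Linux Kernel Exploitation (2): demo-null_dereference
  3. A First Look at Linux Kernel Exploitation (3): demo-stack_overflow
  4. 【Linux kernel exploitation】Qiangwang Cup 2018 core: stack overflow
  5. 【Linux kernel exploitation】CISCN2017-babydriver: UAF vulnerability
  6. 【Linux kernel exploitation】0CTF2018-baby-double-fetch
  7. 【Linux kernel exploitation】Qiangwang Cup 2018-solid_core: arbitrary read/write
  8. 【Linux kernel exploitation】StringIPC: three methods from arbitrary read/write to privilege escalation
  9. 【Linux kernel exploitation】STARCTF 2019 hackme: summary of call_usermodehelper privilege-escalation path variables
  10. 【Linux kernel exploitation】WCTF 2018 klist: race-condition UAF and pipe heap spray
  11. 【Linux kernel exploitation】TokyoWesternsCTF-2019-gnote Double-Fetch
  12. 【Using userfaultfd in the Linux kernel】Balsn CTF 2019 - KrazyNote
  13. Linux Kernel Privilege Escalation Tutorial Series (1): exploiting the heap-spray functions sendmsg and msgsend
  14. Linux Kernel Privilege Escalation Tutorial Series (2): four methods from arbitrary address read/write to privilege escalation
  15. Linux Kernel Privilege Escalation Tutorial Series (3): uninitialized stack variable vulnerabilities
  16. 【Linux kernel exploitation】The ret2dir exploitation method
  17. 【Kernel exploitation】Bypassing the CONFIG_SLAB_FREELIST_HARDENED protection: two solutions to kernoob
  18. 【Exploit trick】Arbitrary address read/write in the Linux kernel using the msg_msg structure
  19. 【Exploit trick】Cross-cache exploitation targeting the cred structure (corCTF 2022-cache-of-castaways)
  20. 【Exploit trick】Constructing a kmalloc-32 arbitrary free using the poll_list object (corCTF 2022-CoRJail)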

2. Paper

(1)kernel exploit

  1. 2014-USENIX:ret2dir: Rethinking Kernel Isolation
  2. 2015-CCS:From collision to exploitation_ Unleashing Use-After-Free vulnerabilities in Linux Kernel
  3. 2016-CCS:Prefetch Side-Channel Attacks - Bypassing SMAP and Kernel ASLR
  4. 2016-CCS:Breaking Kernel Address Space Layout Randomization with Intel TSX
  5. 2017-CCS:SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits
  6. 2017-NDSS:Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying — 【note】
  7. 2018-USENIX:FUZE-Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities — 【note】【tool-FUZE】
  8. 2019-USENIX:KEPLER-Facilitating Control-flow Hijacking Primitive Evaluation for Linux Kernel Vulnerabilities — 【note】【tool-KEPLER】
  9. 2019-CCS:SLAKE-Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel — 【note】【tool-SLAKE】
  10. 2020-USENIX:KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities — 【note】【note2】【tool-KOOBE】
  11. 2020-CCS:A Systematic Study of Elastic Objects in Kernel Exploitation — 【note】【note2】【tool-ELOISE】
  12. 2020-WOOT:Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers
  13. 2021-USENIX:ExpRace: Exploiting Kernel Races through Raising Interrupts — 【note】
  14. 2021-CCS:Demons in the Shared Kernel: Abstract Resource Attacks Against OS-level Virtualization — 【note】
  15. 2022-USENIX:SyzScope: Revealing High-Risk Security Impacts of Fuzzer-Exposed Bugs in Linux kernel — 【tool-SyzScope】
  16. 2022-USENIX:Playing for K(H)eaps: Understanding and Improving Linux Kernel Exploit Reliability — 【note】
  17. 2022-S&P:GREBE: Unveiling Exploitation Potential for Linux Kernel Bugs — 【note】 【note2】 【reproduce】 【tool-GREBE】
  18. 2022-NDSS:Kasper: Scanning for Generalized Transient Execution Gadgets in the Linux Kernel — 【note】 【tool-Kasper】
  19. 2022-CCS:DirtyCred: Escalating Privilege in Linux Kernel — 【note】
  20. 2023-USENIX:PSPRAY: Timing Side-Channel based Linux Kernel Heap Exploitation Technique — 【note】 【note2】
  21. 2023-USENIX:AlphaEXP: An Expert System for Identifying Security-Sensitive Kernel Objects — 【note】
  22. 2023-S&P:AEM: Facilitating Cross-Version Exploitability Assessment of Linux Kernel Vulnerabilities — 【note】
  23. 2023-S&P:When Top-down Meets Bottom-up: Detecting and Exploiting Use-After-Cleanup Bugs in Linux Kernel — 【note】 【note2】
  24. 2023-CCS:RetSpill: Igniting User-Controlled Data to Burn Away Linux Kernel Protections — 【note】 【tool-RetSpill】
  25. 2024-NDSS: SyzBridge: Bridging the Gap in Exploitability Assessment of Linux Kernel Bugs in the Linux Ecosystem - 【note】 【tool-SyzBridge】
  26. 2024-NDSS: K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel - 【note】 【tool-K-LEAK】
  27. 2024-USENIX:Take a Step Further: Understanding Page Spray in Linux Kernel Exploitation
  28. 2024-USENIX:SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel - 【tool-SLUBStick】
  29. 2024-USENIX:SCAVY: Automated Discovery of Memory Corruption Targets in Linux Kernel for Privilege Escalation

(2)kernel vulnerability detection

  1. 2012-OSDI:Improving integer security for systems with KINT
  2. 2014-Black Hat:QSEE TrustZone Kernel Integer Overflow
  3. 2014-USENIX:Static Analysis of Variability in System Software - The 90,000 #ifdefs Issue
  4. 2014-OSDI:SKI:Exposing Kernel Concurrency Bugs through Systematic Schedule Exploration
  5. 2015-SOSP:Cross-checking semantic correctness: The case of finding file system bugs — 【tool-JUXTA】
  6. 2016-USENIX:UniSan-Proactive Kernel Memory Initialization to Eliminate Data Leakages — 【note】【tool-unisan】
  7. 2016-USENIX:APISan: Sanitizing API Usages through Semantic Cross-Checking — 【tool-apisan】
  8. 2017-EUROSYS:DangSan - Scalable Use-after-free Detection — 【tool-dangsan】
  9. 2017-USENIX-ATC:CAB-Fuzz:Practical Concolic Testing Techniques for COTS Operating Systems
  10. 2017-CCS:DIFUZE-Interface Aware Fuzzing for Kernel Drivers — 【note】【tool-difuze】
  11. 2017-USENIX:Digtool- A Virtualization-Based Framework for Detecting Kernel Vulnerabilities-usenix — 【note】【note2】【note3】【note4】
  12. 2017-USENIX:How Double-Fetch Situations turn into DoubleFetch — 【note】【tool】
  13. 2017-USENIX:DR. CHECKER- A Soundy Analysis for Linux Kernel Drivers — 【tool-dr_checker】
  14. 2017-USENIX:kAFL- Hardware-Assisted Feedback Fuzzing for OS Kernels — 【note】【tool-kAFL】
  15. 2018-S&P:DEADLINE-Precise and Scalable Detection of Double-Fetch Bugs in OS Kernels — 【note】【note2】【note3】【tool-DEADLINE】
  16. 2018-CCS:Check It Again- Detecting Lacking-Recheck Bugs in OS Kernels — 【note】【note2】【tool-LRSan】
  17. 2018-USENIX:MoonShine:Optimizing OS Fuzzer Seed Selection with Trace Distillation — 【note】【note2】【tool-moonshine】
  18. 2018-NDSS:K-Miner: Uncovering Memory Corruption in Linux — 【note】【note2】【tool-K-Miner】
  19. 2019-S&P:Razzer:Finding Kernel Race Bugs through Fuzzing — 【note】【note2】【note3】【tool-razzer】
  20. 2019-WOOT-Workshop:Unicorefuzz- On the Viability of Emulation for Kernelspace Fuzzing — 【tool-unicorefuzz】
  21. 2019-FSE:Detecting Concurrency Memory Corruption Vulnerabilities — 【tool-CONVUL】
  22. 2019-S&P:Fuzzing File Systems via Two-Dimensional Input Space Exploration — 【note】 【note2】【tool-JANUS】
  23. 2019-USENIX:Detecting Missing-Check Bugs via Semantic- and Context-Aware Criticalness and Constraints Inferences — 【tool-CRIX】
  24. 2019-USENIX-ATC:Effective Static Analysis of Concurrency Use-After-Free Bugs in Linux Device Drivers — 【note】
  25. 2019-NDSS:PeriScope:An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary — 【note】【tool-periscope】
  26. 2018-USENIX-ATC:DSAC: Effective Static Analysis of Sleep-in-Atomic-Context Bugs in Kernel Modules
  27. 2020-TOCS:Effective Detection of Sleep-in-atomic-context Bugs in the Linux Kernel
  28. 2020-NDSS:HFL: Hybrid Fuzzing on the Linux Kernel — 【note】【note2】【note3】
  29. 2020-S&P:Krace: Data Race Fuzzing for Kernel File Systems — 【note】
  30. 2020-USENIX:Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints - 【presentation】
  31. 2020-USENIX:Muzz: Thread-aware Grey-box Fuzzing for Effective Bug Hunting in Multithreaded Programs — 【note】
  32. 2020-CCS:Exaggerated Error Handling Hurts! An In-Depth Study and Context-Aware Detection —【note】
  33. 2020-FSE:UBITect: A Precise and Scalable Method to Detect Use-Before-Initialization Bugs in Linux Kernel — 【note】
  34. 2020-LPC:KCSAN-Data-race detection in the Linux kernel
  35. 2021-NDSS:Detecting Kernel Memory Leaks in Specialized Modules With Ownership Reasoning — 【note】
  36. 2021-NDSS:KUBO: Precise and Scalable Detection of User-triggerable Undefined Behavior Bugs in OS Kernel — 【note】
  37. 2021-USENIX:Detecting Kernel Refcount Bugs with Two-Dimensional Consistency Checking — 【note】
  38. 2021-USENIX:Understanding and Detecting Disordered Error Handling with Precise Function Pairing — 【note】
  39. 2021-USENIX:An Analysis of Speculative Type Confusion Vulnerabilities in the Wild
  40. 2021-USENIX:Static Detection of Unsafe DMA Accesses in Device Drivers — 【note】
  41. 2021-CCS:Statically Discovering High-Order Taint Style Vulnerabilities in OS Kernels — 【note】 【note2】
  42. 2021-CCS:Detecting Missed Security Operations Through Differential Checking of Object-based Similar Paths — 【note】
  43. 2021-SOSP:HEALER: Relation Learning Guided Kernel Fuzzing — 【tool-healer】 【note】 【note2】 【note3】
  44. 2021-S&P:A Novel Dynamic Analysis Infrastructure to Instrument Untrusted Execution Flow Across User-Kernel Spaces
  45. 2022-NDSS:An In-depth Analysis of Duplicated Linux Kernel Bug Reports — 【note】
  46. 2022-NDSS:Progressive Scrutiny-Incremental Detection of UBI bugs in the Linux Kernel — 【note】
  47. 2022-NDSS:Semantic-Informed Driver Fuzzing Without Both the Hardware Devices and the Emulators — 【note】 【note2】
  48. 2022-USENIX:LinKRID: Vetting Imbalance Reference Counting in Linux kernel with Symbolic Execution — 【note】 【note2】
  49. 2022-USENIX:OS-Aware Vulnerability Prioritization via Differential Severity Analysis
  50. 2023-NDSS:No Grammar, No Problem: Towards Fuzzing the Linux Kernel without System-Call Descriptions
  51. 2023-USENIX:FirmSolo: Enabling dynamic analysis of binary Linux-based IoT kernel modules — 【note】
  52. 2023-USENIX:Mitigating Security Risks in Linux with KLAUS: A Method for Evaluating Patch Correctness
  53. 2023-USENIX:BoKASAN: Binary-only Kernel Address Sanitizer for Effective Kernel Fuzzing
  54. 2023-USENIX:ACTOR: Action-Guided Kernel Fuzzing
  55. 2023-USENIX:Uncontained: Uncovering Container Confusion in the Linux Kernel
  56. 2023-USENIX:DDRace: Finding Concurrency UAF Vulnerabilities in Linux Drivers with Directed Fuzzing
  57. 2023-S&P:SyzDescribe: Principled, Automated, Static Generation of Syscall Descriptions for Kernel Drivers — 【tool-SyzDescribe】
  58. 2023-S&P:Precise Detection of Kernel Data Races with Probabilistic Lockset Analysis
  59. 2023-S&P:SEGFUZZ: Segmentizing Thread Interleaving to Discover Kernel Concurrency Bugs through Fuzzing — 【tool-segfuzz】
  60. 2023-CCS:SyzDirect: Directed Greybox Fuzzing for Linux Kernel — 【tool-Syzdirect】
  61. 2024-NDSS: MOCK: Optimizing Kernel Fuzzing Mutation with Context-aware Dependency - 【tool-mock】
  62. 2024-S&P: To Boldly Go Where No Fuzzer Has Gone Before: Finding Bugs in Linux' Wireless Stacks through VirtIO Devices - 【tool-Virtfuzz】
  63. 2024-S&P: SyzGen++: Dependency Inference for Augmenting Kernel Driver Fuzzing - 【tool-SyzGen++】

(3)kernel defense

  1. 2011-NDSS:Practical Protection of Kernel Integrity for Commodity OS from Untrusted Extensions
  2. 2011-NDSS:SigGraph - Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures
  3. 2011-NDSS:Efficient Monitoring of Untrusted Kernel-Mode Execution
  4. 2012-NDSS:Kruiser - Semi-synchronized Non-blocking Concurrent Kernel Heap Buffer Overflow Monitoring
  5. 2012-OSDI:Improving Integer Security for Systems with KINT
  6. 2012-S&P:Smashing the Gadgets - Hindering Return-Oriented Programming Using In-place Code Randomization
  7. 2012-USS:Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization
  8. 2013-EUROSYS:Process firewalls - protecting processes during resource access
  9. 2013-NDSS:Attack Surface Metrics and Automated Compile-Time OS Kernel Tailoring
  10. 2013-S&P:Just-In-Time Code Reuse - On the Effectiveness of Fine-Grained Address Space Layout Randomization
  11. 2014-CCS:A Tale of Two Kernels - Towards Ending Kernel Hardening Wars with Split Kernel
  12. 2014-NDSS:ROPecker - A Generic and Practical Approach For Defending Against ROP Attacks
  13. 2014-OSDI:Jitk - A Trustworthy In-Kernel Interpreter Infrastructure
  14. 2014-S&P:KCoFI - Complete Control-Flow Integrity for Commodity Operating System Kernels
  15. 2014-S&P:Dancing with Giants - Wimpy Kernels for On-Demand Isolated I/O
  16. 2015-NDSS:Preventing Use-after-free with Dangling Pointers Nullification
  17. 2016-NDSS:Enforcing Kernel Security Invariants with Data Flow Integrity
  18. 2016-OSDI:Light-Weight Contexts - An OS Abstraction for Safety and Performance
  19. 2016-OSDI:EbbRT - A Framework for Building Per-Application Library Operating Systems
  20. 2017-EUROSYS:A Characterization of State Spill in Modern Operating Systems
  21. 2017-EUROSYS:kR^X: Comprehensive Kernel Protection Against Just-In-Time Code Reuse - 【slides】
  22. 2017-NDSS:PT-Rand - Practical Mitigation of Data-only Attacks against Page Tables
  23. 2017-S&P:NORAX - Enabling Execute-Only Memory for COTS Binaries on AArch64
  24. 2017-CCS:FreeGuard - A Faster Secure Heap Allocator
  25. 2017-USENIX:Lock-in-Pop - Securing Privileged Operating System Kernels by Keeping on the Beaten Path
  26. 2017-USENIX:Can’t Touch This: Software-only Mitigation against Rowhammer Attacks targeting Kernel Memory
  27. 2017-USENIX:Oscar: A Practical Page-Permissions-Based Scheme for Thwarting Dangling Pointers
  28. 2019-S&P:LBM - A Security Framework for Peripherals within the Linux Kernel
  29. 2019-S&P:SoK - Shining Light on Shadow Stacks
  30. 2019-S&P:SoK - Sanitizing for Security
  31. 2019-USENIX:PeX: A Permission Check Analysis Framework for Linux Kernel
  32. 2019-USENIX:ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK)
  33. 2019-USENIX:LXDs - Towards Isolation of Kernel Subsystems
  34. 2019-USENIX:SafeHidden: An Efficient and Secure Information Hiding Technique Using Re-randomization
  35. 2020-S&P:xMP: Selective Memory Protection for Kernel and User Space
  36. 2020-S&P:SEIMI: Efficient and Secure SMAP-Enabled Intra-process Memory Isolation — 【note】
  37. 2021-USENIX:Undo Workarounds for Kernel Bugs
  38. 2021-USENIX:SHARD: Fine-Grained Kernel Specialization with Context-Aware Hardening
  39. 2021-USENIX:Preventing Use-After-Free Attacks with Fast Forward Allocation
  40. 2022-NDSS:Preventing Kernel Hacks with HAKCs
  41. 2022-USENIX:Midas: Systematic Kernel TOCTTOU Protection
  42. 2023-S&P:EC: Embedded Systems Compartmentalization via Intra-Kernel Isolation
  43. 2023-S&P:uSwitch: Fast Kernel Context Isolation with Implicit Context Switches
  44. 2023-USENIX:PET: Prevent Discovered Errors from Being Triggered in the Linux Kernel
  45. 2023-USENIX:A Hybrid Alias Analysis and Its Application to Global Variable Protection in the Linux Kernel
  46. 2024-USENIX:SeaK: Rethinking the Design of a Secure Allocator for OS Kernel

other resources:

  1. security things in every version of Linux mainline
  2. PaX code analysis
  3. A Decade of Linux Kernel Vulnerabilities, their Mitigation and Open Problems-2017
  4. 10_years_of_linux_security_by_grsecurity_2020—— security mechanism timeline
  5. linux-kernel-defence-map
  6. linux_mitigations
  7. The State of Kernel Self Protection-2018

(4) Android

  1. 2020-USENIX:Automatic Hot Patch Generation for Android Kernels (automatically patching Android) 【note】

3. CVE

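  1. Analysis of the Linux kernel 4.20 BPF integer overflow vulnerability
  2. 【kernel exploit】CVE-2016-9793: mishandled negative value leads to user-space access
  3. 【kernel exploit】CVE-2017-5123: arbitrary-address NULL write vulnerability
  4. 【CVE-2017-7184】Analysis of the Linux xfrm module out-of-bounds read/write privilege escalation vulnerability
  5. 【kernel exploit】CVE-2017-6074: DCCP congestion control protocol Double-Free privilege escalation analysis
  6. 【kernel exploit】CVE-2017-7308: AF_PACKET ring buffer overflow vulnerability
  7. 【kernel exploit】CVE-2017-8890: Phoenix Talon vulnerability analysis and exploitation
  8. 【kernel exploit】CVE-2017-11176: debugging the race-condition Double-Free vulnerability
  9. 【CVE-2017-16995】Analysis of the Linux ebpf module integer extension issue leading to privilege escalation
  10. 【kernel exploit】CVE-2017-1000112: inconsistent UDP packet handling leads to heap overflow
  11. 【kernel exploit】CVE-2018-5333: null pointer dereference vulnerability
  12. 【kernel exploit】CVE-2019-8956: sctp_sendmsg() null pointer dereference vulnerability
  13. 【kernel exploit】CVE-2019-9213: logic bug bypassing the mmap_min_addr restriction
  14. 【kernel exploit】CVE-2019-15666: xfrm UAF 8-byte NULL write privilege escalation analysis
  15. 【kernel exploit】CVE-2020-8835: eBPF verifier mishandling leads to out-of-bounds read/write
  16. 【kernel exploit】BPF vulnerability hunting and the CVE-2020-27194 integer overflow vulnerability
  17. 【kernel exploit】CVE-2021-3156: sudo vulnerability analysis and exploitation
  18. 【kernel exploit】CVE-2021-26708: turning a special race-condition UAF with a four-byte write into kernel arbitrary read/write
  19. 【kernel exploit】CVE-2021-31440: eBPF bounds calculation error vulnerability
  20. 【kernel exploit】CVE-2021-3490: eBPF 32-bit bounds calculation error vulnerability
  21. 【kernel exploit】CVE-2021-22555: privilege escalation analysis of the 2-byte heap overflow zero-write vulnerability
  22. 【kernel exploit】CVE-2021-41073: kernel type confusion vulnerability exploitation analysis
  23. 【kernel exploit】CVE-2021-4154: erroneous free of an arbitrary file object, DirtyCred exploitation
  24. 【kernel exploit】CVE-2021-42008: exploiting the 6pack protocol decoding overflow vulnerability
  25. 【kernel exploit】CVE-2021-43267: exploiting the TIPC protocol MSG_CRYPTO message overflow
  26. 【kernel exploit】CVE-2022-0847: Dirty Pipe vulnerability analysis and exploitation
  27. 【kernel exploit】CVE-2022-0185: exploiting the File System Context integer overflow vulnerability
  28. 【kernel exploit】CVE-2022-0995: exploiting a heap overflow that sets 1 bit to 1
  29. 【kernel exploit】CVE-2022-1015: nftables stack overflow vulnerability analysis and exploitation
  30. 【kernel exploit】CVE-2022-2588: Double-free vulnerability, DirtyCred exploitation
  31. 【kernel exploit】CVE-2022-2602: UNIX_GC erroneously frees a file structure registered with io_uring (UAF)
  32. 【kernel exploit】CVE-2022-2639: exploiting the openvswitch module kmalloc-0x10000 heap overflow (pipe_buffer arbitrary file write technique)
  33. 【kernel exploit】CVE-2022-25636: exploiting the nftables OOB write of a heap pointer
  34. Kernel page feng shui as seen through PWN2OWN CVE-2022-27666
  35. 【kernel exploit】CVE-2022-32250: exploiting the UAF write caused by an incorrect nftables linked-list operation
  36. 【kernel exploit】CVE-2022-34918: exploiting the nftable heap overflow vulnerability (list_head arbitrary write)
  37. 【kernel exploit】CVE-2023-2598: io_uring out-of-bounds physical memory read/write (forging a sock object)
  38. 【kernel exploit】CVE-2024-1086: nftables UAF vulnerability, the Dirty Pagedirectory exploitation method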

4. Exploitation Techniques

  1. Dirty Pagetable: a new kernel exploitation technique

5. Tool

  1. syzkaller source code reading notes 1 (syz-extract & syz-sysgen)
  2. syzkaller source code reading notes 2 (syz-manager)
  3. syzkaller source code reading notes 3 (syz-fuzzer)

6. Debug & other techniques

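  1. Linux two-machine debugging
  2. A First Look at Linux Kernel Exploitation (1): environment setup
  3. 【Linux kernel debugging】SystemTap usage tips
  4. 【Linux kernel debugging】Hooking Linux kernel functions with Ftrace
  5. 【Linux kernel debugging】Comparison of the ftrace/kprobes/SystemTap kernel debugging methods
  6. 【KVM】Learning KVM: implementing your own kernel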

Reference:

linux-security-papers

linux-kernel-exploitation

GoSSIP_Software Security Group