SlideShare uma empresa Scribd logo

Linux Kernel Exploitation

Scio Security
Scio Security

Scio CTO Jon Oberheide at SOURCE Boston, April 2010

Tecnologia
1 de 44
Baixar para ler offline
Linux Kernel Exploitation Earning Its Pwnie a Vuln at a Time Jon Oberheide CTO, Scio Security This document is confidential and is intended solely for use by its original recipient for informational purposes. Neither the document nor any of the information contained in this document may be reproduced or disclosed to other persons without the prior written approval of Scio Security, Inc.
An Ode to My Dear Eyjafjallajokull BEWARE THE CYBER POMPEII http://jon.oberheide.org/files/cyber-pompeii.txt Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 2
The Jono • Jon Oberheide – BS, MS, and PhD (ABD) from U of M – CTO of Scio Security • What we're talking about today – Linux kernel security! Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 3
Agenda • Why the Linux Kernel? • A History of Vulns • Vulnerability Classes • Wrap-up Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 4
Why the Linux Kernel? • Administrators: – Know your exposure! • Researchers: – Relatively soft target – Lots of interesting vulndev opportunities • Security mechanisms not deployed – Available in external patches, not in mainline – Execution overhead can be nontrivial Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 5
Linus Wins a Pwnie! • Good: distro in charge of security! • Bad: distro in charge of security! • Eugene++ Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 6
Bug Misclassification • Many have non-obvious security impact – Often “silently” fixed – Intentional or not, same impact • Miscommunication between devs/distros • Attackers may classify better! – Unfortunate side-effect of open development Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 7
Embedded Devices: Mobile! • My mobile phone! – Android, Bada, MeeGo, WebOS – 1990s exploitability – Lack of user patching – Numerous untrusted users (aka apps) • Third-party “sleeper” apps – Legitimate looking app/game – Get solid user base of installs – Wait for privesc, deliver payload, rootkit! – Easy to win race against provider Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 8
Android Privilege Escalation • Zinx port of spender's wunderbar_emporium [1,2] • Didn't have MMAP_MIN_ADDR • Map get_root() object code at 0x0 • Trigger sock_sendpage() NULL func ptr deref • Root archived! • Rootkit loading • CONFIG_MODULES=y • /dev/mem unrestricted Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation
Embedded Devices: TVs! • My LG TV! – MIPS box – Flash malicious firmware via USB – Pop root shell via serial – Now with built-in ethernet/wifi........ Linux version 2.6.26 (gunhoon@swfarm-l1) (gcc version 3.4.3 (MontaVista 3.4.3- 25.0.70.0501961 2005-12-18)) #108 PREEMPT Wed Nov 4 09:22:14 KST 2009 Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 10
Kernel vs. Userspace Traditional memory corruption vulns are boring! • Userspace increasingly hardened – NX + ASLR + PIE + RELRO + canaries = hard. • Non-traditional vulns more interesting – A couple in userspace (eg. udev vuln [3,4]) – A whole lot more in kernel space – Require semantic knowledge of a particular subsystem – Pros: interesting vulndev; Cons: non-reusable patterns > 60% of local privilege escalations are not traditional stack/heap memory corruption Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 11
Kernel vs. Userspace THE INFOSEC Advanced Pompeii THERMOMETER!!! Threats “CYBER WAR” USERSPACE KERNEL SQUIRRELS VULNS VULNS OLD AND TIRED HOT-POCKET WARM THE HOTNESS Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 12
Agenda • Why the Linux Kernel? • A History of Vulns • Vulnerability Classes • Wrap-up Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 13
Vulnerabilities By Year Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 14
2005?!? • 2.6.11 – first release of 2005 – Start of the 2.6.x.y stable versioning scheme Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 15
Vulnerability Severity Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 16
Vulnerabilities by SLOC Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 17
Other OS Kernel Vulns 2009 Medium CVSS Severity 2009 High CVSS Severity The Linux kernel averaged > 2 vulns/week for all of 2009. Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 18
Agenda • Why the Linux Kernel? • A History of Vulns • Vulnerability Classes • Wrap-up Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 19
Exploit Vectors • Remote – Fairly rare – sgrakkyu's sctp_houdini [5], Julien's madwifi [6] – Interrupt context issues [7] • Local – Quite common – Mostly in form of privilege escalation – Kernel has a fairly large attack surface Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 20
Kernel Attack Surface setuid ioctls sockopts mremap caps brk ptrace SYSTEM CALLS vmsplice CREDENTIALS MM SUBSYSTEM madwifi compat DEVICE DRIVERS KERNEL ARCHITECTURE e1000e kvm NETWORK CHAR DEVICES netfilter FILESYSTEMS tty sctp raw mac80211 reiserfs cifs binfmt proc Contrary to popular belief, most vulns are not in device drivers. Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 21
Let's Look at a Recent Example • Vulnerability in ReiserFS filesystem [8] • .reiserfs_priv fails to enforce perms – A virtual path, you won't see this is “ls -la /” – Internal filesystem usage • Including extended attribute (xattr) storage – We can write xattrs for arbitrary files! Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 22
ReiserFS Exploit • Ok, arbitrary xattrs, how to escalate? – One xattr use: POSIX file capabilities – Finer-grained privs than setuid bit (eg. CAP_NET_RAW) • CAP_SETUID sounds good! – Let's apply it to our own shell! • Ok, how to get inode/object id of shell? – Compile shell, getdents(), set dummy xattr, getdents() – Write out CAP_SETUID xattr, exec the shell, root! • Demo against fully patched Ubuntu http://jon.oberheide.org/files/team-edward.py Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 23
What's Interesting Here? • No memory corruption here! – Just a bit of fs/xattr/caps knowledge – Not a repeatable bug class / exploit pattern • Representative of many Linux kernel vulns – Lots of one-off logic bugs like this one – But we also have the “standard” classes, too Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 24
Kernel Stack Smashing • If you can do userland, you can do kernel • We have existing protection mechanisms – Stack canaries, bounds checking, etc – But, how effective in kernel space? – Not so great... [9,10] Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 25
FORTIFY_SOURCE Coverage • FORTIFY_SOURCE – Compile-time bounds checking on potentially unsafe stack operations (strcpy/memcpy/etc) • gcc __builtin_object_size [11] $ make allyesconfig && make $ cat success.txt | wc ­l • Total: 5725 +11638 = 17363 5725 $ cat fail­o­rama.txt | wc ­l • Coverage: 5725 / 17363 = 32.9% 11638 GCC's FORTIFY_SOURCE covers < 1/3 of bounds checking cases. Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 26
Kernel Heap Overflows • SLAB/SLUB/SLOB allocators – SLUB is default on current kernels – Provides the kmalloc() family • Must reads: – tioctl/sctp_houdini.c [12,5] – Larry H's Phrack 66 article [13] • KERNHEAP Heap Protection [14] – Metadata protection, safe unlinking, etc Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 27
Userland Pointer Dereference • Often misclassified as NULL ptr derefs – NULL is just a specific case (address 0x0) – Happens to be more common due to programming mistakes • Shared VM architectures – Userspace and kernel in single VM space – Unsafe deference of userspace pointers by kernel code – Usually FP deref or data control converted later Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 28
Traditional Exploitation Pattern • Assuming NULL deref of FP • Set up your payload – mmap(0, …) – memcpy(0, shellcode, sizeof(shellcode)); • Trigger the NULL deref – sendfile(fd1, fd2, NULL, 4096); • See enlightenment framework [15] – Just fill in your prepare/trigger functions and boom! Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 29
An Example From...OpenBSD?!? • Ok, it's not Linux, I'm cheating! – But it's multi-stage, kind of cute • getsockopt() [16] – NULL dereference – Controlled write of 0x1 Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 30
Exploit Procedure USERSPACE 1. Call mmap to map zero page KERNEL 2. Set up fake mbuf at 0x0 mbuf->data should point to address of a syscall table entry 3. Call getsockopt to trigger vuln 4. Kernel accesses fake mbuf located at 0x0, writes value 0x1 to address in mbuf->data, 5. Set up root-getting shellcode overwriting syscall entry at address 0x1 6. Call syscall that we overwrote 7. Kernel derefs system call to 0x1 and executes shellcode ROOT! located there. Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 31
Protection Against User Derefs • /proc/sys/vm/mmap_min_addr – Can't mmap to addrs < mmap_min_addr – Blocks NULL ptr derefs, but not all user derefs – Has been bypassed multiple times [17] • UDEREF in grsecurity [18] – Segmentation on i386 – Just released x64 support (spender/pipacs) [19] Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 32
Memory Disclosure • Leak sensitive kernel memory to userspace – Commonly through unbounded copy_to_user() • Pair up info leak w/setuid exploit – Leak task_struct/vma information for ASLR bypass • Pair up info leak w/kernel exploit – Leak stack canary value from task_struct Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 33
Memory Disclosure Example 1. len is attacker controlled 2. no upper bounds check 3. unbounded copy_to_user SCTP getsockopt() kernel memory disclosure [20] Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 34
Race Conditions • Comes in many forms: – eg. ptrace_attach, user copies • Hard on UP, easier on SMP – Force kernel to sleep/reschedule on UP – Great work from sgrakkyu and twiz [21] • Ex: sendmsg() multiple user copy vuln Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 35
Race Condition Example [2] copy length value from userspace [3] sanity check length value RACE WINDOW! [6] re-copy length value from userspace [7] perform copy_from_user with length value Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 36
MM Desynchronization • Confusing the MM subsystem – Desynchronize book-keeping state of MM from what the actual state is in memory • PS3 hack analogy [22] – George Hotz, OS ↔ hypervisor – Glitching the memory bus during memory mappings • We can do the same for the kernel MM – But of course between userspace ↔ OS – Our “glitching” is just leveraging a book-keeping bug Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 37
MM Desynchronization • Some classic exploits from isec.pl guys – mremap/unmap/do_brk [23,24,25] • Hugely simplified do_brk – Expand heap via brk(2) – Lack of addr sanity checking – Expand past TASK_SIZE – mprotect() to alter MMU prot – Kernel confused..thinks it's part of heap, approves! – Kernel memory now writable by userspace Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 38
Agenda • Why the Linux Kernel? • A History of Vulns • Vulnerability Classes • Wrap-up Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 39
What You Can Do! • Researchers: – Spend more time in kernel space! – There's much fun to be had! • Administrators – Distros are conservative, poke them! – Lots of hardening you can do on your own – grsecurity / PaX / KERNHEAP patchsets [26,14] – Most importantly, support/sponsor these guys for their hard work Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 40
Auditing With checksec.sh • checksec.sh – Tobias Klein [27] – ASLR, RELRO, NX, PIE, canaries, etc • Now with kernel support! – Checks for a number of kernel hardening features Patched version w/kernel support: http://jon.oberheide.org/files/checksec.sh Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 41
Take Away • Message is not: “Don't use Linux, it's insecure, lolz!” • Security is not measured in absolutes – Risk management → uncertainty management “There are known knowns. There are things we know that we know. There are known unknowns. That is to say there are things that we now know we don't know. But there are also unknown unknowns. There are things we do not know we don't know.” -- Donald Rumsfield Or, more concisely: “Now you know, and knowing is half the battle!” -- GI JOE Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 42
Thank you QUESTIONS? Jon Oberheide / @jonoberheide / jono@sciosecurity.com Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 43
References [1] http://zenthought.org/content/project/flashrec [2] http://www.grsecurity.net/~spender/wunderbar_emporium.tgz [3] http://c-skills.blogspot.com/2009/04/udev-trickery-cve-2009-1185-and-cve.html [4] http://jon.oberheide.org/files/cve-2009-1185.c [5] http://sgrakkyu.antifork.org/sctp_houdini.c [6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6332 [7] http://www.springerlink.com/content/m2783777l47t3836/ [8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1146 [9] http://lwn.net/Articles/342182/ [10] http://www.grsecurity.net/~spender/fortify_source_30_percent_coverage_sucks.patch [11] http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html [12] http://sgrakkyu.antifork.org/tiocl_houdini.c [13] http://www.phrack.org/issues.html?issue=66&id=15 [14] http://www.subreption.com/kernheap/ [15] http://www.grsecurity.net/~spender/enlightenment.tgz [16] http://marc.info/?l=openbsd-cvs&m=125676466108709&w=2 [17] http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html [18] http://www.grsecurity.net/~spender/uderef.txt [19] http://www.grsecurity.net/pipermail/grsecurity/2010-April/001024.html [20] http://jon.oberheide.org/files/cve-2008-4113.c [21] http://www.phrack.org/issues.html?issue=64&id=6 [22] http://rdist.root.org/2010/01/27/how-the-ps3-hypervisor-was-hacked/ [23] http://isec.pl/vulnerabilities/isec-0012-do_brk.txt [24] http://isec.pl/vulnerabilities/isec-0013-mremap.txt [25] http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt [26] http://grsecurity.net/features.php [27] http://www.trapkit.de/tools/checksec.html Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 44

Recomendados

Exploitation of counter overflows in the Linux kernel
Exploitation of counter overflows in the Linux kernelExploitation of counter overflows in the Linux kernel
Exploitation of counter overflows in the Linux kernel
Vitaly Nikolenko
 
Linux SMEP bypass techniques
Linux SMEP bypass techniquesLinux SMEP bypass techniques
Linux SMEP bypass techniques
Vitaly Nikolenko
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction
Project ACRN
 
Metasploit
MetasploitMetasploit
Metasploit
Institute of Information Security (IIS)
 
Scheduling in Android
Scheduling in AndroidScheduling in Android
Scheduling in Android
Opersys inc.
 
OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?
ScyllaDB
 
Introduction to char device driver
Introduction to char device driverIntroduction to char device driver
Introduction to char device driver
Vandana Salve
 

Recomendados

Exploitation of counter overflows in the Linux kernel
Exploitation of counter overflows in the Linux kernelExploitation of counter overflows in the Linux kernel
Exploitation of counter overflows in the Linux kernel
Vitaly Nikolenko
 
Linux SMEP bypass techniques
Linux SMEP bypass techniquesLinux SMEP bypass techniques
Linux SMEP bypass techniques
Vitaly Nikolenko
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction
Project ACRN
 
Metasploit
MetasploitMetasploit
Metasploit
Institute of Information Security (IIS)
 
Scheduling in Android
Scheduling in AndroidScheduling in Android
Scheduling in Android
Opersys inc.
 
OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?
ScyllaDB
 
Introduction to char device driver
Introduction to char device driverIntroduction to char device driver
Introduction to char device driver
Vandana Salve
 
Unix 1st sem lab programs a - VTU Karnataka
Unix 1st sem lab programs a - VTU KarnatakaUnix 1st sem lab programs a - VTU Karnataka
Unix 1st sem lab programs a - VTU Karnataka
iCreateWorld
 
Introduction to threat_modeling
Introduction to threat_modelingIntroduction to threat_modeling
Introduction to threat_modeling
Prabath Siriwardena
 
[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo
[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo
[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo
CODE BLUE
 
CNIT 127 Ch 8: Windows overflows (Part 1)
CNIT 127 Ch 8: Windows overflows (Part 1)CNIT 127 Ch 8: Windows overflows (Part 1)
CNIT 127 Ch 8: Windows overflows (Part 1)
Sam Bowne
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Shakacon
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
Cpu performance matrix
Cpu performance matrixCpu performance matrix
Cpu performance matrix
Rehman baig
 
Introduction to Browser Fuzzing
Introduction to Browser FuzzingIntroduction to Browser Fuzzing
Introduction to Browser Fuzzing
n|u - The Open Security Community
 
syzkaller: the next gen kernel fuzzer
syzkaller: the next gen kernel fuzzersyzkaller: the next gen kernel fuzzer
syzkaller: the next gen kernel fuzzer
Dmitry Vyukov
 
Kali Linux
Kali LinuxKali Linux
Kali Linux
Chanchal Dabriya
 
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs BlueBlack Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Chris Sistrunk
 
Windows internals
Windows internalsWindows internals
Windows internals
Piyush Jain
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Teymur Kheirkhabarov
 
Improving of software processes
Improving of software processesImproving of software processes
Improving of software processes
REHMAT ULLAH
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
Introduction to Kernel and Device Drivers
Introduction to Kernel and Device DriversIntroduction to Kernel and Device Drivers
Introduction to Kernel and Device Drivers
RajKumar Rampelli
 
New Ways to Find Latency in Linux Using Tracing
New Ways to Find Latency in Linux Using TracingNew Ways to Find Latency in Linux Using Tracing
New Ways to Find Latency in Linux Using Tracing
ScyllaDB
 
Lec 01_Linux System Administration (1).pptx
Lec 01_Linux System Administration (1).pptxLec 01_Linux System Administration (1).pptx
Lec 01_Linux System Administration (1).pptx
ShabanaShafi3
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAP
Phannarith Ou, G-CISO
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
Douglas Bienstock
 
A particle filter based scheme for indoor tracking on an Android Smartphone
A particle filter based scheme for indoor tracking on an Android SmartphoneA particle filter based scheme for indoor tracking on an Android Smartphone
A particle filter based scheme for indoor tracking on an Android Smartphone
Divye Kapoor
 
Kernel Recipes 2015: The stable Linux Kernel Tree - 10 years of insanity
Kernel Recipes 2015: The stable Linux Kernel Tree - 10 years of insanityKernel Recipes 2015: The stable Linux Kernel Tree - 10 years of insanity
Kernel Recipes 2015: The stable Linux Kernel Tree - 10 years of insanity
Anne Nicolas
 

Mais conteúdo relacionado

Mais procurados

[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo
[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo
[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo
CODE BLUE
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Shakacon
 
New Ways to Find Latency in Linux Using Tracing
New Ways to Find Latency in Linux Using TracingNew Ways to Find Latency in Linux Using Tracing
New Ways to Find Latency in Linux Using Tracing
ScyllaDB
 

Mais procurados (20)

Unix 1st sem lab programs a - VTU Karnataka
Unix 1st sem lab programs a - VTU KarnatakaUnix 1st sem lab programs a - VTU Karnataka
Unix 1st sem lab programs a - VTU Karnataka
 
Introduction to threat_modeling
Introduction to threat_modelingIntroduction to threat_modeling
Introduction to threat_modeling
 
[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo
[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo
[CB21] NAS as Not As Secure by Ta-Lun Yen and Shirley Kuo
 
CNIT 127 Ch 8: Windows overflows (Part 1)
CNIT 127 Ch 8: Windows overflows (Part 1)CNIT 127 Ch 8: Windows overflows (Part 1)
CNIT 127 Ch 8: Windows overflows (Part 1)
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
 
Cpu performance matrix
Cpu performance matrixCpu performance matrix
Cpu performance matrix
 
Introduction to Browser Fuzzing
Introduction to Browser FuzzingIntroduction to Browser Fuzzing
Introduction to Browser Fuzzing
 
syzkaller: the next gen kernel fuzzer
syzkaller: the next gen kernel fuzzersyzkaller: the next gen kernel fuzzer
syzkaller: the next gen kernel fuzzer
 
Kali Linux
Kali LinuxKali Linux
Kali Linux
 
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs BlueBlack Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
 
Windows internals
Windows internalsWindows internals
Windows internals
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Improving of software processes
Improving of software processesImproving of software processes
Improving of software processes
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 
Introduction to Kernel and Device Drivers
Introduction to Kernel and Device DriversIntroduction to Kernel and Device Drivers
Introduction to Kernel and Device Drivers
 
New Ways to Find Latency in Linux Using Tracing
New Ways to Find Latency in Linux Using TracingNew Ways to Find Latency in Linux Using Tracing
New Ways to Find Latency in Linux Using Tracing
 
Lec 01_Linux System Administration (1).pptx
Lec 01_Linux System Administration (1).pptxLec 01_Linux System Administration (1).pptx
Lec 01_Linux System Administration (1).pptx
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAP
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
 

Destaque

The TCP/IP stack in the FreeBSD kernel COSCUP 2014
The TCP/IP stack in the FreeBSD kernel COSCUP 2014The TCP/IP stack in the FreeBSD kernel COSCUP 2014
The TCP/IP stack in the FreeBSD kernel COSCUP 2014
Kevin Lo
 
LAS16-403 - GDB Linux Kernel Awareness
LAS16-403 - GDB Linux Kernel Awareness LAS16-403 - GDB Linux Kernel Awareness
LAS16-403 - GDB Linux Kernel Awareness
Peter Griffin
 
FD.IO Vector Packet Processing
FD.IO Vector Packet ProcessingFD.IO Vector Packet Processing
FD.IO Vector Packet Processing
Kernel TLV
 
Rootkit on Linux X86 v2.6
Rootkit on Linux X86 v2.6Rootkit on Linux X86 v2.6
Rootkit on Linux X86 v2.6
fisher.w.y
 

Destaque (20)

A particle filter based scheme for indoor tracking on an Android Smartphone
A particle filter based scheme for indoor tracking on an Android SmartphoneA particle filter based scheme for indoor tracking on an Android Smartphone
A particle filter based scheme for indoor tracking on an Android Smartphone
 
Kernel Recipes 2015: The stable Linux Kernel Tree - 10 years of insanity
Kernel Recipes 2015: The stable Linux Kernel Tree - 10 years of insanityKernel Recipes 2015: The stable Linux Kernel Tree - 10 years of insanity
Kernel Recipes 2015: The stable Linux Kernel Tree - 10 years of insanity
 
Cybermania Mains
Cybermania MainsCybermania Mains
Cybermania Mains
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
 
Rootkit 102 - Kernel-Based Rootkit
Rootkit 102 - Kernel-Based RootkitRootkit 102 - Kernel-Based Rootkit
Rootkit 102 - Kernel-Based Rootkit
 
Cybermania Prelims
Cybermania PrelimsCybermania Prelims
Cybermania Prelims
 
Linux performance
Linux performanceLinux performance
Linux performance
 
Linux Internals - Kernel/Core
Linux Internals - Kernel/CoreLinux Internals - Kernel/Core
Linux Internals - Kernel/Core
 
The TCP/IP stack in the FreeBSD kernel COSCUP 2014
The TCP/IP stack in the FreeBSD kernel COSCUP 2014The TCP/IP stack in the FreeBSD kernel COSCUP 2014
The TCP/IP stack in the FreeBSD kernel COSCUP 2014
 
LAS16-403 - GDB Linux Kernel Awareness
LAS16-403 - GDB Linux Kernel Awareness LAS16-403 - GDB Linux Kernel Awareness
LAS16-403 - GDB Linux Kernel Awareness
 
The Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOsThe Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOs
 
FD.IO Vector Packet Processing
FD.IO Vector Packet ProcessingFD.IO Vector Packet Processing
FD.IO Vector Packet Processing
 
Scio
ScioScio
Scio
 
Rootkit on Linux X86 v2.6
Rootkit on Linux X86 v2.6Rootkit on Linux X86 v2.6
Rootkit on Linux X86 v2.6
 
Part 04 Creating a System Call in Linux
Part 04 Creating a System Call in LinuxPart 04 Creating a System Call in Linux
Part 04 Creating a System Call in Linux
 
了解网络
了解网络了解网络
了解网络
 
Debugging Applications with GNU Debugger
Debugging Applications with GNU DebuggerDebugging Applications with GNU Debugger
Debugging Applications with GNU Debugger
 
Nutrition and It's Importance
Nutrition and It's ImportanceNutrition and It's Importance
Nutrition and It's Importance
 
了解Cpu
了解Cpu了解Cpu
了解Cpu
 
The Stack Frame
The Stack FrameThe Stack Frame
The Stack Frame
 

Semelhante a Linux Kernel Exploitation

Scale11x lxc talk
Scale11x lxc talkScale11x lxc talk
Scale11x lxc talk
dotCloud
 
Lightweight Virtualization in Linux
Lightweight Virtualization in LinuxLightweight Virtualization in Linux
Lightweight Virtualization in Linux
Sadegh Dorri N.
 
How to Run Solr on Docker and Why
How to Run Solr on Docker and WhyHow to Run Solr on Docker and Why
How to Run Solr on Docker and Why
Sematext Group, Inc.
 
108484130 pod2g-jailbreak-techniques-wwjc-2012
108484130 pod2g-jailbreak-techniques-wwjc-2012108484130 pod2g-jailbreak-techniques-wwjc-2012
108484130 pod2g-jailbreak-techniques-wwjc-2012
wtreterte
 

Semelhante a Linux Kernel Exploitation (20)

淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道
 
L4 Microkernel :: Design Overview
L4 Microkernel :: Design OverviewL4 Microkernel :: Design Overview
L4 Microkernel :: Design Overview
 
Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)
 
Scale11x lxc talk
Scale11x lxc talkScale11x lxc talk
Scale11x lxc talk
 
Linux on System z Update: Current & Future Linux on System z Technology
Linux on System z Update: Current & Future Linux on System z TechnologyLinux on System z Update: Current & Future Linux on System z Technology
Linux on System z Update: Current & Future Linux on System z Technology
 
Kernel Recipes 2013 - Easy rootfs using Buildroot
Kernel Recipes 2013 - Easy rootfs using BuildrootKernel Recipes 2013 - Easy rootfs using Buildroot
Kernel Recipes 2013 - Easy rootfs using Buildroot
 
Lightweight Virtualization in Linux
Lightweight Virtualization in LinuxLightweight Virtualization in Linux
Lightweight Virtualization in Linux
 
A Bug Hunter's Perspective on Unix Drivers
A Bug Hunter's Perspective on Unix DriversA Bug Hunter's Perspective on Unix Drivers
A Bug Hunter's Perspective on Unix Drivers
 
History of Android Security – from linux to jelly bean
History of Android Security – from linux to jelly beanHistory of Android Security – from linux to jelly bean
History of Android Security – from linux to jelly bean
 
introduction.pdf
introduction.pdfintroduction.pdf
introduction.pdf
 
Microkernels and Beyond
Microkernels and BeyondMicrokernels and Beyond
Microkernels and Beyond
 
HITBSecConf 2017-Shadow-Box-the Practical and Omnipotent Sandbox
HITBSecConf 2017-Shadow-Box-the Practical and Omnipotent SandboxHITBSecConf 2017-Shadow-Box-the Practical and Omnipotent Sandbox
HITBSecConf 2017-Shadow-Box-the Practical and Omnipotent Sandbox
 
Unikernels: Rise of the Library Hypervisor
Unikernels: Rise of the Library HypervisorUnikernels: Rise of the Library Hypervisor
Unikernels: Rise of the Library Hypervisor
 
Let Me Pick Your Brain - Remote Forensics in Hardened Environments
Let Me Pick Your Brain - Remote Forensics in Hardened EnvironmentsLet Me Pick Your Brain - Remote Forensics in Hardened Environments
Let Me Pick Your Brain - Remote Forensics in Hardened Environments
 
How to Run Solr on Docker and Why
How to Run Solr on Docker and WhyHow to Run Solr on Docker and Why
How to Run Solr on Docker and Why
 
Usernetes: Kubernetes as a non-root user
Usernetes: Kubernetes as a non-root userUsernetes: Kubernetes as a non-root user
Usernetes: Kubernetes as a non-root user
 
KubeCon EU 2016: Secure, Cloud-Native Networking with Project Calico
KubeCon EU 2016: Secure, Cloud-Native Networking with Project CalicoKubeCon EU 2016: Secure, Cloud-Native Networking with Project Calico
KubeCon EU 2016: Secure, Cloud-Native Networking with Project Calico
 
olibc: Another C Library optimized for Embedded Linux
olibc: Another C Library optimized for Embedded Linuxolibc: Another C Library optimized for Embedded Linux
olibc: Another C Library optimized for Embedded Linux
 
108484130 pod2g-jailbreak-techniques-wwjc-2012
108484130 pod2g-jailbreak-techniques-wwjc-2012108484130 pod2g-jailbreak-techniques-wwjc-2012
108484130 pod2g-jailbreak-techniques-wwjc-2012
 
Unikernels: the rise of the library hypervisor in MirageOS
Unikernels: the rise of the library hypervisor in MirageOSUnikernels: the rise of the library hypervisor in MirageOS
Unikernels: the rise of the library hypervisor in MirageOS
 

Último

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Último (20)

CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

Linux Kernel Exploitation

  • 1. Linux Kernel Exploitation Earning Its Pwnie a Vuln at a Time Jon Oberheide CTO, Scio Security This document is confidential and is intended solely for use by its original recipient for informational purposes. Neither the document nor any of the information contained in this document may be reproduced or disclosed to other persons without the prior written approval of Scio Security, Inc.
  • 2. An Ode to My Dear Eyjafjallajokull BEWARE THE CYBER POMPEII http://jon.oberheide.org/files/cyber-pompeii.txt Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 2
  • 3. The Jono • Jon Oberheide – BS, MS, and PhD (ABD) from U of M – CTO of Scio Security • What we're talking about today – Linux kernel security! Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 3
  • 4. Agenda • Why the Linux Kernel? • A History of Vulns • Vulnerability Classes • Wrap-up Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 4
  • 5. Why the Linux Kernel? • Administrators: – Know your exposure! • Researchers: – Relatively soft target – Lots of interesting vulndev opportunities • Security mechanisms not deployed – Available in external patches, not in mainline – Execution overhead can be nontrivial Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 5
  • 6. Linus Wins a Pwnie! • Good: distro in charge of security! • Bad: distro in charge of security! • Eugene++ Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 6
  • 7. Bug Misclassification • Many have non-obvious security impact – Often “silently” fixed – Intentional or not, same impact • Miscommunication between devs/distros • Attackers may classify better! – Unfortunate side-effect of open development Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 7
  • 8. Embedded Devices: Mobile! • My mobile phone! – Android, Bada, MeeGo, WebOS – 1990s exploitability – Lack of user patching – Numerous untrusted users (aka apps) • Third-party “sleeper” apps – Legitimate looking app/game – Get solid user base of installs – Wait for privesc, deliver payload, rootkit! – Easy to win race against provider Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 8
  • 9. Android Privilege Escalation • Zinx port of spender's wunderbar_emporium [1,2] • Didn't have MMAP_MIN_ADDR • Map get_root() object code at 0x0 • Trigger sock_sendpage() NULL func ptr deref • Root archived! • Rootkit loading • CONFIG_MODULES=y • /dev/mem unrestricted Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation
  • 10. Embedded Devices: TVs! • My LG TV! – MIPS box – Flash malicious firmware via USB – Pop root shell via serial – Now with built-in ethernet/wifi........ Linux version 2.6.26 (gunhoon@swfarm-l1) (gcc version 3.4.3 (MontaVista 3.4.3- 25.0.70.0501961 2005-12-18)) #108 PREEMPT Wed Nov 4 09:22:14 KST 2009 Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 10
  • 11. Kernel vs. Userspace Traditional memory corruption vulns are boring! • Userspace increasingly hardened – NX + ASLR + PIE + RELRO + canaries = hard. • Non-traditional vulns more interesting – A couple in userspace (eg. udev vuln [3,4]) – A whole lot more in kernel space – Require semantic knowledge of a particular subsystem – Pros: interesting vulndev; Cons: non-reusable patterns > 60% of local privilege escalations are not traditional stack/heap memory corruption Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 11
  • 12. Kernel vs. Userspace THE INFOSEC Advanced Pompeii THERMOMETER!!! Threats “CYBER WAR” USERSPACE KERNEL SQUIRRELS VULNS VULNS OLD AND TIRED HOT-POCKET WARM THE HOTNESS Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 12
  • 13. Agenda • Why the Linux Kernel? • A History of Vulns • Vulnerability Classes • Wrap-up Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 13
  • 14. Vulnerabilities By Year Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 14
  • 15. 2005?!? • 2.6.11 – first release of 2005 – Start of the 2.6.x.y stable versioning scheme Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 15
  • 16. Vulnerability Severity Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 16
  • 17. Vulnerabilities by SLOC Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 17
  • 18. Other OS Kernel Vulns 2009 Medium CVSS Severity 2009 High CVSS Severity The Linux kernel averaged > 2 vulns/week for all of 2009. Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 18
  • 19. Agenda • Why the Linux Kernel? • A History of Vulns • Vulnerability Classes • Wrap-up Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 19
  • 20. Exploit Vectors • Remote – Fairly rare – sgrakkyu's sctp_houdini [5], Julien's madwifi [6] – Interrupt context issues [7] • Local – Quite common – Mostly in form of privilege escalation – Kernel has a fairly large attack surface Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 20
  • 21. Kernel Attack Surface setuid ioctls sockopts mremap caps brk ptrace SYSTEM CALLS vmsplice CREDENTIALS MM SUBSYSTEM madwifi compat DEVICE DRIVERS KERNEL ARCHITECTURE e1000e kvm NETWORK CHAR DEVICES netfilter FILESYSTEMS tty sctp raw mac80211 reiserfs cifs binfmt proc Contrary to popular belief, most vulns are not in device drivers. Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 21
  • 22. Let's Look at a Recent Example • Vulnerability in ReiserFS filesystem [8] • .reiserfs_priv fails to enforce perms – A virtual path, you won't see this is “ls -la /” – Internal filesystem usage • Including extended attribute (xattr) storage – We can write xattrs for arbitrary files! Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 22
  • 23. ReiserFS Exploit • Ok, arbitrary xattrs, how to escalate? – One xattr use: POSIX file capabilities – Finer-grained privs than setuid bit (eg. CAP_NET_RAW) • CAP_SETUID sounds good! – Let's apply it to our own shell! • Ok, how to get inode/object id of shell? – Compile shell, getdents(), set dummy xattr, getdents() – Write out CAP_SETUID xattr, exec the shell, root! • Demo against fully patched Ubuntu http://jon.oberheide.org/files/team-edward.py Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 23
  • 24. What's Interesting Here? • No memory corruption here! – Just a bit of fs/xattr/caps knowledge – Not a repeatable bug class / exploit pattern • Representative of many Linux kernel vulns – Lots of one-off logic bugs like this one – But we also have the “standard” classes, too Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 24
  • 25. Kernel Stack Smashing • If you can do userland, you can do kernel • We have existing protection mechanisms – Stack canaries, bounds checking, etc – But, how effective in kernel space? – Not so great... [9,10] Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 25
  • 26. FORTIFY_SOURCE Coverage • FORTIFY_SOURCE – Compile-time bounds checking on potentially unsafe stack operations (strcpy/memcpy/etc) • gcc __builtin_object_size [11] $ make allyesconfig && make $ cat success.txt | wc ­l • Total: 5725 +11638 = 17363 5725 $ cat fail­o­rama.txt | wc ­l • Coverage: 5725 / 17363 = 32.9% 11638 GCC's FORTIFY_SOURCE covers < 1/3 of bounds checking cases. Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 26
  • 27. Kernel Heap Overflows • SLAB/SLUB/SLOB allocators – SLUB is default on current kernels – Provides the kmalloc() family • Must reads: – tioctl/sctp_houdini.c [12,5] – Larry H's Phrack 66 article [13] • KERNHEAP Heap Protection [14] – Metadata protection, safe unlinking, etc Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 27
  • 28. Userland Pointer Dereference • Often misclassified as NULL ptr derefs – NULL is just a specific case (address 0x0) – Happens to be more common due to programming mistakes • Shared VM architectures – Userspace and kernel in single VM space – Unsafe deference of userspace pointers by kernel code – Usually FP deref or data control converted later Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 28
  • 29. Traditional Exploitation Pattern • Assuming NULL deref of FP • Set up your payload – mmap(0, …) – memcpy(0, shellcode, sizeof(shellcode)); • Trigger the NULL deref – sendfile(fd1, fd2, NULL, 4096); • See enlightenment framework [15] – Just fill in your prepare/trigger functions and boom! Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 29
  • 30. An Example From...OpenBSD?!? • Ok, it's not Linux, I'm cheating! – But it's multi-stage, kind of cute • getsockopt() [16] – NULL dereference – Controlled write of 0x1 Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 30
  • 31. Exploit Procedure USERSPACE 1. Call mmap to map zero page KERNEL 2. Set up fake mbuf at 0x0 mbuf->data should point to address of a syscall table entry 3. Call getsockopt to trigger vuln 4. Kernel accesses fake mbuf located at 0x0, writes value 0x1 to address in mbuf->data, 5. Set up root-getting shellcode overwriting syscall entry at address 0x1 6. Call syscall that we overwrote 7. Kernel derefs system call to 0x1 and executes shellcode ROOT! located there. Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 31
  • 32. Protection Against User Derefs • /proc/sys/vm/mmap_min_addr – Can't mmap to addrs < mmap_min_addr – Blocks NULL ptr derefs, but not all user derefs – Has been bypassed multiple times [17] • UDEREF in grsecurity [18] – Segmentation on i386 – Just released x64 support (spender/pipacs) [19] Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 32
  • 33. Memory Disclosure • Leak sensitive kernel memory to userspace – Commonly through unbounded copy_to_user() • Pair up info leak w/setuid exploit – Leak task_struct/vma information for ASLR bypass • Pair up info leak w/kernel exploit – Leak stack canary value from task_struct Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 33
  • 34. Memory Disclosure Example 1. len is attacker controlled 2. no upper bounds check 3. unbounded copy_to_user SCTP getsockopt() kernel memory disclosure [20] Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 34
  • 35. Race Conditions • Comes in many forms: – eg. ptrace_attach, user copies • Hard on UP, easier on SMP – Force kernel to sleep/reschedule on UP – Great work from sgrakkyu and twiz [21] • Ex: sendmsg() multiple user copy vuln Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 35
  • 36. Race Condition Example [2] copy length value from userspace [3] sanity check length value RACE WINDOW! [6] re-copy length value from userspace [7] perform copy_from_user with length value Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 36
  • 37. MM Desynchronization • Confusing the MM subsystem – Desynchronize book-keeping state of MM from what the actual state is in memory • PS3 hack analogy [22] – George Hotz, OS ↔ hypervisor – Glitching the memory bus during memory mappings • We can do the same for the kernel MM – But of course between userspace ↔ OS – Our “glitching” is just leveraging a book-keeping bug Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 37
  • 38. MM Desynchronization • Some classic exploits from isec.pl guys – mremap/unmap/do_brk [23,24,25] • Hugely simplified do_brk – Expand heap via brk(2) – Lack of addr sanity checking – Expand past TASK_SIZE – mprotect() to alter MMU prot – Kernel confused..thinks it's part of heap, approves! – Kernel memory now writable by userspace Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 38
  • 39. Agenda • Why the Linux Kernel? • A History of Vulns • Vulnerability Classes • Wrap-up Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 39
  • 40. What You Can Do! • Researchers: – Spend more time in kernel space! – There's much fun to be had! • Administrators – Distros are conservative, poke them! – Lots of hardening you can do on your own – grsecurity / PaX / KERNHEAP patchsets [26,14] – Most importantly, support/sponsor these guys for their hard work Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 40
  • 41. Auditing With checksec.sh • checksec.sh – Tobias Klein [27] – ASLR, RELRO, NX, PIE, canaries, etc • Now with kernel support! – Checks for a number of kernel hardening features Patched version w/kernel support: http://jon.oberheide.org/files/checksec.sh Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 41
  • 42. Take Away • Message is not: “Don't use Linux, it's insecure, lolz!” • Security is not measured in absolutes – Risk management → uncertainty management “There are known knowns. There are things we know that we know. There are known unknowns. That is to say there are things that we now know we don't know. But there are also unknown unknowns. There are things we do not know we don't know.” -- Donald Rumsfield Or, more concisely: “Now you know, and knowing is half the battle!” -- GI JOE Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 42
  • 43. Thank you QUESTIONS? Jon Oberheide / @jonoberheide / jono@sciosecurity.com Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 43
  • 44. References [1] http://zenthought.org/content/project/flashrec [2] http://www.grsecurity.net/~spender/wunderbar_emporium.tgz [3] http://c-skills.blogspot.com/2009/04/udev-trickery-cve-2009-1185-and-cve.html [4] http://jon.oberheide.org/files/cve-2009-1185.c [5] http://sgrakkyu.antifork.org/sctp_houdini.c [6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6332 [7] http://www.springerlink.com/content/m2783777l47t3836/ [8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1146 [9] http://lwn.net/Articles/342182/ [10] http://www.grsecurity.net/~spender/fortify_source_30_percent_coverage_sucks.patch [11] http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html [12] http://sgrakkyu.antifork.org/tiocl_houdini.c [13] http://www.phrack.org/issues.html?issue=66&id=15 [14] http://www.subreption.com/kernheap/ [15] http://www.grsecurity.net/~spender/enlightenment.tgz [16] http://marc.info/?l=openbsd-cvs&m=125676466108709&w=2 [17] http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html [18] http://www.grsecurity.net/~spender/uderef.txt [19] http://www.grsecurity.net/pipermail/grsecurity/2010-April/001024.html [20] http://jon.oberheide.org/files/cve-2008-4113.c [21] http://www.phrack.org/issues.html?issue=64&id=6 [22] http://rdist.root.org/2010/01/27/how-the-ps3-hypervisor-was-hacked/ [23] http://isec.pl/vulnerabilities/isec-0012-do_brk.txt [24] http://isec.pl/vulnerabilities/isec-0013-mremap.txt [25] http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt [26] http://grsecurity.net/features.php [27] http://www.trapkit.de/tools/checksec.html Jon Oberheide – SOURCE Boston 2010 – Linux Kernel Exploitation Slide # 44