Linux Kernel Security – Telegram
Linux Kernel Security
Links related to Linux kernel security and exploitation | Chat @linkersec_chat | @xairy @a13xp0p0v
The existing collection of links related to Linux kernel security and exploitation is here:

https://github.com/xairy/linux-kernel-exploitation

New articles, talks, and other updates will be published as new posts on this channel.
Fuzzing for eBPF JIT bugs in the Linux kernel

By Simon Scannell.

https://scannell.me/fuzzing-for-ebpf-jit-bugs-in-the-linux-kernel/
The Linux eBPF verifier, the gift that keeps on giving

An LPE exploit for CVE-2020-27194.

https://haxx.in/blasty-vs-ebpf.c
kasan: boot parameters for hardware tag-based mode

Patchset, part of the Memory Tagging in production effort.

https://lkml.org/lkml/2020/11/4/1338
PLATYPUS: Software-based Power Side-Channel Attacks on x86

Side-channel attack via Intel Running Average Power Limit (RAPL). On Linux, RAPL counters are available to unprivileged users, and the attack allows leaking encryption keys from kernel modules and bypassing KASLR.

Info: https://platypusattack.com/
Paper: https://platypusattack.com/platypus.pdf
Fix: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=949dd0104c496fa7c14991a23c03c62e44637e71
We now have a chat for comments and discussions: @linkersec_chat
Debugging the Kernel with QEMU by Keith Makan

The first post of a potential upcoming Linux kernel exploitation series. Building and running the Linux kernel in QEMU. Debugging a kernel module with GDB.

https://blog.k3170makan.com/2020/11/linux-kernel-exploitation-0x0-debugging.html
Finding and exploiting a bug in an old Android phone

Finding and exploiting a Linux kernel bug in an old Motorola phone. A stream, live right now! By Brandon Falk.

Live: https://www.twitch.tv/gamozo
Part 1: https://www.youtube.com/watch?v=g62FXds2pt8
Part 2: https://www.youtube.com/watch?v=qnyFk-f3Koo
Samsung NPU (Neural Processing Unit) memory corruption in shared memory parsing

P0 researchers Ben Hawkes and Brandon Azad found a few kernel bugs affecting the Galaxy S10 and Galaxy S20. The report includes a proof-of-concept exploit that obtains a kernel read/write/execute primitive.

Info: https://bugs.chromium.org/p/project-zero/issues/detail?id=2073
Exploit: https://bugs.chromium.org/p/project-zero/issues/detail?id=2073#c1
Explaining the exploit and rants by Brandon Falk

Brandon Falk summarizes the work done on a bug in an old Motorola phone he found and exploited on stream a couple of days ago.

https://www.youtube.com/watch?v=t-t7D0vQNmo
grsecurity is nominated for a PWNIE Award 2020 as the Lamest Vendor Response

Nomination: https://pwnies.com/nominations/active/lamest-vendor-response/open-source-security-inc-grsecurity-pax

Report: Control-Flow Integrity for the Linux kernel: A Security Evaluation (by Federico Bento): https://repositorio-aberto.up.pt/bitstream/10216/125357/2/374717.pdf
Brandon Falk continues hacking an old Motorola phone

The first two streams, which included writing a kernel exploit to get arbitrary code execution, were posted above. These cover extracting a phone snapshot, including all physical memory and register states, and running it in QEMU. The streams are quite long, but can be partially skipped through to get an idea of what he's doing.

Stream 3: https://www.youtube.com/watch?v=RLzZPSPI8ds
Stream 4: https://www.youtube.com/watch?v=NJjpkzuc1k4
Stream 5, part 1: https://www.youtube.com/watch?v=6TzdYokXoF8
Stream 5, part 2: https://www.youtube.com/watch?v=hlW8ktQkyPA
Stream 6: https://www.youtube.com/watch?v=kATF_EIltHc
A Systematic Study of Elastic Objects in Kernel Exploitation

A paper that describes an approach to finding suitable slab objects to assist with exploitation of memory corruptions to achieve information leaks.

Paper: https://dl.acm.org/doi/pdf/10.1145/3372297.3423353
Video: https://www.youtube.com/watch?v=yXhH0IJAxkE
Kernel Exploitation With A File System Fuzzer

Another piece of research on fuzzing the kernel by mounting corrupted filesystems. In the first part they describe the approach, but the slides could be better, so it's hard to understand what exactly they're doing (something based on Janus [1]?). The second part discusses the exploitability of some of the found bugs and demos RIP control for one of them.

Slides: https://cyberweek.ae/materials/2020/D1T2%20-%20Kernel%20Exploitation%20with%20a%20File%20System%20Fuzzer.pdf
Video: https://www.youtube.com/watch?v=95f1b4FcrQ4

[1] https://taesoo.kim/pubs/2019/xu:janus.pdf
Healer — a kernel fuzzer inspired by syzkaller

Written in Rust. Based on a quick look through the code, it seems like a syzkaller clone in the early stages of development.

https://github.com/SunHao-0/healer