Exploiting the Linux Kernel // Andrey Konovalov

Virtual | March 9-15 | 32 Hours

BOOK NOW

ABSTRACT

4-day Linux kernel exploitation frenzy!

This training guides through the field of Linux kernel exploitation. In a series of practical labs, the training explores the process of exploiting kernel bugs in a modern Linux distribution on the x86-64 architecture.

The training is structured as a series of lectures, each followed by one or more hands-on labs. The goal of each lab is to write a Linux kernel exploit following the techniques described during the lecture.

The training starts with beginner topics but proceeds into advanced areas as well. The beginner chapters include learning how to escalate privileges and bypass foundational mitigations in x86-64 kernels. The advanced chapters are primarily dedicated to the modern slab (heap) exploitation techniques and include an in-depth analysis of the kernel allocators' internals.

The core requirement for this training is the ability to read and write C code. Basic knowledge of the x86-64 architecture and assembly, GDB, and the common binary exploitation techniques would also come in handy. There is no need to know any Linux kernel internals: all required parts are covered during the training.

Exploiting the Linux Kernel // Andrey Konovalov

Virtual | March 9-15 | 32 Hours

BOOK NOW

INTENDED AUDIENCE

Security researchers, security engineers, software developers, or anyone interested in the Linux kernel security field.

KEY LEARNING OBJECTIVES

  • Security-relevant Linux kernel internals and attack surface.
  • Kernel privilege escalation techniques.
  • Exploiting stack, global, and slab (heap) vulnerabilities.
  • Exploiting use-after-free and out-of-bounds vulnerabilities.
  • KASLR, SMEP, SMAP, and KPTI bypasses.
  • In-kernel Return-Oriented Programming (ROP).
  • Cross-cache attacks.
  • Data-only kernel exploitation.

COURSE DETAILS

Module 1 — Internals and exploitation basics:

Internals and debugging:

  • x86-64 architecture refresher
  • security-relevant Linux kernel internals and attack surface
  • types of kernel vulnerabilities
  • setting up a debugging environment with VMWare; using GDB to debug kernel and its modules.

Escalating privileges:

  • ret2usr, overwriting cred structure, overwriting modprobe_path
  • arbitrary address execution and arbitrary address read/write primitives.

Module 2 — Mitigation bypasses and slab exploitation basics:

Bypassing mitigations:

  • KASLR, SMEP, SMAP, and KPTI bypass techniques
  • in-kernel Return-Oriented Programming (ROP).

Exploiting slab corruptions:

  • in-depth SLUB internals
  • slab out-of-bounds and use-after-free vulnerabilities
  • slab spraying
  • slab-specific mitigations
  • data-only exploitation.

Module 3 — Modern slab exploitation:

Exploiting more slab corruptions:

  • cache merging and accounting
  • hardened usercopy
  • elastic objects
  • msg_msg-based exploitation techniques.

Module 4 — Advanced exploitation:

  • userfaultfd and FUSE and related exploitation techniques.
  • Cross-cache attacks and related exploitation techniques.
  • Learning more advanced exploitation techniques
  • useful references.

Knowledge Prequisites

  • Working C knowledge.
  • Familiarity with x86-64 architecture and x86-64 assembly.
  • Familiarity with GDB (GNU Debugger).
  • Familiarity with common types of vulnerabilities and exploitation techniques for userspace applications.

No prior knowledge about Linux kernel internals is required.

Hardware Requirements

  • Laptop with x86-64 architecture
  • 100Gb+ disk space
  • 16GB Memory recommended

Software Requirements

  • Host OS: Linux (recommended) or Windows.
  • VMWare Workstation Player or Pro.
  • 7-Zip.
Important: The required tooling is only tested on x86-64-based systems. ARM based systems (e.g., Apple Silicon M1, M2 or M3), or systems based on other architectures are not supported.

YOUR INSTRUCTOR: Andrey Konovalov

Andrey Konovalov is a security researcher focusing on the Linux kernel.

Andrey found multiple zero-day bugs in the Linux kernel and published proof-of-concept exploits for these bugs to demonstrate the impact. Andrey contributed to several security-related Linux kernel subsystems and tools: KASAN — a fast dynamic bug detector; syzkaller — a production-grade kernel fuzzer; and Arm Memory Tagging Extension (MTE) — an exploit mitigation.

Andrey spoke at security conferences such as OffensiveCon, Android Security Symposium, Linux Security Summit, LinuxCon, and PHDays. Andrey also maintains a collection of Linux kernel security–related materials https://github.com/xairy/linux-kernel-exploitation and a channel on Linux kernel security https://x.com/linkersec.

See https://xairy.io for all of Andrey's articles, talks, and projects.

Ringzer0’s Virtual Training Experience & FAQ
What can I expect from a virtual training delivered by Ringzer0, and answers to frequently asked questions.
Great! Next, complete checkout for full access to Ringzer0
Welcome back! You've successfully signed in
You've successfully subscribed to Ringzer0
Success! Your account is fully activated, you now have access to all content
Success! Your billing info has been updated
Your billing was not updated