A series of exercise-driven labs, the training explores the process of finding, assessing, and exploiting kernel bugs in a modern Linux distribution on the x86-64 architecture.

About the trainer:

Andrey Konovalov is a security researcher focusing on the Linux kernel.
Andrey found multiple zero-day bugs in the Linux kernel and published proof-of-concept exploits
to demonstrate the impact. Andrey is a contributor to several security-related Linux kernel
subsystems and tools: KASAN — a fast dynamic bug detector, syzkaller — a production-grade
kernel fuzzer, and Arm Memory Tagging Extension — an exploit mitigation.
Andrey spoke at security conferences such as OffensiveCon, Android Security Symposium,
Linux Security Summit, LinuxCon, and PHDays. Andrey also maintains a collection of Linux
kernel security–related materials and a channel on Linux kernel security.

Training overview:

This training guides researchers through the field of Linux kernel security. In a series of exercise-driven labs, the training explores the process of finding, assessing, and exploiting kernel bugs in a modern Linux distribution on the x86-64 architecture.
Besides providing a foundation for writing Linux kernel exploits, the training covers the no-less important areas of finding kernel bugs and evaluating their security impact. This includes chapters on using dynamic bug-finding tools, writing custom fuzzers, and analyzing crashes.

Training agenda:

Day 1 — Internals, Sanitizers, and fuzzing:
● Internals and debugging: x86-64 architecture refresher; introduction to the Linux kernel; attack surface; types of vulnerabilities; setting up a kernel debugging environment; using GDB to debug the kernel and its modules.
● Detecting bugs: using KASAN to detect and analyze memory corruptions; KASAN internals; reading kernel bug reports; assessing impact of kernel bugs.
● General fuzzing: writing and evaluating kernel-specific fuzzing harnesses; Human-in-the-Loop fuzzing; collecting coverage with KCOV.

Day 2 — Fuzzing with syzkaller and escalating privileges:
● Fuzzing with syzkaller: API-aware fuzzing; coverage-guided fuzzing; using syzkaller; writing syscall descriptions.
● Escalating privileges: ret2usr; overwriting the cred structure; overwriting modprobe_path; kernel stack buffer overflows; arbitrary address execution and arbitrary read/write primitives.

Day 3 — Bypassing mitigations and exploiting slab corruptions:
● Bypassing mitigations: KASLR, SMEP, SMAP, and KPTI bypass techniques; in-kernel Return-Oriented Programming (ROP); out-of-bounds vulnerabilities; information leaks.
● Exploiting basic slab corruptions: slab out-of-bounds and use-after-free vulnerabilities; slab-specific mitigations; slab spraying; data-only exploitation; the unlinking attack.
● Beyond: learning advanced exploitation techniques; useful references.

Student requirements:

● Working C knowledge.
● Familiarity with x86-64 architecture and x86-64 assembly.
● Familiarity with GDB (GNU Debugger).
● Familiarity with common types of vulnerabilities and exploitation techniques for userspace applications.
No knowledge about Linux kernel internals is required.

Hardware/Software requirements

● At least 100 GB of free disk space.
● At least 12 GB of RAM.
● Ability to plug in an untrusted USB drive (relevant for corporate laptops).
● Host OS: Linux (recommended) or Windows.
● VMWare Workstation Player.
● 7-Zip.