Kernel exploiting

Exploitation in this environment is a little special: first of all, the target is the kernel, so a failure takes the whole system down with it rather than just one process; second, the kernel has its own particular subsystems (memory allocation, for example) and mitigations designed specifically for it.

Mitigations

  • Kernel stack cookies
  • Address space layout randomization (KASLR)
  • Supervisor mode access prevention (SMAP): all the user-land pages in the page table are marked non-executable while the CPU is in kernel mode
  • Kernel page table isolation (KPTI): the user-space and kernel-space page tables are kept completely separate while running in user mode
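To see which of these mitigations are actually active on a given Linux host, here is an added shell script (not from the original page). It assumes the standard procfs/sysfs paths, the `smep`/`smap` feature names exactly as `/proc/cpuinfo` prints them, the `Mitigation: PTI` string the kernel reports in the Meltdown sysfs file, and, as a heuristic, that KASLR is on unless `nokaslr` appears on the kernel command line.

```shell
#!/bin/sh
# Added example (not from the page): audit kernel mitigations on a Linux host.
# Each check is a pure function over text so it can be tested without root.

# has_cpu_flag <cpuinfo-text> <flag>: succeeds if <flag> is in the "flags" line.
has_cpu_flag() {
    printf '%s\n' "$1" | grep -m1 '^flags' | tr ' ' '\n' | grep -qx "$2"
}

# pti_state <meltdown-sysfs-text>: "on" when the kernel reports PTI as the mitigation.
pti_state() {
    case "$1" in
        *"Mitigation: PTI"*) echo on ;;
        *) echo off ;;
    esac
}

# kaslr_state <cmdline-text>: heuristic, "nokaslr" on the command line disables it.
kaslr_state() {
    case " $1 " in
        *" nokaslr "*) echo off ;;
        *) echo on ;;
    esac
}

# kptr_state <value>: kptr_restrict=0 exposes kernel pointers (e.g. in /proc/kallsyms),
# which is what KASLR-bypass tooling looks for first.
kptr_state() {
    case "$1" in
        0) echo "weak (pointers exposed)" ;;
        1) echo "ok (hidden from unprivileged)" ;;
        2) echo "ok (hidden from everyone)" ;;
        *) echo unknown ;;
    esac
}

# audit_host: read the live values and print one line per mitigation.
audit_host() {
    cpuinfo=$(cat /proc/cpuinfo 2>/dev/null)
    for f in smep smap; do
        if has_cpu_flag "$cpuinfo" "$f"; then echo "$f: on"; else echo "$f: off"; fi
    done
    echo "kpti: $(pti_state "$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null)")"
    echo "kaslr: $(kaslr_state "$(cat /proc/cmdline 2>/dev/null)")"
    echo "kptr_restrict: $(kptr_state "$(cat /proc/sys/kernel/kptr_restrict 2>/dev/null)")"
}

if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Run it as `sh audit.sh --audit`; the kernel stack-cookie setting is a build-time option (CONFIG_STACKPROTECTOR) and is not visible at runtime this way.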

KASLR

  • bcoles/kasld: a collection of various techniques to bypass KASLR and retrieve the Linux kernel base virtual address on x86 / x86_64 architectures as an unprivileged user.

Fuzzing

Heap

iOS

Papers

KEPLER: Facilitating Control-flow Hijacking Primitive Evaluation for Linux Kernel Vulnerabilities

ret2dir: Rethinking Kernel Isolation

KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities