Kernel Exploitation

Defense Mechanisms

We have conducted research on the defense mechanisms employed by popular operating system kernels. Specifically, we have explored the kernel exploitation mitigations of the following operating systems:

• Linux (version 2.6.37)
• Windows 7
• Mac OS X Snow Leopard (version 10.6.6)
• FreeBSD (version 8.1)
• iOS (Apple's iPhone OS)
• Google's Android

Our results were presented at the Black Hat Europe 2011 Briefings:

• Protecting the Core: Kernel Exploitation Mitigations, Black Hat Europe 2011 Briefings [slides] [white paper]

FreeBSD

We have investigated in depth the exploitation of kernel vulnerabilities on the FreeBSD operating system. Our research on this subject is divided into three parts.

The first part covers the exploitation of kernel stack overflow vulnerabilities. In order to assist vulnerability researchers explore the FreeBSD kernel we have prepared a step-by-step debugging guide in the following article:

• Debugging the FreeBSD kernel on VMware with remote gdb

Our development process for FreeBSD kernel stack exploits has been documented in the article below:

• FreeBSD kernel stack overflow exploit development

Detailed results on the subject, along with a hands-on workshop, were presented at the University of Piraeus Software Libre Society Event #16 on Computer Security:

• FreeBSD Kernel Stack Overflows [slides (in Greek)]

The second part of our research focuses on a security analysis of the Universal Memory Allocator (UMA), the FreeBSD kernel's memory allocator. We demonstrate how UMA overflows can lead to arbitrary code execution in the context of the FreeBSD kernel, and we develop an exploitation methodology for privilege escalation and kernel continuation:

• Exploiting UMA, FreeBSD's Kernel Memory Allocator [Phrack Volume 0x0d, Issue 0x42]

Our definitive all-inclusive work on the subject of FreeBSD kernel exploitation was presented in Barcelona at Black Hat Europe 2010 Briefings. The talk included an exploitation demo of a 0-day vulnerability we had discovered (CVE-2010-2020):

• Binding the Daemon: FreeBSD Kernel Stack and Heap Exploitation, Black Hat Europe 2010 Briefings [slides] [white paper] [source code]

The third part of our research consists of vulnerabilities that we have discovered in the FreeBSD kernel and the reliable exploits we have developed for them.

• FreeBSD kernel nfsclient vulnerabilities (CVE-2010-2020) [official advisory] [census advisory] [nfs_mount() exploit] [mountnfs() exploit]

We have also developed exploits for known FreeBSD kernel vulnerabilities, such as the following:

• cve-2008-3531-kernelcode.s: Kernel shellcode for vulnerability CVE-2008-3531
• cve-2008-3531.c: Exploit for vulnerability CVE-2008-3531

Linux

Vulnerabilities we have discovered in the Linux kernel.

• Linux kernel SUNRPC off-by-two buffer overflow [official report] [census advisory]

OpenSolaris

Proof-of-concept exploits for known vulnerabilities of the OpenSolaris kernel.

• cve-2010-0453.c: Exploit for vulnerability CVE-2010-0453