Flashcards

Flashcards: 17
Students: 1
Language: English
Level: University
Created / Updated: 25.06.2019 / 04.07.2019
Licencing: Not defined
Answer types: 0 exact answers, 17 text answers, 0 multiple-choice answers

Why exploit the kernel?

  • Userspace is restricted
  • The kernel has access to everything
    • All processes (including root processes)
    • All secrets (e.g. the hard disk password)
    • All security mechanisms (SELinux, seccomp-bpf)
  • The kernel attack surface is wide open
    • Containerization (Docker, LXC)

What kernel modes are there?

Kernel Mode / Supervisor Mode / Unrestricted Mode / System Mode

  • Access to all memory
  • Access to special CPU registers

User Mode / Non-Privileged Mode / Restricted Mode


How can you get Kernel execution - the dev way?

Linux:

  • Write an LKM (Linux Kernel Module)
  • Load it as root
  • Red Hat 7 -> when Secure Boot is active, all kernel modules must be signed with a private key.

Windows:

  • Reboot in unsafe / development mode
  • Or: sign the code with a driver certificate ($$$ to Microsoft)
  • -> No untrusted (unsigned) code in the Windows kernel!

What are the difficulties in exploiting the kernel?

Difficulties in exploiting:

  • If the exploit crashes -> the whole system crashes
  • No simple system() shellcode
    • Spawning new processes is hard
    • Traverse memory to find the process handle, set uid=0
  • No brute force
    • E.g. ASLR

Easier exploiting:

  • Information disclosure is easier (local)
  • Kernel ASLR (kASLR) is hard to implement
  • Attack surface is gigantic (local)

What are some of the use cases of Kernel Exploiting?

Use cases:

  • Mobile (Android, iOS) exploiting / jailbreaking (App -> Root)
  • Local privilege escalation (www-data Apache, non-local-admin)
  • Pwning the cloud (containerization)
  • Rootkits (post-breach persistence / hiding)
  • Backdoors (regain access on a compromised host)
  • Cheats (PC, Console)

Name some attack surfaces for Kernel Exploits.

Attack surface examples:

  • Drivers
  • File Systems
  • Sockets
  • Syscalls
  • /proc, /sys

How is kernel memory mapped into physical memory?

Virtual / Logical Address -> Real / Physical Address translation

  • Via the page table
  • Its base is stored in register CR3
  • Per process
    • But the kernel is always included
  • Virtual / Logical Address
    • What the processes see
    • What the kernel sees
  • Physical Address:
    • Untranslated by the CPU
    • What the CPU sees on the bus

What is the TLB?


Page Table: maps virtual addresses to physical addresses

TLB: Translation Lookaside Buffer

  • Cache in MMU (Memory Management Unit)