Cartes-fiches

Cartes-fiches 17 Cartes-fiches
Utilisateurs 1 Utilisateurs
Sprache English
Niveau Université
Crée / Actualisé 25.06.2019 / 04.07.2019
Attribution de licence Non précisé
Lien de web
Intégrer
0 Réponses exactes 17 Réponses textes 0 Réponses à choix multiple
Fermer la fenêtre
Attribution de licence: Non précisé

Why exploit the kernel?

  • Userspace is restricted
  • Kernel has access to everything
    • All processes (root processes)
    • All secrets (harddisk password)
    • All security machanisms (SELinux, Seccomp-bpf)
  • Kernal attack surface is wied open
    • Containerization (Docker, LXC)
Fermer la fenêtre

What kernel modes are there?

Kernel Mose / Supervisor Mode / Unrestricted Mode / System Mode

  • Access to all memory
  • Access to special CPU registers

User Mode / Non-Privleged Mode / Restricted Mode

Fermer la fenêtre

How can you get Kernel execution - the dev way?

Linux:

  • Write LKM (Linux Kernel Module)
  • Load as Root
  • Redhat 7 -> when secure boot is active all kernel modules must be signed with a private key.

Windows:

  • Reboot in unsafe / development mode
  • Or: Sign code with Driver Certificate ($$$ to Microsoft)
  • -> No Untrusted (unsigned) Code in Windows Kernel!
Fermer la fenêtre

What are the difficulties in exploiting the kernel?

Difficulies in Exploiting:

  • If exploit crash -> Crash the system
  • No simpel system() shellcode
    • Spawning new processes is hard
    • Travers memory to find prcess handle, set uid=0
  • No brute force
    • E.g ASLR

Easier Exploiting:

  • Information disclosure is easier (local)
  • Kernal ASLR (kASLR) is hard to implement
  • Attack surface is gigantic (local)
Fermer la fenêtre

What are some of the use cases of Kernel Exploiting?

Use cases:

  •  Mobile (Android, iOS) exploiting / jailbreaking (App -> Root)
  • Local privilege escalation (www-data Apache, non-localadmin)
  • Pwning the cloud (containerization)
  • Rootkits (post breach persistence / hiding)
  • Backdoors (gain access again on compromiesed host)
  • Cheats (PC, Console)
Fermer la fenêtre

Name some attack surfaces for Kernel Exploits.

Attack surface examples:

  • Drivers
  • File Systems
  • Sockets
  • Syscalls
  • /proc, /sys
Fermer la fenêtre

How is kernal memory maped into physical memory?

Attribution de licence: Non précisé

Virtual / Logical Address -> Real / Physical Address translation

  • Via Page-Table
  • Stored in register CR3
  • Per-process
    • But kenel always included
  • Virtual / Logical Address
    • What the processes see
    • What the kernel sees
  • Physical Address:
    • CPU untranslated
    • What the CPU see's on the bus
Fermer la fenêtre

What is the TLB?

Attribution de licence: Non précisé

Page Table: Map virtual addresses to physical

TLB: Translation Lookaside Buffer

  • Cache in MMU (Memory Management Unit)