Cards 17 cards
Learners 1 learner
Language English
Level University
Created / Updated 25.06.2019 / 04.07.2019
Licensing Not specified
0 exact answers 17 text answers 0 multiple choice answers

Why exploit the kernel?

  • Userspace is restricted
  • Kernel has access to everything
    • All processes (root processes)
    • All secrets (harddisk password)
    • All security mechanisms (SELinux, seccomp-bpf)
  • Kernel attack surface is wide open
    • Containerization (Docker, LXC)

What kernel modes are there?

Kernel Mode / Supervisor Mode / Unrestricted Mode / System Mode

  • Access to all memory
  • Access to special CPU registers

User Mode / Non-Privileged Mode / Restricted Mode


How can you get Kernel execution - the dev way?

Linux:

  • Write an LKM (Linux Kernel Module)
  • Load it as root
  • Red Hat 7 -> when Secure Boot is active, all kernel modules must be signed with a private key.

Windows:

  • Reboot in unsafe / development mode
  • Or: sign the code with a driver certificate ($$$ to Microsoft)
  • -> No untrusted (unsigned) code in the Windows kernel!

What are the difficulties in exploiting the kernel?

Difficulties in Exploiting:

  • If the exploit crashes -> the whole system crashes
  • No simple system() shellcode
    • Spawning new processes is hard
    • Traverse memory to find the process handle, set uid=0
  • No brute force
    • e.g. ASLR

Easier Exploiting:

  • Information disclosure is easier (local)
  • Kernel ASLR (kASLR) is hard to implement
  • Attack surface is gigantic (local)

What are some of the use cases of Kernel Exploiting?

Use cases:

  • Mobile (Android, iOS) exploiting / jailbreaking (App -> Root)
  • Local privilege escalation (www-data Apache, non-localadmin)
  • Pwning the cloud (containerization)
  • Rootkits (post breach persistence / hiding)
  • Backdoors (gain access again on a compromised host)
  • Cheats (PC, Console)

Name some attack surfaces for Kernel Exploits.

Attack surface examples:

  • Drivers
  • File Systems
  • Sockets
  • Syscalls
  • /proc, /sys

How is kernel memory mapped into physical memory?


Virtual / Logical Address -> Real / Physical Address translation

  • Via Page-Table
  • Stored in register CR3
  • Per-process
    • But the kernel is always included
  • Virtual / Logical Address
    • What the processes see
    • What the kernel sees
  • Physical Address:
    • Untranslated by the CPU
    • What the CPU sees on the bus

What is the TLB?


Page Table: Map virtual addresses to physical

TLB: Translation Lookaside Buffer

  • Cache in MMU (Memory Management Unit)