Dobin 0x73_KernelExploitation.pdf


Card set details

Cards 17
Language English
Category Religion/Ethics
Level University
Created / Updated 25.06.2019 / 04.07.2019
Licensing Not specified
Web link
https://card2brain.ch/box/20190625_dobin_0x73kernelexploitation_pdf

Why exploit the kernel?

  • Userspace is restricted
  • Kernel has access to everything
    • All processes (root processes)
    • All secrets (harddisk password)
    • All security mechanisms (SELinux, Seccomp-bpf)
  • Kernel attack surface is wide open
    • Containerization (Docker, LXC)

What kernel modes are there?

Kernel Mode / Supervisor Mode / Unrestricted Mode / System Mode

  • Access to all memory
  • Access to special CPU registers

User Mode / Non-Privileged Mode / Restricted Mode

How can you get Kernel execution - the dev way?

Linux:

  • Write LKM (Linux Kernel Module)
  • Load as Root
  • Redhat 7 -> when secure boot is active all kernel modules must be signed with a private key.

Windows:

  • Reboot in unsafe / development mode
  • Or: Sign code with Driver Certificate ($$$ to Microsoft)
  • -> No Untrusted (unsigned) Code in Windows Kernel!

What are the difficulties in exploiting the kernel?

Difficulties in Exploiting:

  • If the exploit crashes -> the whole system crashes
  • No simple system() shellcode
    • Spawning new processes is hard
    • Traverse memory to find the process handle, set uid=0
  • No brute force
    • E.g. ASLR

Easier Exploiting:

  • Information disclosure is easier (local)
  • Kernel ASLR (kASLR) is hard to implement
  • Attack surface is gigantic (local)

What are some of the use cases of Kernel Exploiting?

Use cases:

  • Mobile (Android, iOS) exploiting / jailbreaking (App -> Root)
  • Local privilege escalation (www-data Apache, non-localadmin)
  • Pwning the cloud (containerization)
  • Rootkits (post breach persistence / hiding)
  • Backdoors (gain access again on compromised host)
  • Cheats (PC, Console)

Name some attack surfaces for Kernel Exploits.

Attack surface examples:

  • Drivers
  • File Systems
  • Sockets
  • Syscalls
  • /proc, /sys

How is kernel memory mapped into physical memory?

Virtual / Logical Address -> Real / Physical Address translation

  • Via Page-Table
  • Stored in register CR3
  • Per-process
    • But the kernel is always included
  • Virtual / Logical Address
    • What the processes see
    • What the kernel sees
  • Physical Address:
    • CPU untranslated
    • What the CPU sees on the bus

What is the TLB?

Page Table: Map virtual addresses to physical

TLB: Translation Lookaside Buffer

  • Cache in MMU (Memory Management Unit)