2-DAY TECH TRAINING 3 – Linux Kernel Exploitation Techniques


CAPACITY: 20 pax


EUR1599 (early bird)

EUR1999 (normal)

Early bird registration rate ends on the 13th of January


The number of user-land exploitation countermeasures significantly outweighs the kernel protection solutions. Due to the complexity associated with exploiting user-land vulnerabilities (ASLR, NX, Fortify, RELRO, etc.), Linux kernel with its huge publicly available codebase has become an appealing target for exploit developers. A successful exploitation of a kernel vulnerability allows attackers to elevate privileges bypassing any user-land protections and exploit mitigations.

This course teachers common kernel exploitation techniques on modern Linux distributions. It is designed for students already familiar with user-land exploitation who want to play with the heart of the OS and gain fundamental knowledge required to develop reliable and effective kernel exploits. Even though this course is designed for beginners in kernel exploitation, a number of more advanced topics, such as reliable exploitation of heap vulnerabilities and SMEP bypasses, are discussed.

This course aims to provide the fun, excitement and rewarding experience of getting a # prompt after hours of hard work. There is a “Capture the Flag” contest at the end where you can practice your newly acquired skills in kernel exploitation.

Key learning objectives:

* Introduction to Linux kernel exploit development on modern distributions
* ret2usr attacks
* Exploiting kernel heap and stack vulnerabilities
* Exploiting out of bounds (OOB) vulnerabilities
* Integer signedness bugs and overflows
* Reliable exploitation of use-after-free (UAF) vulnerabilities
* In-kernel return-oriented programming (ROP)
* Practical SMEP (Supervisor Mode Execution Protection) bypasses

Who should attend:

* Reverse engineers, bug hunters and exploit developers
* Information security professionals experienced in user-land exploitation

Prerequisite knowledge:

* Familiarity with x86 architecture
* Linux working proficiency
* C and assembly programming knowledge
* Familiarity with GDB (GNU Debugger)
* Fundamental knowledge of common user-space exploitation techniques (e.g., stack and heap overflows, integer type conversion vulnerabilities and  overflows, etc.)

Hardware/Software requirements:

* Base OS – Windows, OS X, Linux
* Ivy Bridge+ CPU (not essential)
* At least 20GB of free disk space
* At least 4 GB of RAM
* Wireless network card
* VMWare Workstation (v9+) or Fusion (v5+)

Day 1:

* Introduction to Kernel Exploits
– User-space vs kernel-space
– x86(-64) architecture
– User-space processes
– Virtual memory management
– Linux privileges model

* Setting up the debugging environment
– Kernel debugging techniques
– Remote kernel debugging with VMWare and GDB
– Module debugging

* Privilege escalation
– Privilege escalation on modern distributions
– Privilege escalation heuristics
– Introduction to ret2usr attacks

* Arbitrary read/write primitives
– IDT (Interrupt Descriptor Table) overwrites
– Triggering the vulnerability
– Fixating – recovering the kernel state

* Information disclosure
– Kernel memory addressing disclosures
– Memory leaks and addr_limit user/kernel boundary

* Out of bounds (OOB) access vulnerabilities

Day 2:

* Integer vulnerabilities
– Signedness issues
– Integer overflows

* Dynamic memory management/SLAB allocator
– Generic SLAB concepts
– Linux SLUB allocator

* Heap vulnerabilities
– Use-after-free (UAF) vulnerabilities
– Overflowing into adjacent objects
– Off-by-[one/X]

* Reliable UAF exploitation on SMP systems
* Kernel return-oriented programming (ROP)
* Bypassing SMEP (Supervisor Mode Execution Protection)


Location: Training Rooms Date: April 11, 2017 Time: 9:00 am - 6:00 pm Vitaly Nikolenko