A Guide to Kernel Exploitation

Attacking the Core

By

  • Enrico Perla, B.Sc., Computer Science, University of Torino, M.Sc., Computer Science, Trinity College, Dublin, Kernel Programmer, Oracle
  • Massimiliano Oldani, Security Consultant, Emaze Networks

A Guide to Kernel Exploitation: Attacking the Core discusses the theoretical techniques and approaches needed to develop reliable and effective kernel-level exploits, and applies them to different operating systems, namely, UNIX derivatives, Mac OS X, and Windows. Concepts and tactics are presented categorically so that even when a specifically detailed vulnerability has been patched, the foundational information provided will help hackers in writing a newer, better attack, or help pen testers, auditors, and the like develop a more concrete design and defensive structure. The book is organized into four parts. Part I introduces the kernel and sets out the theoretical basis on which to build the rest of the book. Part II focuses on different operating systems and describes exploits for them that target various bug classes. Part III on remote kernel exploitation analyzes the effects of the remote scenario and presents new techniques to target remote issues. It includes a step-by-step analysis of the development of a reliable, one-shot, remote exploit for a real vulnerability: a bug affecting the SCTP subsystem found in the Linux kernel. Finally, Part IV wraps up the analysis on kernel exploitation and looks at what the future may hold.

Audience

Intermediate to advanced pen testers, hackers and OS system designers and developers

Book information

  • Published: September 2010
  • Imprint: SYNGRESS
  • ISBN: 978-1-59749-486-1

Reviews

"A very interesting book that not only exposes readers to kernel exploitation techniques, but also deeply motivates the study of operating systems internals, moving such study far beyond simple curiosity."--Golden G. Richard III, Ph.D., Professor of Computer Science, University of New Orleans and CTO, Digital Forensics Solutions, LLC

Table of Contents

Foreword

Preface

Acknowledgments

About the Authors

About the Technical Editor

Part I A Journey to Kernel Land

Chapter 1 From User-Land to Kernel-Land Attacks

Introduction

Introducing the Kernel and the World of Kernel Exploitation

Why Doesn’t My User-Land Exploit Work Anymore?

An Exploit Writer’s View of the Kernel

Open Source versus Closed Source Operating Systems

Summary

Related Reading

Endnote

Chapter 2 A Taxonomy of Kernel Vulnerabilities

Introduction

Uninitialized/Nonvalidated/Corrupted Pointer Dereference

Memory Corruption Vulnerabilities

Integer Issues

Race Conditions

Logic Bugs (a.k.a. the Bug Grab Bag)

Summary

Endnotes

Chapter 3 Stairway to Successful Kernel Exploitation

Introduction

A Look at the Architecture Level

The Execution Step

The Triggering Step

The Information-Gathering Step

Summary

Related Reading

Part II The UNIX Family, Mac OS X, and Windows

Chapter 4 The UNIX Family

Introduction

The Members of the UNIX Family

The Execution Step

Practical UNIX Exploitation

Summary

Endnotes

Chapter 5 Mac OS X

Introduction

An Overview of XNU

Kernel Debugging

Kernel Extensions (Kext)

The Execution Step

Exploitation Notes

Summary

Endnotes

Chapter 6 Windows

Introduction

Windows Kernel Overview

The Execution Step

Practical Windows Exploitation

Summary

Endnotes

Part III Remote Kernel Exploitation

Chapter 7 Facing the Challenges of Remote Kernel Exploitation

Introduction

Attacking Remote Vulnerabilities

Executing the First Instruction

Remote Payloads

Summary

Endnote

Chapter 8 Putting It All Together: A Linux Case Study

Introduction

SCTP FWD Chunk Heap Memory Corruption

Remote Exploitation: An Overall Analysis

Getting the Arbitrary Memory Overwrite Primitive

Installing the Shellcode

Executing the Shellcode

Summary

Related Reading

Endnote

Part IV Final Words

Chapter 9 Kernel Evolution: Future Forms of Attack and Defense

Introduction

Kernel Attacks

Kernel Defense

Beyond Kernel Bugs: Virtualization

Summary

Index