Linux Kernel Exploitation (Source Boston 2010)

Posted By: SecurityTube_Bot
Posted On: Mon 21 Feb 2011
Views: 4081


Description:

This is the video of the presentation titled "Linux Kernel Exploitation: Earning Its Pwnie a Vuln at a Time" given by Jon Oberheide at SOURCE Boston 2010.

Abstract: As userspace applications and services become increasingly hardened against traditional memory corruption exploits, operating system kernels have become a source for abundant exploitation opportunities. In particular, the Linux kernel has recently suffered a bout of severe and high-profile vulnerabilities and drawn ire from the security community for its mishandling of bugs with known security impact, resulting in a Pwnie award for "Lamest Vendor Response". Given the importance the Linux operating system plays in many enterprise environments, it is necessary to understand the strengths and weaknesses of its kernel's security. In this presentation, we'll explore these strengths and weaknesses by diving deep into the exploitation of vulnerabilities in the Linux kernel. Using real-world vulnerabilities and exploits, we'll detail the traditional classes of kernel vulnerabilities such as control flow hijacking (via stack smashing and SLAB/SLUB/SLOB allocator corruption), invalid userland memory accesses (including NULL pointer dereferences), and information leakage. In addition to traditional bug classes, we'll cover the semantic vulnerabilities inherent in complex operating systems that require deep knowledge of kernel internals to identify and exploit subtle conditions (e.g. desynchronization in the VM subsystem), some of which have previously been thought to be unexploitable. We'll also explore the attack surface of the Linux kernel and enumerate the most common vulnerability entry points using historical data. Lastly, we'll release several tools assisting vulndev/auditing and discuss the effectiveness of deployed countermeasures and best current practices for securing the Linux kernel.

Jon Oberheide is the CTO of Scio Security, an Ann Arbor-based startup. He previously attended the University of Michigan for a BS, MS, and PhD in Computer Science and has held positions at Merit Networks and Arbor Networks. Jon has presented at numerous security conferences, both in academia (USENIX Security, WOOT, HotSec, etc.) and in industry (BlackHat, CanSecWest, NANOG, etc.).

Tags: fun

