xorl %eax, %eax

Book: A Guide to Kernel Exploitation

leave a comment »

First of all, sorry for not posting this earlier. I have read this marvelous book already twice and it’s just awesome. A great foreword was written by stealth. Also, it’s great honor for any of us being mentioned in this book by the two wizards of kernel exploitation. Honestly, thank you for everything you’ve done and making the impossible, possible so many times. :)

Title: A Guide to Kernel Exploitation: Attacking the Core
Authors: Enrico Perla and Massimiliano Oldani

Part I: A Journey to Kernel Land
And this is how it starts… ;)
Chapter 1: From User-Land to Kernel-Land Attacks
This is an introduction chapter that presents the importance of operating system’s kernel to the reader and acquaints him/her with concepts such as user/kernel space security, privilege separation etc. The next part is an introduction to the art of exploitation and the difficulties in both user and kernel-land exploitation. Following we can find more information regarding kernel exploitation such as credentials, virtual memory etc. Chapter ends with a discussion about closed versus open source operating systems from the exploit developer’s point of view.

Chapter 2: A Taxonomy of Kernel Vulnerabilities
This is another important subject before moving to the actual exploitation. Its aim is to classify vulnerabilities in a manner that will make easier to identify exactly what they are. To do this, the first section deals with incorrect pointer dereference vulnerabilities starting from the formal standards and manuals’ definitions and moving to real world kernel vulnerabilities that demonstrate such issues. They next move on memory corruption vulnerabilities in both stack and heap and continue to the next section which is about integer issues. Next it’s a really interesting section dealing with race conditions always with real world cases as well as some very helpful figures and the chapter ends with another common bug class which is the logic bugs using the previously detailed approach in this one too.

Chapter 3: Stairway to Successful Kernel Exploitation
And this is where the very juicy part of the journey begins… Starting off with the principles of kernel exploitation, we’re quickly introduced to the architecture level concepts that affect exploitation. Next, we can find a generic model of shellcoding initially in userspace and then in kernel from simple scenarios to multi-stage shellcodes. Of course, in kernel shellcodes the goal is to raise your process’ credentials and return safely from the kernel and that’s what the following sections deal with. The following part is about triggering the various vulnerabilities. Authors discuss the numerous approaches based on the target vulnerability as well as many system details that an attacker must take into account. Finally, there is one of the most important steps for reliable kernel exploitation and this is information gathering. In this section there are some excellent tricks and methods to assist on writing a one-shot kernel exploit.

Part II: The UNIX Family, Mac OS X, and Windows
Different operating systems have different exploitation techniques. This part introduces some of these.
Chapter 4: The UNIX Family
Here you can find information on exploitation of all the major UNIX derivatives including Linux, Solaris and *BSD operating systems. Although there are very interesting information in the previous sections, the really fascinating content starts with the “Practical UNIX Exploitation” section that does what its title says so. After actually exploiting kernel heap memory corruption vulnerabilities on OpenSolaris’ SLAB allocator and Linux’s SLUB allocator they describe Linux kernel’s stack overflows and conclude with the CVE-2009-3234 vulnerability that raised a lot of attention last year.

Chapter 5: Mac OS X
To understand OS X exploitation you should first have knowledge of the components of the XNU hybrid kernel. The first sections of this chapter do just that, they provide details about the Mach, BSD and I/O Kit (aka device drivers) as well as the System Call Tables. All of these are vital for moving on to actual Mac OS X kernel exploitation. Next, it moves on from information on debugging from exploit developer’s perspective to the exploitation and there are also some very neat notes about specific types of vulnerabilities in XNU which include arbitrary memory overwrites, stack based overflows, race conditions, exploitation of kernel’s memory allocator and Snow Leopard specific exploitation tips and tricks.

Chapter 6: Windows
This is a world that I’m quite unfamiliar with and that’s why most of its content was new to me. After a general overview of Windows’ kernel, the authors introduce a vulnerable device driver that is used throughout this chapter to demonstrate Windows kernel exploitation. Starting from information gathering and kernel’s internals, it continues with kernel debugging to finally reach code execution in the kernel’s context. Since Windows operating system uses a different authorization model, the authors describe it in detail and dedicate an entire section on the shellcode development for Windows kernel. At last, vulnerability specific notes about stack based overflows and arbitrary memory overwrites are given.

Part III: Remote Kernel Exploitation
Definitely, the most amazing part of the book…
Chapter 7: Facing the Challenges of Remote
Of course, remote kernel exploitation is much harder because of the lack of various information about the target system. Specifically, this chapter deals with subjects such as lack of exposed information during the information gathering phase, the limited control over the remote victim machine, etc. Then, we can find information about how to achieve remote code execution in such cases by discussing everything from the first instruction that will redirect the execution flow to special payloads.

Chapter 8: Putting It All Together: A Linux Case Study
I won’t say anything here apart from that this is the best exploit analysis I’ve read so far and it deals with the authors’ 2009 Linux kernel remote root exploit on SCTP (for those of you who need a reference check this out). Just sit down and study this chapter!

Part IV: Final Words
Chapter 9: Kernel Evolution: Future Forms of Attack
After identifying some of the secrets of kernel exploitation, authors discuss the defense approaches for kernel vulnerabilities and open up a new world of kernel exploitation which becomes more and more popular over time, this is the virtualization which includes hypervisor and guest operating system kernel security which is still an evolving field from a security point of view.

So, this is the only book dealing with this subject in such an excellent manner. I’m definitely putting it as my No.1 security related book. It’s just one of these great and rare times that a subject which is not so well documented gets such a fantastic reference. Clearly, it’s an amazing resource for anyone interested in kernel level security or more specifically in kernel exploitation. To conclude, as it turns out, they did it. As I was saying on 2009, “I bet that this book would be my favorite” and now it is.
Once again, thank you guys and it’s a great honor seeing my nick in there! :)

Written by xorl

December 13, 2010 at 14:07

Posted in books

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s