Improving the Exploit for CVE-2021-26708 in the Linux Kernel to Bypass LKRG

Conference: ZeroNights 2021

Date: 25.08.2021

Slides     Video


Description

CVE-2021-26708 is assigned to five race condition bugs in the virtual socket implementation of the Linux kernel. These vulnerabilities were discovered and fixed by Alexander Popov. Earlier, he demonstrated how to exploit them for local privilege escalation on Fedora 33 Server for x86_64. In this talk, Alexander will describe how he improved this exploit to bypass the Linux Kernel Runtime Guard (LKRG).


The Power of Four Bytes: Exploiting CVE-2021-26708 in the Linux Kernel

Conference: Positive Hack Days 10

Date: 20.05.2021

Slides     Video


Description

In January 2021, Alexander discovered and fixed five vulnerabilities in the virtual socket implementation of the Linux kernel. These vulnerabilities were assigned the identifier CVE-2021-26708. The speaker will describe in detail how one of them is exploited for local privilege escalation on Fedora 33 Server for the x86_64 platform. The researcher will demonstrate how a small memory access bug can be used to gain control over the whole operating system while bypassing the platform's security mechanisms.


Four Bytes of Power: Exploiting CVE-2021-26708 in the Linux Kernel

Conference: Zer0Con 2021

Date: 09.04.2021

Slides     Video


Description

CVE-2021-26708 is assigned to five race condition bugs in the virtual socket implementation of the Linux kernel. These vulnerabilities were discovered and fixed by Alexander Popov. In this talk, he will describe how to exploit them for local privilege escalation on Fedora 33 Server for x86_64, bypassing SMEP and SMAP. Alexander will demonstrate an artful way of turning very limited kernel memory corruption into a powerful weapon.


Following the Linux Kernel Defence Map

Conference: Linux Plumbers Conference 2020

Date: 25.08.2020

Slides     Video


Description

Linux kernel security is a very complex topic. To learn it, I created a Linux Kernel Defence Map showing the relationships between vulnerability classes, exploitation techniques, bug detection mechanisms and defence technologies.

These kernel defence technologies have the corresponding Kconfig options. A lot of them are not enabled by the major Linux distributions. So I created a kconfig-hardened-check tool that can help to examine security-related options in your Linux kernel config.

In this short talk we will follow the Linux Kernel Defence Map and explore the kconfig-hardened-check tool.


Panel Discussion: What is Lacking in Linux Security and What Are or Should We be Doing about This

Conference: Linux Security Summit North America 2020

Date: 01.07.2020

Video


Participants: Elena Reshetova (Intel), Allison Marie Naaktgeboren (PhD Student), Alexander Popov (Positive Technologies), Mimi Zohar (IBM), Kees Cook (Google)


Exploiting a Linux Kernel Vulnerability in the V4L2 Subsystem

Conference: OffensiveCon 2020

Date: 15.02.2020

Slides     Video


Description

CVE-2019-18683 refers to a set of 5-year-old race conditions in the V4L2 subsystem of the Linux kernel which were fixed by Alexander Popov at the end of 2019. In this talk he will describe the PoC exploit of these issues for x86_64. Alexander will explain an effective method of hitting the race condition and show how to gain local privilege escalation from the kernel thread context, bypassing SMEP and SMAP on Ubuntu Server 18.04.


Linux Kernel Fuzzing in Practice

Conference: ISPRAS Open Conference 2019

Date: 06.12.2019

Slides     Video


Description

In his talk, Alexander Popov will give a brief overview of the fuzzing technique and of the design of the syzkaller fuzzer. He will then share his practical experience of finding vulnerabilities in the Linux kernel with this tool and explain what hinders effective fuzzing.


Between Two Fires: Lessons from Participation in the Kernel Self Protection Project

Conference: Linux Piter 2018

Date: 03.11.2018

Slides     Video


Description

Security is not an easy topic for the Linux kernel developer community. Introducing new security features into the vanilla kernel usually provokes heated discussions on the mailing lists and even in social networks. Developers from Grsecurity/PaX, the Kernel Self Protection Project (KSPP), kernel maintainers and Linus Torvalds all have different opinions.

Alexander Popov entered this "battlefield" in spring 2017 and has been participating in the Kernel Self Protection Project ever since. This path turned out to be much harder than he expected. In his talk, Alexander will share the lessons he learned while developing security features in the Linux kernel community.


Between the Millstones: Lessons of Self-Funded Participation in Kernel Self Protection Project

Conference: Open Source Summit Europe 2018

Date: 22.10.2018

Slides

Description

Security is not an easy topic for the Linux kernel community. Upstreaming security features usually provokes hot discussions in the Linux Kernel Mailing List and in social networks. Grsecurity/PaX, Kernel Self Protection Project (KSPP), kernel maintainers and Linus all have different opinions.

Alexander Popov entered this battlefield in spring 2017 and started his self-funded participation in KSPP. This path turned out to be much more complicated than he had predicted. In this talk Alexander will share his experience and the lessons learned while mainlining Linux kernel security features.


STACKLEAK: A Long Way to the Linux Kernel Mainline

Conference: Linux Security Summit North America 2018

Date: 27.08.2018

Slides     Video


Description

STACKLEAK is a Linux kernel security feature initially created by Grsecurity/PaX developers. In May of 2017 Alexander Popov took on the task of introducing STACKLEAK into the Linux kernel mainline. The way to the mainline turned out to be long and complicated.


How STACKLEAK improves Linux kernel security

Conference: Linux Piter 2017

Date: 04.11.2017

Slides     Video


Description

STACKLEAK is a Linux kernel security feature initially created by Grsecurity/PaX developers. Alexander Popov took on the task of introducing STACKLEAK into the Linux kernel mainline. In this talk Alexander describes the inner workings of this security feature and why the vanilla kernel needs it. In fact, STACKLEAK mitigates several types of Linux kernel vulnerabilities by:

  • reducing the information that can be revealed through kernel stack leak bugs;
  • blocking some uninitialized stack variable attacks;
  • introducing some runtime checks for kernel stack overflow detection.


Race For Root: The Analysis Of The Linux Kernel Race Condition Exploit

Conference: Still Hacking Anyway (SHA2017)

Date: 07.08.2017

Slides     Video


Description

CVE-2017-2636 is a 7-year-old race condition in the Linux kernel that was fixed by Alexander Popov in March 2017. This vulnerability affected all major Linux distributions. It can be exploited to gain local privilege escalation. In this presentation Alexander will describe the PoC exploit for CVE-2017-2636. He will explain an effective method of hitting the race condition and show the following exploitation techniques: turning a double-free into a use-after-free, heap spraying and stabilization, and SMEP bypass.


KASan in Bare-Metal Hypervisor

Conference: LinuxCon Japan 2016

Date: 13.07.2016

Slides

Description

Kernel address sanitizer (KASan) is a dynamic memory error detector for finding out-of-bounds and use-after-free bugs in the Linux kernel. It uses shadow memory to record whether each byte of memory is safe to access and uses compile-time instrumentation to check the shadow memory on each memory access. In this presentation Alexander Popov will describe the successful experience of porting KASan to a bare-metal hypervisor: the main steps, the pitfalls, and the ways to make KASan checks much stricter and more versatile.


Using KASan for a Bare-Metal Hypervisor

Conference: Positive Hack Days VI

Date: 17.05.2016

Slides

Description

This talk covers the successful experience of using the KASan (Kernel address sanitizer) debugging mechanism in a bare-metal hypervisor. The speaker will explain how KASan was made stricter compared to its implementation in the Linux kernel.