> In your research have you seen a common kind of bug that results in
> the vulnerabilities you find?

No, most of those issues are caused by the lack of checking of user input length in copy_xx_user functions, or afterwards in memcpy functions. However, looking into the details, they vary among different functions in different files.

> Is there anything that would have
> significantly made exploitation more difficult in the things you
> worked on?

Yes! I mostly exploit buffer overflow vulns by overwriting function pointers (such as pointers in file_operations) of a global object or a heap object to redirect execution (and if PXN is enabled, we simply use ROP gadgets). Therefore mitigation solutions for function pointer overwrite would make this kind of exploitation much more difficult. But I don't know if you have made all the pointers "const". Besides, ret2dir is a common way to exploit UAF vulns, so I think solutions like XPFO are a way to make that kind of exploitation more difficult. Right now KASLR is still disabled in most Android devices, so it is easy to get kernel symbol addresses; however, if KASLR is enabled, it may make exploitation more difficult.

> Are you interested mostly in ARM-specific things?

I am familiar with ARM-specific things mostly, but I can also accept x86/x64 tasks.

> Are you interested in kernel-assisted userspace defenses too?

What does that mean? Something like seccomp?

2016-10-13 6:31 GMT+08:00 Kees Cook:
> On Tue, Oct 11, 2016 at 8:19 PM, Gengjia Chen wrote:
> > Hi all,
>
> Hi, welcome!
>
> > My name is Jiayy (@chengjia4574). I am currently a security researcher in
> > Android and Linux kernel. My research consists of hunting vulnerabilities
> > in kernel code (most of them within drivers) and doing exploits using those
> > vulns. I have found more than 40 vulnerabilities which were confirmed by
> > the Android Security Team in the past year. I also figured out some ways
> > to attack mitigation solutions of the kernel (such as bypassing PXN).
>
> In your research have you seen a common kind of bug that results in
> the vulnerabilities you find? Is there anything that would have
> significantly made exploitation more difficult in the things you
> worked on?
>
> > Those works helped me get familiar with the kernel (device tree, memory
> > management, network, some features especially those associated with
> > security such as PXN, SELinux, seccomp) and ARM instructions. However,
> > it is not enough to get involved in real security development in the
> > kernel. Therefore, I am looking for tasks I can accomplish to be involved
> > in real kernel development! Recently I found this project (kernel self
> > protection) and I thought it is so interesting.
> >
> > I don't know whether I can get involved and where I can begin; I am
> > looking forward to your response.
>
> Are you interested mostly in ARM-specific things? Are you interested
> in kernel-assisted userspace defenses too?
>
> -Kees
>
> --
> Kees Cook
> Nexus Security
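The bug class described in the reply above (a copy_from_user length taken from the user without a check, followed by the overwrite of a function pointer that sits after the buffer, so the next dispatch goes wherever the user said), shown as an added example that is not part of the thread and not code from either correspondent. It is user-space C that simulates the pattern: copy_from_user is replaced by a byte-copy stand-in, and the driver object, its ops table, the request struct and the handler names are all assumed for illustration. The hardened handler adds the one check the reply says is missing, a length comparison against the destination before the copy.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical driver-private object (an assumption, not a real driver):
 * a fixed-size scratch buffer followed by an ops table pointer, standing in
 * for a heap object whose file_operations-style pointer sits right after
 * user-reachable data. */
struct dev_ops {
    long (*read)(void);
};

struct dev_priv {
    char buf[64];
    const struct dev_ops *ops;
};

/* Request as it would arrive through an ioctl: both fields are user-controlled. */
struct ioctl_req {
    uint32_t len;
    const unsigned char *data;
};

static long benign_read(void)   { return 1; }
static long attacker_read(void) { return 0xbad; }  /* attacker-chosen target */

static const struct dev_ops benign_ops = { benign_read };
static const struct dev_ops evil_ops   = { attacker_read }; /* fake ops table */

/* Stand-in for copy_from_user(): a byte loop kept out of line so the copy is
 * neither inlined nor rewritten as a fortified memcpy that would abort before
 * the overwrite happens. Returns 0 on success like the kernel's version. */
__attribute__((noinline))
static int fake_copy_from_user(void *to, const void *from, size_t n)
{
    volatile unsigned char *d = to;
    const unsigned char *s = from;
    while (n--)
        *d++ = *s++;
    return 0;
}

/* Vulnerable handler: req->len is trusted, so any len > sizeof(buf) keeps
 * writing into priv->ops, and the next dispatch goes through the user's pointer. */
static long vuln_ioctl(struct dev_priv *priv, const struct ioctl_req *req)
{
    if (fake_copy_from_user(priv->buf, req->data, req->len))
        return -EFAULT;
    return priv->ops->read();
}

/* Hardened handler: reject the request before the copy if it cannot fit. */
static long fixed_ioctl(struct dev_priv *priv, const struct ioctl_req *req)
{
    if (req->len > sizeof(priv->buf))
        return -EINVAL;
    if (fake_copy_from_user(priv->buf, req->data, req->len))
        return -EFAULT;
    return priv->ops->read();
}

/* Constructed payload: fill buf, then place a pointer to the attacker's ops
 * table exactly where priv->ops lives. Returns the payload length. */
static size_t build_payload(unsigned char *out, const struct dev_ops *target)
{
    size_t off = offsetof(struct dev_priv, ops);
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return off + sizeof target;
}

/* Run one request against a fresh object and report what the handler returned. */
static long run_request(long (*handler)(struct dev_priv *, const struct ioctl_req *),
                        uint32_t len, const unsigned char *data)
{
    struct dev_priv *priv = calloc(1, sizeof *priv);
    if (!priv)
        return -ENOMEM;
    priv->ops = &benign_ops;
    struct ioctl_req req = { len, data };
    long ret = handler(priv, &req);
    free(priv);
    return ret;
}

long demo_overwrite(void)   /* vulnerable path: read() is hijacked, returns 0xbad */
{
    unsigned char payload[sizeof(struct dev_priv)];
    size_t n = build_payload(payload, &evil_ops);
    return run_request(vuln_ioctl, (uint32_t)n, payload);
}

long demo_fixed(void)       /* same payload against the fixed path: -EINVAL */
{
    unsigned char payload[sizeof(struct dev_priv)];
    size_t n = build_payload(payload, &evil_ops);
    return run_request(fixed_ioctl, (uint32_t)n, payload);
}

long demo_benign(void)      /* in-bounds request still works: benign read() returns 1 */
{
    static const unsigned char hello[] = "hello";
    return run_request(fixed_ioctl, sizeof hello, hello);
}

int main(void)
{
    printf("vulnerable handler: read() returned 0x%lx\n", demo_overwrite());
    printf("fixed handler: returned %ld (-EINVAL is %d)\n", demo_fixed(), -EINVAL);
    printf("fixed handler, in-bounds request: %ld\n", demo_benign());
    return 0;
}
```

Build with `gcc -O2 -o overwrite_demo overwrite_demo.c` and run it. Note that keeping `evil_ops` in read-only memory changes nothing here: the attacker controls where `priv->ops` points, not the contents of the legitimate table, which is why the reply asks about making the pointers themselves const rather than only the tables. In a real kernel the object and the fake table are separate allocations and the fake table typically lives in memory the attacker can reach (the ret2dir case the reply mentions); the simulation keeps both in one process only so the overwrite is deterministic.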