From: Gengjia Chen
Date: Thu, 13 Oct 2016 19:14:55 +0800
Subject: Re: [kernel-hardening] self introduction
To: keescook@chromium.org
Cc: kernel-hardening@lists.openwall.com
References: <1476016472.2329.38.camel@cvidal.org> <1476040182.2329.72.camel@cvidal.org> <20161009193731.GD14666@pc.thejh.net> <2236FBA76BA1254E88B949DDB74E612B41BDCAF6@IRSMSX102.ger.corp.intel.com> <1476115319.2329.108.camel@cvidal.org>

> In your research have you seen a common kind of bug that results in
> the vulnerabilities you find?

No,

Most of those issues are caused by the lack of checking of user input length
in copy_xx_user functions or afterwards in memcpy functions;
however, looking into the details,
they vary among different functions in different files.

> Is there anything that would have
> significantly made exploitation more difficult in the things you
> worked on?

Yes!

I mostly exploit buffer overflow vulns by overwriting function pointers (such as
pointers in file_operations) of a global object or a heap object
to redirect execution (and if PXN is enabled, we simply use ROP gadgets).
Therefore mitigation solutions for function pointer overwrite would
make such kind of exploitation much more difficult.
But I don't know if you have made all the pointers "const".

Besides, ret2dir is a common way to exploit UAF vulns,
so I think solutions like XPFO are a way to make
that kind of exploitation more difficult.

Right now KASLR is still disabled in most Android devices,
so it is easy to get kernel symbol addresses;
however, if KASLR is enabled, it may make exploitation more difficult.

> Are you interested mostly in ARM-specific things?

I am familiar with ARM-specific things mostly, but I can also accept x86/x64 tasks.

> Are you interested in kernel-assisted userspace defenses too?

What does that mean? Something like seccomp?

2016-10-13 6:31 GMT+08:00 Kees Cook <keescook@chromium.org>:
> On Tue, Oct 11, 2016 at 8:19 PM, Gengjia Chen <chengjia4574@gmail.com> wrote:
> > Hi all,
>
> Hi, welcome!
>
> > My name is Jiayy (@chengjia4574). I am currently a security researcher in
> > Android and Linux kernel. My research consists of hunting vulnerabilities
> > in kernel code (most of them within drivers) and doing exploits using those
> > vulns.
> > I have found more than 40 vulnerabilities which were confirmed by the Android
> > Security Team
> > in the past year. I also figured out some ways to attack mitigation solutions
> > of the kernel
> > (such as bypassing PXN).
>
> In your research have you seen a common kind of bug that results in
> the vulnerabilities you find? Is there anything that would have
> significantly made exploitation more difficult in the things you
> worked on?
>
> > Those works helped me get familiar with the kernel (device tree, memory
> > management,
> > network, some features especially those associated with security such as
> > PXN, SELinux, seccomp) and ARM instructions. However, it is not enough to get
> > involved in real security development in the kernel. Therefore, I am looking for
> > a task
> > I can accomplish to be involved in real kernel development! Recently I
> > found
> > this project (kernel self protection) and I thought it is so interesting.
> >
> > I don't know whether I can get involved and where I can begin; I am looking
> > forward to
> > your response.
>
> Are you interested mostly in ARM-specific things? Are you interested
> in kernel-assisted userspace defenses too?
>
> -Kees
>
> --
> Kees Cook
> Nexus Security
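The bug class Gengjia describes above (a driver reads a length from user-controlled input and then copies that many bytes into a fixed kernel buffer without ever comparing the two), shown as an added, userspace-runnable illustration. This is not code from the thread or from any real driver: copy_from_user() is replaced by a stand-in (copy_from_user_sim) that always succeeds, and the struct names, the 64-byte buffer and the canary that stands in for whatever neighbours the buffer in a real object (for example a function pointer) are all assumptions made for the demo. The vulnerable handler sits beside the hardened one so the missing check is the only difference.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE    64    /* fixed kernel-side buffer (assumed size) */
#define CANARY_LEN  8     /* stands in for whatever follows the buffer */
#define CANARY_BYTE 0xA5

/* Hypothetical per-device private data. In a real driver the bytes after
 * the buffer might be the object's own function pointers or the next heap
 * object; here both live in one array so the simulated overflow stays
 * inside defined memory. */
struct dev_priv {
    unsigned char mem[BUF_SIZE + CANARY_LEN];
};

/* Hypothetical wire format the caller hands to the ioctl: a length
 * followed by the payload. */
struct user_msg {
    uint32_t len;
    unsigned char payload[BUF_SIZE + CANARY_LEN];
};

/* Userspace stand-in for copy_from_user(): returns the number of bytes
 * NOT copied (0 means success). It never fails in this simulation. */
static unsigned long copy_from_user_sim(void *to, const void *from, unsigned long n)
{
    memcpy(to, from, n);
    return 0;
}

/* Zero the buffer and lay a canary right after it. */
void dev_init(struct dev_priv *d)
{
    memset(d->mem, 0, BUF_SIZE);
    memset(d->mem + BUF_SIZE, CANARY_BYTE, CANARY_LEN);
}

/* 1 if nothing has written past the end of the buffer, 0 otherwise. */
int dev_canary_intact(const struct dev_priv *d)
{
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (d->mem[BUF_SIZE + i] != CANARY_BYTE)
            return 0;
    return 1;
}

/* Vulnerable handler: takes the length from the user-controlled header and
 * copies that many bytes into the 64-byte buffer without bounding it. */
int ioctl_set_buf_vuln(struct dev_priv *d, const struct user_msg *umsg)
{
    uint32_t len;

    if (copy_from_user_sim(&len, &umsg->len, sizeof(len)))
        return -EFAULT;
    if (copy_from_user_sim(d->mem, umsg->payload, len))   /* len unchecked */
        return -EFAULT;
    return 0;
}

/* Hardened handler: the only change is rejecting anything the buffer
 * cannot hold before the copy happens. */
int ioctl_set_buf_fixed(struct dev_priv *d, const struct user_msg *umsg)
{
    uint32_t len;

    if (copy_from_user_sim(&len, &umsg->len, sizeof(len)))
        return -EFAULT;
    if (len > BUF_SIZE)
        return -EINVAL;
    if (copy_from_user_sim(d->mem, umsg->payload, len))
        return -EFAULT;
    return 0;
}

/* Constructed request: claims 72 bytes for a 64-byte buffer. The size is
 * chosen so the simulated overflow lands exactly on the canary and no
 * further, keeping the demo inside the array. */
void make_overlong_msg(struct user_msg *m)
{
    m->len = BUF_SIZE + CANARY_LEN;
    memset(m->payload, 0x41, sizeof(m->payload));
}

int main(void)
{
    struct dev_priv d;
    struct user_msg m;

    make_overlong_msg(&m);

    dev_init(&d);
    int r1 = ioctl_set_buf_vuln(&d, &m);
    printf("vuln:  ret=%d canary_intact=%d\n", r1, dev_canary_intact(&d));

    dev_init(&d);
    int r2 = ioctl_set_buf_fixed(&d, &m);
    printf("fixed: ret=%d canary_intact=%d\n", r2, dev_canary_intact(&d));
    return 0;
}
```

The vulnerable path returns 0 and clobbers the canary; the fixed path returns -EINVAL and leaves it intact. In a real driver the clobbered bytes would be whatever the allocator placed after the buffer, which is exactly why overwriting a neighbouring function pointer works as the reply describes.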