https://pwnn.me/tags/kernel/Recent content in Kernel on wh0isthatguyHugo -- gohugo.ioenryan@pwnn.me (wh0isthatguy)ryan@pwnn.me (wh0isthatguy)flag{my_c0pyr1ght}Mon, 29 Jan 2024 00:00:00 +0000https://pwnn.me/blog/linuxkernelstack/Mon, 29 Jan 2024 00:00:00 +0000ryan@pwnn.me (wh0isthatguy)https://pwnn.me/blog/linuxkernelstack/<div class="flex px-4 py-3 rounded-md shadow bg-primary-100 dark:bg-primary-900" > <span class="text-primary-400 pe-3 flex items-center" > <span class="relative block icon"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path fill="currentColor" d="M506.3 417l-213.3-364c-16.33-28-57.54-28-73.98 0l-213.2 364C-10.59 444.9 9.849 480 42.74 480h426.6C502.1 480 522.6 445 506.3 417zM232 168c0-13.25 10.75-24 24-24S280 154.8 280 168v128c0 13.25-10.75 24-23.1 24S232 309.3 232 296V168zM256 416c-17.36 0-31.44-14.08-31.44-31.44c0-17.36 14.07-31.44 31.44-31.44s31.44 14.08 31.44 31.44C287.4 401.9 273.4 416 256 416z"/></svg> </span> </span> <span class="dark:text-neutral-300" ><strong>Images not loading?</strong> Try accessing this site using a VPN.</span> </div> <h2 class="relative group">Mitigations <div id="mitigations" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#mitigations" aria-label="Anchor">#</a> </span> </h2> <h3 class="relative group">1. SMEP <div id="1-smep" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#1-smep" aria-label="Anchor">#</a> </span> </h3> <ul> <li>dont allow to execute user space code</li> <li>in qemu, to enable SMEP we use <code>-cpu+smep</code> to disasble it use <code>-append nosmep</code></li> <li>SMEP is a hardware security mechanism. Setting the 21st bit of the CR4 register enables SMEP.</li> </ul> <h3 class="relative group">2. SMAP <div id="2-smap" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#2-smap" aria-label="Anchor">#</a> </span> </h3> <ul> <li>kernel space cannot read or write userspace memory</li> <li>to do that we need to use copy_from_user / copy_to_user</li> </ul> <h3 class="relative group">3. Kernel Canary <div id="3-kernel-canary" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#3-kernel-canary" aria-label="Anchor">#</a> </span> </h3> <ul> <li>the same as stack canary on user land</li> <li>enabled in the kernel at compile time and cannot be disabled.</li> </ul> <h3 class="relative group">4. KASLR <div id="4-kaslr" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#4-kaslr" aria-label="Anchor">#</a> </span> </h3> <ul> <li>randomizes the base address where the kernel is loaded each time the system is booted</li> <li>It can be enabled/disabled by adding <code>kaslr</code> or <code>nokaslr</code> under <code>-append</code> option.</li> </ul> <h3 class="relative group">5. KPTI (Kernel Page-Table Isolation) <div id="5-kpti-kernel-page-table-isolation" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#5-kpti-kernel-page-table-isolation" aria-label="Anchor">#</a> </span> </h3> <ul> <li>prevent Meltdown (side-channel attack)</li> </ul> <h3 class="relative group">6. KADR (Kernel Address Display Restriction) <div id="6-kadr-kernel-address-display-restriction" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#6-kadr-kernel-address-display-restriction" aria-label="Anchor">#</a> </span> </h3> <ul> <li>hide kernel address /proc/kallsyms</li> <li><code>/proc/sys/kernel/kptr_restrict</code> : 0 to disable it</li> </ul> <p>Kernel have sus function : <code>run_cmd(char * cmd)</code> : run cmd in userspace as root.</p>