Reading Kernel Source Code - Analysis of an Exploit
- Published 29 Jun 2024
- Last video we looked at a kernel exploit against SerenityOS Kernel. This video we dig deep into the sources to find out why the vulnerability exists. After that we even attempt to find our own exploit.
Part 1 - The Kernel Exploit: • Kernel Root Exploit vi...
00:00 - Intro
00:27 - Part 1 - Linux vs. Serenity
01:17 - Finding ptrace() in Linux
01:31 - Finding ptrace() in Serenity
02:12 - Comparing Linux and Serenity ptrace() Code
04:07 - Architecture Specific Code in Linux
04:45 - Continue Comparing Linux vs. Serenity ptrace() Code
05:08 - Conclusion of Part 1
05:57 - Part 2 - hxp wisdom2 Exploit Analysis
06:44 - Reading ptrace() again
07:26 - Reading execve() code
08:46 - The Critical execve() code
09:30 - Do You Notice The Vulnerability?
10:17 - Race Condition Exploit Strategy
11:48 - Part 3 - Doing Own Research
13:15 - Doing an Experiment
15:44 - Kernel Changes for Experiment
16:00 - Failed Experiment
16:26 - Asking Andreas Kling About Scheduler Code
17:45 - Conclusion - Read More Code
18:38 - Outro
=[ ❤️ Support ]=
→ per Video: / liveoverflow
→ per Month: / @liveoverflow
=[ 🐕 Social ]=
→ Twitter: / liveoverflow
→ Instagram: / liveoverflow
→ Website: liveoverflow.com/
→ Subreddit: / liveoverflow
→ Facebook: / liveoverflow
Much respect to Andreas Kling. We take these projects for granted sometimes. We should give these guys the credit and respect they deserve. They don't ask for one cent. Wishing him happiness and wealth!
11:05 This is not true! That Vector type is from the AK namespace (with the namespace omitted due to frequency of use) -- it is NOT a standard vector, nor an implementation of it. Although you're probably still right about the linear complexity, just wanted to clear that up.
-Also for fun points, the AK library stands for Andreas Kling :^)-
I have lied, it stands for Agnostic Kit, not Andreas Kling.
oooh I always wondered what AK meant, thank you for sharing
It means Автомат Калашникова or also known as Automat Kalašnikov or Automat Kalashnikov.
You know, the cheap rifle.
I might be wrong as I can't find the source, but I think that on one of the Car Talk videos someone asked about that. As a response I think Andreas stated that it was just a coincidence, but that the name AK comes from.. apple? (might be wrong, nokia?), being derived from Application Toolkit, just a container namespace for tools with a handy, compact name.
I was wondering about the meaning of AK for a long time lol
I believed Andreas talked about how it referred to Agnostic Kit
I just loved this video for several reasons namely:
1. You showed exactly how to search for details for the problem in question.
2. You showed how to ignore the steps not relevant for the problem and what to care about
3. You showed how to get around technical details and getting an experiment done without being too technical about low level stuff and still getting a useful outcome.
I'd love to see more videos like that, because they are well structured and give a nice learning path.
11:05 Actually, the Vector class used in SerenityOS is custom, especially in the kernel. You can't use the standard library in freestanding environments such as the kernel. But they are very similar, so you can definitely look up the std docs to learn something about it.
searched this comment to say that.
You can totally use it with some patches. C++ allows you to override global "operator new"
@thewhitefalcon8539 you definitely can, but in the kernel it's not too useful. you want to have total knowledge of what allocates and in what circumstance beyond the info the standard provides
besides, the most useful headers (e.g. atomic) have freestanding implementations (or they're supposed to... it's a bit of a pain to set up still.)
@gianni50725 Actually you do not need the kernel to have full knowledge of everything. It's useful in mature kernels to have that kind of introspection ability (see what is using up your memory) but it's not required for a toy or prototype
The way you edit your videos is fuckin dope! Feels like it makes such heavy technical topics you go after so watchable and almost fun to [try and] follow along with!👌
Serenity is such an interesting project
Thank you for constantly providing such high quality educational videos. Thanks a lot
Wow, I actually didn't know that $ was a legal character in c++ identifiers.
Same here!
in js too
Damn
@overlisted That much is obvious, since jQuery defines a function called $
Technically $ is not a legal character in C++ identifiers according to the standard. But it allows for implementation-defined identifier characters, and MSVC and GCC both allow $, so there you go.
Fun fact: Linux also started as a "toy project"
"Nothing serious" - Linus, 1991
Linux isn't worth more, but people are taking it seriously. Just take a look at a real Unix/real OS.
@xmine64 What about 90% of the public cloud workload that is being run by Linux?
@xmine64 Seems you live in a fourth world!
@kumarisuman4565 😂
Very informative channel... Highly unrated... Keep up the good work...
Great content as always 😍
Man your intro is just nostalgic 😍
Worth video 🔥🔥 Keep rock bro..
Very great explanation!
Do TempleOS next 😂
did you get all my error messages?
@treyquattro no only this one
He will not be able to find a bug, keep in mind it was created using divine intellect.
Great video. My fav channel :)
My first thought was to use an excessive number of threads to introduce a larger timing window. My second thought was to start new threads in the middle of the old threads being destroyed.
This is extremely awesome
Excellent points being raised
Especially the extra underscore
He's back.
This is great content!
Now that you explain it this bug is very cool. I should look at race conditions more.
Thank you for this video!
Wow the hax program makes an ad appear you are a cool hacker :D
I wish,i had him as teacher,during my bachelors.
Well, Having him on UA-cam is best for u and everyone, Right?? :)
@priyanshugupta3207 Absolutely,why should only i have all the fun 😀
What’s with your use of commas dude?
@Asdayasman uhhm ummh uhhhm ...
i paid for university for 4 years and got 95 credits and failed, waste of money. videos like this for free are a much better deal
Your exploit explanations are amazing! I hope u don't mind a bit of unsolicited advice, but I personally find browsing the source code documentation generated by ctags inline when ur already using vscode is much more preferable than having to google things or look at the header file.
serenity is cool af
Amazing! Thank you
Thanks! V3ry interesting topic
Thanks for the video =)
thank you 🙏🏻🙏🏻🙏🏻
True man, Serenity is great, we have a lot of space to implement basic stuff in Serenity OS
you are incredible :)
As always great video :)
Looking forward to a video "Linux vs Mental Health" 😀
gREAT JOB.
After completing the Operating System Course at my University I wish I knew about SerenityOS earlier. As we also had to implement features like exec in a C++ Kernel following the POSIX standard, this would have been much more useful than trying to understand the Linux implementation. Still thank you for this awesome video! :)
That's why I say learn Minix, it's so small and easy to understand. If you learn Minix you will essentially learn SerenityOS
i think i understand now, by the time you understand linux perfectly enough to be a linux kernel developer, you have already had to learn every other unix like os that exists, like stepping stones
@tacokoneko More or less, this video showed you kind of just need to learn three'ish OSs. Which OSs you learn from dictate how much time you'll spend, minix versus SerenityOS versus full on Linux (like slackware). Then wherever you start you can move to ReactOS to start understanding Windows. By the way being a kernel developer is a totally different concept than just trying to understand operating system theory and practice.
@NetworkITguy yes as he has said, to be a kernel developer you have to read and understand a kernel source code and then change it to be better. i dont want to understand windows i only like GNU/Linux and other unix like operating systems
A different way to exploit kill_threads_except_self and make the execution take longer (so that the ptrace poke from another process has time to work), might be to create a large number of threads with resources in those threads which this kill_threads_* code needs to clean up. Maybe an alternative to using unveil.
I was looking at that too. Also, what happens if some of those threads have things like open file handles? Bad things can happen if the rug is pulled at certain critical points, so presumably the OS would have safeguards to prevent this. Though I expect these would be resolved in the set_thread() call, which is too early to take advantage of.
Thanks
Is it convenient to practice buffer overflow or string formatting, even when these types of exploits are no longer so common (because systems are more protected)? What kinds of things should you investigate to find vulnerabilities in more current systems?
If the scheduler could run on multiple cores, there could still be a race condition by running yields, if the check in the scheduler could run before the action of the scheduler. Try slowing down the scheduler too, and make sure the VM has at least two physical cores.
Cool Beard :)
There I was speculating about all of those unveil calls, and from the generation of a long list of conspicuously irrelevant data I figured that must be a roundabout way of implementing a delay loop without the ability to inject code where you need it. While unconventional to build a large data structure just to serve as an iteration counter, it still gets the job done when the input data to the loop is the only access you have to the desired delay injection point. After all, it is an effective way of implementing the basic form of any delay loop, which is simply "for largeSet; do burnCyclesToWasteTime; done". How that set is generated or the opcodes used to burn CPU cycles as a crude inefficient timer are arbitrary implementation details; the result is the same.
Much respect to Andreas Kling.
When I wrote the threading code for FreeBSD I put changes in both exec and fork to make sure that other threads did not proceed in the child or new process. It's pretty obvious if you think about it that only the running thread should continue.. Other threads will just "vanish"
I'm looking for the theme that the SerenityOS Dev uses. Looks really easy on eyes
Talk about the massive solar winds hack please!
Just as a thought experiment, cant you also increase the time it takes to reach the euid set by slowing down kill_threads_except_self by spawning many Threads beforehand?
Lmao the “Linux vs Serenity” got to me 😭
Push!
It's interesting that this bug proposed can't happen because of lack of SMP support: there's nothing to stop the other threads there, and it relies on being in kernel implying nothing else is running
this type of stuff interests me but i have ZERO clue what is actually going on hahaha
Lol interesting?? Super interesting !!
I am not getting most of the thing right now, will come back after primer
Hi... I know this is an old post but I want to comment something... What happens if you filter all inputs? Like by integers or chars only and sanitize all before...? Is it harder to find vulns?😁
11:05, Serenity Vector is not std::vector, serenity doesn't use std:: at all
I was surprised and skeptical in the same time
if, as he's been saying, the _implementation_ is _very similar_ though, does that matter? if number of instruction cycles increases by the same factors, his point is the same
@tacokoneko If he knew it wasn't std::vector he wouldn't've gone to the documentation for std::vector, because it's completely unrelated, you might as well be reading java documentation.
It's clearly a mistake.
He was correct about the time complexity by chance but that doesn't really change anything.
Redox OS next!
Love serenity
You making Andreas heart bleed saying his baby is unusable xDDD
Yes, this means Linux is much more sophisticated and harder to break, or not?
@LiveOverflow Any plans to start posting your content on LBRY/Odysee?
the beard is very scary
You could also read a good book. But why would that be fun :D
have you compared it with FreeBSD as well?
saying "hello" in thirty-nine languages.. spelt different, completely different, sometimes sound similar or even nowhere close. but exactly the same thing. ish.... i am probably wrong with my analogy.
Kernelman has been destroyed by LiveOverflow
5 min into the video and i am already lost.
Wow, didn't know C++11 had anonymous functions, I had to try =D
They got better in every update since then, and there's an accepted proposal in C++23 to continue improving them for the next update.
1:07 they are very useful for aimbots and other cheats yeah?
42nd view i am therefore life
, the universe and Everything.
As someone who only writes C I find it simpler to read the Linux source. The idea that C++ is "better" or "simpler" only exists in the generation that learnt object oriented programming. When I learnt to code (self taught mostly) we had assembler, C, Fortran or Pascal... that was pretty much it.
You look like the guy out of Superbad lol
hi
Brother, I recommend eating potatoes and pork fat (salo), I suspect you will be feeling much better after you try it, seriously.
As for the video, like always, I understand only the basic concepts - but a very interesting video indeed. Thank you!
lol
Tf why
wtf are you on?
Probably people will yell at me but on both sides, the source code could have more comments :-/ This is what I hate from programmers (and I am one): no comments, no PDF explaining the algorithm/main purpose of the file, no examples, why functions are called in this particular order. I just get a laugh when hearing "and that sounds like one of the important functions"
I prefer writing self-documenting code. If your identifiers have decent names, you shouldn't need a whole lot of comments.
@davidfrischknecht8261 Half troll: I hope this does not mean to type 100+ char for each variable or function :/
Maybe I am wrong, but the code should be just as much commented as necessary for a competent programmer to understand the details, not more.
The codes shown in the video is well readable in my opinion, and understandable if you dive deep enough into them.
I think teaching how a particular system or subsystem works (in general, to a "stranger" who is not familiar with the topic) is out of scope of the comments.
Books or application notes or similar could be written separately, but it should not be in the comments.
On a side note, programmers hate to write documents, which is understandable, especially for community-driven projects, as writing documentation terribly lowers the efficiency of programming. Which only lowers the accomplished tasks in a given time frame at best, but might lead to losing motivation at worst. Not everyone is a good teacher; one could possibly write excellent code, but have difficulty explaining it to non-competent people, and thus won't find it interesting.
what ??
1st
sixth comment!
Hi
first comment
Oooooo
I don't understand what it means, bro 😭
Get fake
SerenityOs kinda reminds me of TempleOs; both in naming and implementation
How are their implementations similar? To me they seem night and day. TempleOS is 64 bit, Serenity is 32 bit. TempleOS was written in asm and jit-compiled HolyC, SerenityOS was written in asm and aot-compiled C++20. TempleOS was antithetical to POSIX / Unix, SerenityOS is extremely Unix-like. TempleOS deliberately has no internet capabilities or advanced graphics, Serenity is working towards having a Javascript and CSS compliant custom web browser and OpenGL conformant graphics implementation.
tell me what is your natural language? because in all of your videos i thought you're just an indian guy
He is german, his accent is strong but quite different from the Indian one
😂 indian wtf. He doesn't sound like it at all
Lmao are you the non-weeb version of me? Subbed to PoE stuff, chess stuff, and code stuff.
@lummarh9385 maybe it's just me i watched many Indian tutorial vids lately
@Asdayasman yes.. FINALLY!! YOU FOUND ME!!!!
Bsd like licenses suck
like a mutex lock