Reading Kernel Source Code - Analysis of an Exploit

Views: 123,917

LiveOverflow

A day ago

In the last video we looked at a kernel exploit against the SerenityOS kernel. In this video we dig deep into the sources to find out why the vulnerability exists. After that we even attempt to find our own exploit.
Part 1 - The Kernel Exploit: • Kernel Root Exploit vi...
00:00 - Intro
00:27 - Part 1 - Linux vs. Serenity
01:17 - Finding ptrace() in Linux
01:31 - Finding ptrace() in Serenity
02:12 - Comparing Linux and Serenity ptrace() Code
04:07 - Architecture Specific Code in Linux
04:45 - Continue Comparing Linux vs. Serenity ptrace() Code
05:08 - Conclusion of Part 1
05:57 - Part 2 - hxp wisdom2 Exploit Analysis
06:44 - Reading ptrace() again
07:26 - Reading execve() code
08:46 - The Critical execve() code
09:30 - Do You Notice The Vulnerability?
10:17 - Race Condition Exploit Strategy
11:48 - Part 3 - Doing Own Research
13:15 - Doing an Experiment
15:44 - Kernel Changes for Experiment
16:00 - Failed Experiment
16:26 - Asking Andreas Kling About Scheduler Code
17:45 - Conclusion - Read More Code
18:38 - Outro

Comments: 169
@_DeProgrammer 3 years ago
Much respect to Andreas Kling. We take these projects for granted sometimes. We should give these guys the credit and respect they deserve. They don't ask for one cent. Wishing him happiness and wealth!
@Dr.Underscore 3 years ago
11:05 This is not true! That Vector type is from the AK namespace (with the namespace omitted due to frequency of use) -- it is NOT a standard vector, nor an implementation of it. Although you're probably still right about the linear complexity, just wanted to clear that up. -Also for fun points, the AK library stands for Andreas Kling :^)- I have lied, it stands for Agnostic Kit, not Andreas Kling.
@networkException 3 years ago
oooh I always wondered what AK meant, thank you for sharing
@erwinjitsu_3706 3 years ago
It means Автомат Калашникова, also known as Automat Kalašnikov or Automat Kalashnikov. You know, the cheap rifle.
@andresvieira7943 3 years ago
I might be wrong as I can't find the source, but I think that on one of the Car Talk videos someone asked about that. As a response I think Andreas stated that it was just a coincidence, but that the name AK comes from.. apple? (might be wrong, nokia?), being derived from Application Toolkit, just a container namespace for tools with a handy, compact name.
@aymensekhri 3 years ago
I've been wondering about the meaning of AK for a long time lol
@kiro_f 3 years ago
I believe Andreas talked about how it referred to Agnostic Kit
@unsafecast3636 3 years ago
11:05 Actually, the Vector class used in SerenityOS is custom, especially in the kernel. You can't use the standard library in freestanding environments such as the kernel. But they are very similar, so you can definitely look up the std docs to learn something about it.
@Mankindux 2 years ago
Searched for this comment to say that.
@thewhitefalcon8539 A year ago
You can totally use it with some patches. C++ allows you to override the global "operator new".
@gianni50725 A year ago
@@thewhitefalcon8539 You definitely can, but in the kernel it's not too useful. You want to have total knowledge of what allocates and in what circumstances, beyond the info the standard provides. Besides, the most useful headers (e.g. atomic) have freestanding implementations (or they're supposed to... it's a bit of a pain to set up still.)
@thewhitefalcon8539 A year ago
@@gianni50725 Actually you do not need the kernel to have full knowledge of everything. It's useful in mature kernels to have that kind of introspection ability (see what is using up your memory), but it's not required for a toy or prototype.
@krumpy8259 3 years ago
I just loved this video for several reasons, namely: 1. You showed exactly how to search for details for the problem in question. 2. You showed how to ignore the steps not relevant for the problem and what to care about. 3. You showed how to get around technical details and get an experiment done without being too technical about low-level stuff, while still getting a useful outcome. I'd love to see more videos like that, because they are well structured and give a nice learning path.
@Paginski 3 years ago
Serenity is such an interesting project
@naturallyinterested7569 3 years ago
Wow, I actually didn't know that $ was a legal character in C++ identifiers.
@OmarChida 3 years ago
Same here!
@overlisted 3 years ago
in JS too
@RedStone576 3 years ago
Damn
@PhoenixClank 3 years ago
@@overlisted That much is obvious, since jQuery defines a function called $
@OMGclueless 3 years ago
Technically $ is not a legal character in C++ identifiers according to the standard. But it allows for implementation-defined identifier characters, and MSVC and GCC both allow $, so there you go.
@spicybaguette7706 3 years ago
Fun fact: Linux also started as a "toy project"
@Extys 3 years ago
"Nothing serious" - Linus, 1991
@xmine64 3 years ago
Linux isn't worth more, but people are taking it seriously. Just take a look at a real Unix/real OS.
@defofoff987 2 years ago
@@xmine64 What about the 90% of public cloud workloads that are run by Linux?
@kumarisuman4565 2 years ago
@@xmine64 Seems you live in a fourth world!
@andreicapi3535 2 years ago
@@kumarisuman4565 😂
@GBlunted 3 years ago
The way you edit your videos is fuckin dope! Feels like it makes such heavy technical topics you go after so watchable and almost fun to [try and] follow along with!👌
@rawbytes7356 3 years ago
Thank you for constantly providing such high quality educational videos. Thanks a lot
@devnull7970 3 years ago
Your exploit explanations are amazing! I hope you don't mind a bit of unsolicited advice, but I personally find browsing the source code documentation generated by ctags inline, when you're already using VS Code, much more preferable to having to google things or look at the header file.
@henke37 3 years ago
My first thought was to use an excessive number of threads to introduce a larger timing window. My second thought was to start new threads in the middle of the old threads being destroyed.
@aayub 3 years ago
Very informative channel... Highly underrated... Keep up the good work...
@rujotheone 3 years ago
Now that you explain it, this bug is very cool. I should look at race conditions more.
@iyxan2340 3 years ago
Very great explanation!
@SuryaTejaKarra 3 years ago
Great content as always 😍
@mccoysebrell630 3 years ago
Excellent points being raised
@mccoysebrell630 3 years ago
Especially the extra underscore
@solcloud A year ago
Thank you for this video!
@lambdaboy-29 3 years ago
Man, your intro is just nostalgic 😍
@mushenji 3 years ago
This is extremely awesome
@santhoshvr 3 years ago
Worthy video 🔥🔥 Keep rocking bro..
@zanidd 3 years ago
Do TempleOS next 😂
@treyquattro 3 years ago
did you get all my error messages?
@zanidd 3 years ago
@@treyquattro no, only this one
@dannwe123 3 years ago
He will not be able to find a bug, keep in mind it was created using divine intellect.
@w3w3w3 3 years ago
Great video. My fav channel :)
@tomydurazno6243 2 years ago
This is great content!
@Zedoy 3 years ago
Wow, the hax program makes an ad appear, you are a cool hacker :D
@diegodejesus9668 3 years ago
Is it convenient to practice buffer overflows or format strings, even when these types of exploits are no longer so common (because systems are more protected)? What kinds of things should you investigate to find vulnerabilities in more current systems?
@AkashSingh-uk5ub 3 years ago
I wish,i had him as teacher,during my bachelors.
@priyanshugupta3207 3 years ago
Well, having him on KZfaq is best for you and everyone, right?? :)
@AkashSingh-uk5ub 3 years ago
@@priyanshugupta3207 Absolutely, why should only I have all the fun 😀
@Asdayasman 3 years ago
What's with your use of commas dude?
@AkashSingh-uk5ub 3 years ago
@@Asdayasman uhhm ummh uhhhm ...
@tacokoneko 3 years ago
I paid for university for 4 years and got 95 credits and failed, waste of money. Videos like this for free are a much better deal.
@tonicuenca4043 3 years ago
Amazing! Thank you
@n0trusts3c 3 years ago
Thanks! V3ry interesting topic
@CodingWorm 3 years ago
He's back.
@OthmanAlikhan 3 years ago
Thanks for the video =)
@dislikebutton9925 3 years ago
True man, Serenity is great, we have a lot of space to implement basic stuff in SerenityOS
@sembutininverse 3 years ago
thank you 🙏🏻🙏🏻🙏🏻
@epicujjwal 3 years ago
serenity is cool af
@DerThomyLP 3 years ago
After completing the Operating Systems course at my university I wish I had known about SerenityOS earlier. As we also had to implement features like exec in a C++ kernel following the POSIX standard, this would have been much more useful than trying to understand the Linux implementation. Still, thank you for this awesome video! :)
@seraphina985 2 years ago
There I was speculating about all of those unveil calls, and from the generation of a long list of conspicuously irrelevant data I figured that must be a roundabout way of implementing a delay loop without the ability to inject code where you need it. While it is unconventional to build a large data structure just to serve as an iteration counter, it still gets the job done when the input data to the loop is the only access you have to the desired delay injection point. After all, it is an effective way of implementing the basic form of any delay loop, which is simply "for largeSet; do burnCyclesToWasteTime; done". How that set is generated, or the opcodes used to burn CPU cycles as a crude inefficient timer, are arbitrary implementation details; the result is the same.
@eternaldoorman5228 3 years ago
Looking forward to a video "Linux vs Mental Health" 😀
@PhatPazzo 3 years ago
If the scheduler could run on multiple cores, there could still be a race condition by running yields, if the check in the scheduler could run before the action of the scheduler. Try slowing down the scheduler too, and make sure the VM has at least two physical cores.
@Grub4K 3 years ago
Just as a thought experiment, can't you also increase the time it takes to reach the euid set by slowing down kill_threads_except_self by spawning many threads beforehand?
@JannisAdmek 3 years ago
you are incredible :)
@binaryagenda 3 years ago
A different way to exploit kill_threads_except_self and make the execution take longer (so that the ptrace poke from another process has time to work) might be to create a large number of threads with resources in those threads which this kill_threads_* code needs to clean up. Maybe an alternative to using unveil.
@Keldor314 3 years ago
I was looking at that too. Also, what happens if some of those threads have things like open file handles? Bad things can happen if the rug is pulled at certain critical points, so presumably the OS would have safeguards to prevent this. Though I expect these would be resolved in the set_thread() call, which is too early to take advantage of.
@luckyverri3374 3 years ago
gREAT JOB.
@julianelischer6961 2 years ago
When I wrote the threading code for FreeBSD I put changes in both exec and fork to make sure that other threads did not proceed in the child or new process. It's pretty obvious if you think about it that only the running thread should continue.. Other threads will just "vanish"
@cyber1377 3 years ago
Thanks
@NetworkITguy 3 years ago
That's why I say learn Minix, it's so small and easy to understand. If you learn Minix you will essentially learn SerenityOS
@tacokoneko 3 years ago
I think I understand now: by the time you understand Linux perfectly enough to be a Linux kernel developer, you have already had to learn every other Unix-like OS that exists, like stepping stones
@NetworkITguy 3 years ago
@@tacokoneko More or less, this video showed you kind of just need to learn three-ish OSs. Which OSs you learn from dictate how much time you'll spend: Minix versus SerenityOS versus full-on Linux (like Slackware). Then wherever you start you can move to ReactOS to start understanding Windows. By the way, being a kernel developer is a totally different concept than just trying to understand operating system theory and practice.
@tacokoneko 3 years ago
@@NetworkITguy yes, as he has said, to be a kernel developer you have to read and understand a kernel's source code and then change it to be better. I don't want to understand Windows, I only like GNU/Linux and other Unix-like operating systems
@totemkid7976 3 years ago
As always, great video :)
@mundusesttuum2536 2 years ago
Hi... I know this is an old post but I want to comment something... What happens if you filter all inputs? Like by integers or chars only and sanitize everything before...? Is it harder to find vulns?😁
@think-IT42 3 years ago
Cool Beard :)
@Jay-je8tu 3 years ago
I'm looking for the theme that the SerenityOS dev uses. Looks really easy on the eyes
@Anonymouspock 3 years ago
It's interesting that this proposed bug can't happen because of the lack of SMP support: there's nothing to stop the other threads there, and it relies on being in the kernel implying nothing else is running
@BlackHermit 3 years ago
Much respect to Andreas Kling.
@FatalRescue 3 years ago
Talk about the massive SolarWinds hack please!
@andybryanboutchouangsimbaf8395 3 years ago
Lmao the "Linux vs Serenity" got to me 😭
@tg7943 3 years ago
Push!
@williamobando4159 3 years ago
Lol interesting?? Super interesting !!
@julianelischer6961 2 years ago
have you compared it with FreeBSD as well?
@Dominik-K 21 days ago
Love serenity
@chyza2012 3 years ago
11:05, Serenity's Vector is not std::vector, Serenity doesn't use std:: at all
@OmarChida 3 years ago
I was surprised and skeptical at the same time
@tacokoneko 3 years ago
if, as he's been saying, the _implementation_ is _very similar_ though, does that matter? if the number of instruction cycles increases by the same factors, his point is the same
@chyza2012 3 years ago
@@tacokoneko If he knew it wasn't std::vector he wouldn't have gone to the documentation for std::vector, because it's completely unrelated, you might as well be reading Java documentation. It's clearly a mistake. He was correct about the time complexity by chance but that doesn't really change anything.
@KitsuneAlex A year ago
You're making Andreas' heart bleed saying his baby is unusable xDDD
@Benjji 3 years ago
this type of stuff interests me but i have ZERO clue what is actually going on hahaha
@AK.Adventures 3 years ago
I am not getting most of the things right now, will come back after a primer
@SSS-sz8mg 3 years ago
Yes, this means Linux is much more sophisticated and harder to break, or not?
@Simon-xi8tb 3 years ago
Redox OS next!
@benricok 3 years ago
@LiveOverflow Any plans to start posting your content on LBRY/Odysee?
@sefzxm6486 3 years ago
saying "hello" in thirty-nine languages.. spelt differently, completely different, sometimes sounding similar or even nowhere close. but exactly the same thing. ish.... i am probably wrong with my analogy.
@hk5716 3 years ago
the beard is very scary
@Sqwan2 3 years ago
You could also read a good book. But why would that be fun :D
@supernov4678 3 years ago
Kernelman has been destroyed by LiveOverflow
@kuldeepsingh2983 3 years ago
5 min into the video and I am already lost.
@maratmkhitaryan9723 3 years ago
1:07 they are very useful for aimbots and other cheats, yeah?
@miklov 3 years ago
Wow, didn't know C++11 had anonymous functions, I had to try =D
@Cons-Cat 2 years ago
They got better in every update since then, and there's an accepted proposal in C++23 to continue improving them for the next update.
@yari_dawg 3 years ago
42nd view, I am therefore life
@tactileslut 3 years ago
, the universe and Everything.
@jordanoconnell48 3 years ago
You look like the guy out of Superbad lol
@jonshouse1 3 years ago
As someone who only writes C, I find it simpler to read the Linux source. The idea that C++ is "better" or "simpler" only exists in the generation that learnt object-oriented programming. When I learnt to code (self-taught mostly) we had assembler, C, Fortran or Pascal... that was pretty much it.
@quentinquadrat9389 3 years ago
Probably people will yell at me, but on both sides, the source code could have more comments :-/ This is what I hate about programmers (and I am one): no comments, no PDF explaining the algorithm/main purpose of the file, no examples, why functions are called in this particular order. I just get a laugh when hearing "and that sounds like one of the important functions"
@davidfrischknecht8261 3 years ago
I prefer writing self-documenting code. If your identifiers have decent names, you shouldn't need a whole lot of comments.
@quentinquadrat9389 3 years ago
@@davidfrischknecht8261 Half troll: I hope this does not mean typing 100+ chars for each variable or function :/
@moczikgabor 3 years ago
Maybe I am wrong, but the code should be commented just as much as necessary for a competent programmer to understand the details, not more. The code shown in the video is well readable in my opinion, and understandable if you dive deep enough into it. I think teaching how a particular system or subsystem works (in general, to a "stranger" who is not familiar with the topic) is out of scope for the comments. Books or application notes or similar could be written separately, but it should not be in the comments. On a side note, programmers hate to write documents, which is understandable, especially for community-driven projects, as writing documentation terribly lowers the efficiency of programming. Which only lowers the accomplished tasks in a given time frame at best, but might lead to losing motivation at worst. Not everyone is a good teacher; one could possibly write excellent code but have difficulty explaining it to non-competent people, thus they won't find it interesting.
@samin5900 3 years ago
hi
@shallwebeginvg5750 3 years ago
Brother, I recommend eating potatoes and pork fat (сало), I suspect you will be feeling much better after you try it, seriously. As for the video, like always, I understand only the basic concepts - but a very interesting video indeed. Thank you!
@flflflflflfl 3 years ago
lol
@ThebigFlanc 3 years ago
Tf why
@proloycodes 2 years ago
wtf are you on?
@Indic4Zone 3 years ago
sixth comment!
@hey9433 3 years ago
1st
@mayaliii 3 years ago
Oooooo
@TheeMelloMan 2 years ago
what ??
@lior_haddad 3 years ago
Hi
@juuamjskn2420 3 years ago
first comment
@bocah_ingusan5285 3 years ago
I don't understand what it means, bro😭
@chigozie123 3 years ago
SerenityOS kinda reminds me of TempleOS; both in naming and implementation
@Cons-Cat 2 years ago
How are their implementations similar? To me they seem night and day. TempleOS is 64-bit, Serenity is 32-bit. TempleOS was written in asm and JIT-compiled HolyC, SerenityOS was written in asm and AOT-compiled C++20. TempleOS was antithetical to POSIX / Unix, SerenityOS is extremely Unix-like. TempleOS deliberately has no internet capabilities or advanced graphics, Serenity is working towards having a JavaScript- and CSS-compliant custom web browser and an OpenGL-conformant graphics implementation.
@1e1001 3 years ago
Get fake
@kentmiggalen9756 3 years ago
tell me, what is your native language? because from all of your videos I thought you were just an Indian guy
@lummarh9385 3 years ago
He is German, his accent is strong but quite different from the Indian one
@sk8sbest 3 years ago
😂 Indian wtf. He doesn't sound like it at all
@Asdayasman 3 years ago
Lmao are you the non-weeb version of me? Subbed to PoE stuff, chess stuff, and code stuff.
@kentmiggalen9756 3 years ago
@@lummarh9385 maybe it's just me, I watched many Indian tutorial vids lately
@kentmiggalen9756 3 years ago
@@Asdayasman yes.. FINALLY!! YOU FOUND ME!!!!
@zungaloca 3 years ago
BSD-like licenses suck
@takedownccp A month ago
like a mutex lock