OS hacking: Unmapping kernel functions after initialization

Comments

Seriously one of the best channels on YouTube. Thanks for the fantastic content!

eXNoah

Applying this technique to user space would truly be next level stuff!

Extys

I've never seen someone so happy about throwing stuff out :D
"cpu_setup()? Who needs it?!" "CPU detection? - mhhhhmmmm!"

Truly a great video about a cool concept.

winfrk

@Andreas Kling, you probably already know this and don't use it on purpose, but just in case:
CLion comes with a handy commit dialogue. You can just hit `Ctrl + K` to open it, and it will show you all the changed and unversioned files. You can also see the difference from before, commit individual changes, or tell CLion to reformat your code or check TODOs before committing. `Ctrl + Shift + K` will then push the changes. (If I remember correctly, they changed the default dialogue to a non-modal window. I prefer the modal one, since it has more features: `Settings > Version Control > Commit > [ ] Use non-modal commit interface`.)

Btw. you make amazing videos! I learn a lot from them, and it's really inspiring to watch you code.

dzenanjupic

I'm writing my own kernel / OS too, and I appreciate your work. I have to find more ideas about this security area too ... but my kernel's main design principle is to generalize execution on any architecture / be portable / and have a component / database-based approach in the whole system for the future ...

RegiJatekokMagazin

Guy's living the dream. I've settled only for a POSIX-compliant compiler.

wawamake

This video is super interesting, thanks for sharing Andreas!

BGroothedde

Hello Andreas, this is nice and fun. I can imagine it's fun for you (your team) to hear people saying that these security features play against them. I think it would also be a great idea to make a version of the OS without these low-level security features. This will give you a little more work because you will need to patch/maintain two "stable" branches, but it will potentially make your OS more secure because you get more information about the security problems if someone manages to turn off these low-level features. It gives you, let's say, an additional security layer. Like Apple (sorry for mentioning them :) ) does with tier A devices: they send them to registered security specialists with debug features enabled, which makes these devices more vulnerable to security threats.

DJohn

Would it not be a good idea to integrate NEVER_INLINE into the UNMAP_AFTER_INIT macro? It feels like that would eliminate the chance that an inlineable function is marked UAI.

thislooksfun

This is such a brilliant idea. It makes you wonder if Linux or the BSDs do this as well. And if not, why?

mariocampos

boot.s sounded like 'boot that a##' :D, nice video 👍👍

MostafaGoher

This makes me wonder if there's some tool or CLion extension which would be able to tell you if a function was only called from functions marked with this new macro. It would make finding usages of code that shouldn't be called much easier.

johnnic

Excellent videos! I really like your clear style! One question regarding the freed pages though: the unmapped KiB do not really correlate to freed memory (compared to the kernel version before this video), do they, since you forced the UNMAP_AFTER_INIT functions into separate pages in the first place? Anyway, I feel that user space programs could benefit from this technique, too, if only to reduce attack surface...

christiankuhl

I also wondered if that could be used in userland, seeing that in C++ there is the once_flag. Although, do you want to kernel panic or just nop?

jonnoMoto

I'm curious how such security measures that prevent executing userspace memory will affect software which relies on a JIT of some kind? It seems with my limited knowledge that it rules them out entirely, is that the case?

ForLoveOfCats

I'm not sure whether you make the unmapped area available for regular allocation. If yes, I think you have a problem printing the error message about accessing the unmap-after-init section of memory, because that section no longer exists and is reused for normal allocation. Please correct me if I'm wrong or if I misunderstood something.

MarekKnapek

What keyboard do you use? Love your videos.

nonefvnfvnjnjnjevjenjvonej