Exploiting Race Conditions Using the Scheduler

Offered By: Linux Foundation via YouTube

Tags

Conference Talks Courses, Cybersecurity Courses, Race Conditions Courses, Kernel Exploitation Courses

Course Description

Overview

Explore how race conditions can be exploited by controlling the scheduler in this 34-minute conference talk by Jann Horn of Google. The talk walks through two bugs with narrow race windows, one in the Linux kernel and one in Android userspace code, and shows how each can be exploited on a Google Pixel 2 phone running Linux 4.4. It covers the building blocks involved: unprivileged sched_*() syscalls, the Translation Lookaside Buffer (TLB), mremap() for moving memory mappings, and fallocate() for (de)allocating file space. It then lays out the exploit plan, including the buddy allocator, preemption, and scheduler control, and examines the Android kernel exploit built on app-zygote interaction, userfaultfd, FUSE, and kcmp() for a reliable use-after-free. Priority inversion, major faults, and repeated file mapping faults are analyzed as ways to widen the race window. The talk closes with exploitation of the struct file refcount via FUSE and a race condition in hwservicemanager_mutex on kernel 4.4.

Syllabus

Intro
Translation Lookaside Buffer (TLB)
mremap() moving a memory mapping
fallocate() (de)allocate space for a file
Exploit plan: Basics
Buddy allocator
Preemption
Scheduler control
Android kernel exploit (app - zygote)
userfaultfd and FUSE
kcmp() for reliable UAF
FUSE for exploiting struct file refcount
int getpidcon(pid_t pid, char **context)
Bug 3: race condition in hwservicemanager_mutex on kernel 4.4
Priority Inversion
Major faults
Repeated file mapping faults

Taught by

Linux Foundation

Related Courses

XNU Heap Exploitation - From Kernel Bug to Kernel Control
nullcon via YouTube
Kernel Exploitation with a File System Fuzzer
Hack In The Box Security Conference via YouTube
iOS 10 Kernel Heap Revisited
Hack In The Box Security Conference via YouTube
Swiping Through Modern Security Features
Hack In The Box Security Conference via YouTube
Turning - Page Tables - Bypassing Advanced Kernel Mitigations Using Page Tables Manipulations
BSidesLV via YouTube