Kernel Exploitation Part One

This post reflects my notes and additional thoughts about the first lecture of the kernel exploitation module of pwn.college[0]. Until a moment ago, I wanted to publish the notes all together. However, this post already contained more information than I want to handle in a day. Because I have been working on this post for three days now, I've decided to split it.

We’re going to define what a kernel is. To make it dead simple: a kernel is a piece of software that governs hardware. You can compare it to a government. Working with the kernel means moving into a different layer of abstraction.

Here I'd like to add a thought about this metaphor. It is useful but does not include voting. In this metaphor, you would be the voters, and your vote would be for an operating system. However, often, once an OS is installed, it is going to resist change.

What are external resources

I was wondering why he shows these assembler instructions here. I guess that these instructions are widely used and should therefore be understood early. The hlt instruction halts the CPU until the next interrupt arrives and can only be executed by the kernel; in user mode the CPU refuses it with a general protection fault.

The core idea is that only operations that relate directly to the hardware belong here. Another example is the in and out instructions, which read data from or write data to an I/O port. When we have LEDs, addressing them is often done with such an instruction. (On x86 these two are gated by the I/O privilege level and the I/O permission bitmap rather than by ring 0 alone; Linux can hand them to a process via ioperm or iopl, which is why a driver in user space is possible at all.) I mainly, however, have worked with embedded systems without any form of kernel.

cr3 is a control register[1] that holds the physical address of the top-level page table. The word control implies here that the register not only stores data but changes the behavior of the CPU: it is the starting point the CPU uses to translate virtual addresses into physical ones. If access to it were unrestricted, we could tinker with the memory layout of any process simply by pointing cr3 at a page table of our own. Hence all of these instructions require higher privileges. Learning about these five keywords gave me the idea to test these instructions with a simple program. Something I might do later.

MSR_LSTAR is another register, a model-specific register on x86-64, and it is responsible for syscalls, if I get this correctly: it holds the address of the kernel's syscall entry point, the place the CPU jumps to when a program executes the syscall instruction. It is read and written with the rdmsr and wrmsr instructions, which are themselves privileged.

A comment on the word dichotomy: I knew it before, but it requires a bit of clarification. The word has a slightly different meaning depending on the language and context. In this specific case, the lecturer refers to a structure of two parts that oppose each other without any logical intersection. Programming languages also have dichotomies. C++ is an example in which the memory model consists of stack and heap. There is also the false dichotomy fallacy, and so on.

At about 5:20, he asks: how do the kernel and the CPU know who is allowed to execute a privileged instruction? My answer is that each process has a mark or ID that represents its access level. The CPU only executes a given instruction with kernel privileges when the access level is correct. For Linux this should be the ID zero, I guess. But let's see.

His answer overlaps quite well with mine.
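As an added example, written for this post and not taken from the lecture or from pwn.college, here is the kind of simple program mentioned above. It runs from ring 3 and probes the five privileged pieces from the lecture (hlt, in/out via inb, reading cr3, and MSR_LSTAR via rdmsr), catching the SIGSEGV that Linux delivers when the CPU raises a general protection fault, so the program survives each refusal and moves on to the next probe. It also answers the question at 5:20 from the CPU's side: the current privilege level (CPL) is carried in the low two bits of the CS selector, which any program may read. The port number 0x80 and the use of a benign no-op as control are my own choices; the MSR number for MSR_LSTAR is the architectural value.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the post or pwn.college): probe privileged x86
 * instructions from ring 3. A refused instruction raises #GP, which Linux
 * turns into SIGSEGV; the handler escapes with siglongjmp so we never
 * re-execute the faulting instruction. */

#define MSR_LSTAR 0xC0000082U   /* architectural MSR: syscall entry point */

static sigjmp_buf fault_env;
static volatile sig_atomic_t faulted;

static void on_sigsegv(int sig)
{
    (void)sig;
    faulted = 1;
    siglongjmp(fault_env, 1);   /* do not return into the faulting instruction */
}

typedef void (*probe_fn)(void);

/* Run fn; return 1 if the CPU refused it (#GP seen as SIGSEGV), 0 if it ran. */
static int probe(probe_fn fn)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigsegv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;   /* redundant with siglongjmp's mask restore, kept explicit */
    sigaction(SIGSEGV, &sa, &old);

    faulted = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        fn();                   /* returns normally only if allowed in ring 3 */

    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* Control: an ordinary instruction sequence that any ring may execute. */
static void do_unprivileged(void) { volatile int x = 1; (void)x; }

#if defined(__x86_64__) || defined(__i386__)
static int probes_available(void) { return 1; }

/* CPL is the low two bits of CS; reading CS needs no privilege. Expect 3 here. */
static int current_cpl(void)
{
    unsigned short cs;
    __asm__ volatile("mov %%cs, %0" : "=r"(cs));
    return cs & 3;
}

static void do_hlt(void) { __asm__ volatile("hlt"); }
static void do_read_cr3(void)
{
    unsigned long v;
    __asm__ volatile("mov %%cr3, %0" : "=r"(v));
    (void)v;
}
static void do_rdmsr_lstar(void)
{
    unsigned int lo, hi;
    __asm__ volatile("rdmsr" : "=a"(lo), "=d"(hi) : "c"(MSR_LSTAR));
    (void)lo; (void)hi;
}
static void do_inb(void)
{
    unsigned char v;   /* port 0x80 is an arbitrary choice for this probe */
    __asm__ volatile("inb %1, %0" : "=a"(v) : "Nd"((unsigned short)0x80));
    (void)v;
}

/* Returns how many of the four privileged probes the CPU refused (4 in ring 3). */
static int run_privileged_probes(void)
{
    struct { const char *name; probe_fn fn; } probes[] = {
        { "hlt",             do_hlt },
        { "mov %cr3, reg",   do_read_cr3 },
        { "rdmsr MSR_LSTAR", do_rdmsr_lstar },
        { "inb port 0x80",   do_inb },
    };
    int refused = 0;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int r = probe(probes[i].fn);
        printf("%-16s -> %s\n", probes[i].name,
               r ? "#GP (SIGSEGV): needs ring 0" : "executed");
        refused += r;
    }
    return refused;
}
#else
static int probes_available(void) { return 0; }
static int current_cpl(void) { return -1; }
static int run_privileged_probes(void) { return -1; }
#endif

int main(void)
{
    printf("control sequence -> %s\n", probe(do_unprivileged) ? "faulted" : "executed");
    if (!probes_available()) {
        puts("not an x86 build; privileged probes skipped");
        return 0;
    }
    printf("CPL from %%cs = %d\n", current_cpl());
    printf("%d of 4 privileged instructions refused\n", run_privileged_probes());
    return 0;
}
```

Build with `gcc -O1 -Wall probe.c -o probe` on an x86 Linux box and run it as an ordinary user. The control sequence executes, CPL reads as 3, and all four privileged probes come back as SIGSEGV. The one that can change is inb: after `iopl(3)` or `ioperm(0x80, 1, 1)` as root, the same instruction executes, which is the I/O permission bitmap mechanism at work rather than ring 0.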

so far,
akendo

[0] https://pwn.college/modules/kernel
[1] https://en.wikipedia.org/wiki/Control_register#CR3