What is the Kernel

Definition

  • The kernel is responsible for handling processes' interaction with each other and with external resources

Kernel-Only Resources

  • hlt instruction: halts the CPU
  • in and out instructions for interacting with hardware peripherals
  • Special Registers
    • cr3 (control register 3) controls the page table used to translate virtual addresses to physical addresses. Accessed with the mov instruction.
    • MSR_LSTAR (Model-Specific Register, Long Syscall Target Address Register): defines where the syscall instruction jumps to. Accessed with the wrmsr and rdmsr instructions.

Kernel Privilege Level

The CPU tracks privilege level through the concept of rings. The following is for x86_64.

  • Ring 3: Userspace, where programs usually operate
    • Cannot interact with hardware directly; must go through ring 1, which talks to ring 0.
  • Ring 2: Generally not used; meant for drivers
  • Ring 1: Generally not used; meant for drivers
  • Ring 0: Kernel Space (unrestricted supervisor mode)

Kernel Rings

Operating System Models for Kernels

  • Monolithic Kernel: a single unified binary that handles all OS tasks
    • Linux, FreeBSD
  • Microkernel: a tiny "core" binary that provides IPC and barebones interactions with hardware
    • Drivers are normal-ish userspace programs with slightly special privileges
    • Minix, seL4
  • Hybrid kernel: microkernel features combined with monolithic components
    • Windows, macOS

This is relevant because every kernel exploit turns the attacker into the kernel: whatever the kernel can do, the attacker can now do.

Switching Between Rings - For x86_64 machines

  • Boot in Ring 0. The kernel sets MSR_LSTAR to point to the syscall handler routine
  • When a userspace process wants to interact with the kernel, it executes syscall
    • Privilege level switches to ring 0
    • Control flow jumps to the address in MSR_LSTAR
    • Return address is saved to rcx
      • The stack is untrusted in this case, so it is not used for the return address
  • When the kernel is ready to return to userspace, it executes the matching return instruction (sysret for syscall)
    • Privilege level switches to ring 3
    • Control flow jumps to the address in rcx

Kernel-Userspace Relationship

Userspace processes have their virtual memory at low addresses, while kernel memory is mapped at high addresses.

System calls do NOT switch the virtual memory mapping, but kernel memory is only accessible from Ring 0.
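The three boundaries described above (kernel-only instructions and registers, the syscall/sysret hand-off through rcx, and kernel memory being unreadable from ring 3) can all be observed from an ordinary process. The program below is an added example, not code from the notes; it assumes a Linux x86_64 host with GCC or Clang inline asm, and the kernel-half address it pokes is a constructed sample.

```c
// Added example: probing the ring-3/ring-0 boundary from a normal Linux
// x86_64 process. Assumes GCC/Clang inline asm; the kernel-half address
// below is a constructed sample value, not one taken from the notes.
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <unistd.h>

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Run probe() with a SIGSEGV handler installed. A #GP or #PF raised in
 * ring 3 is delivered by Linux as SIGSEGV, so returning 1 means "refused". */
static int is_refused(void (*probe)(void)) {
    struct sigaction sa = {0}, old;
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old);
    volatile int refused = 1;               /* volatile: survives siglongjmp */
    if (sigsetjmp(fault_env, 1) == 0) { probe(); refused = 0; }
    sigaction(SIGSEGV, &old, NULL);
    return refused;
}

/* The kernel-only resources from the notes: hlt, cr3, and kernel memory. */
static void probe_hlt(void)  { __asm__ volatile("hlt"); }
static void probe_cr3(void)  { uint64_t v; __asm__ volatile("mov %%cr3, %0" : "=r"(v)); (void)v; }
static void probe_kmem(void) { volatile uint64_t *p = (uint64_t *)0xffffffff81000000ULL; uint64_t v = *p; (void)v; }

int hlt_refused(void)       { return is_refused(probe_hlt); }
int cr3_read_refused(void)  { return is_refused(probe_cr3); }
int kmem_read_refused(void) { return is_refused(probe_kmem); }

/* Raw getpid via the syscall instruction. The CPU stores the return address
 * in rcx on syscall and sysret jumps back to it, so after the call rcx must
 * hold the address of the instruction right after syscall (label 1). */
int syscall_return_address_in_rcx(void) {
    uint64_t expected, rcx_after, rax = SYS_getpid;
    __asm__ volatile(
        "lea 1f(%%rip), %[exp]\n\t"       /* address of label 1 below */
        "syscall\n"
        "1:\n\t"
        "mov %%rcx, %[rcx]\n\t"           /* what the kernel left in rcx */
        : [exp] "=&r"(expected), [rcx] "=r"(rcx_after), "+a"(rax)
        : : "rcx", "r11", "memory");
    return rcx_after == expected && (pid_t)rax == getpid();
}
```

Each probe returns 1 when the CPU refused the ring-3 attempt, and the syscall check returns 1 when rcx carried the return address exactly as the notes describe.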

Kernel Vulnerabilities

Code in the kernel is just code! Most of the same vulnerability concepts apply! It is just running at a higher privilege level.

Attack Lifecycle

Kernel exploits come from a few directions:

  1. From the network: remotely triggered exploits (rare)
  2. From userspace: vulnerabilities in syscall and ioctl handlers (i.e. launched from inside a sandbox)
  3. From devices: kernel exploits launched from attached devices such as USB hardware

Can achieve a number of things:

  1. Act on userspace: privilege escalation, rootkits
  2. Get more access to attack other parts of the system (i.e. trusted execution environments)