Infosec In the City (IIC)
Linux-Kernel Research For Kernel-Newcomers: Where To Start From? — by Ron Munitz
#IICSG2019 Conference Workshop Track
Day 1 (19 Jun 2019)
@ Breakout Room 3
[#IICSG2019 Conference Full Schedule]
In this workshop, we will give you the tools, and invaluable tips to start your Linux kernel research.
The Linux kernel is as you can probably imagine huge, and open-source. This has the advantage that you don't need to reverse engineer the entire universe to get to know what is going on (with the exception of binary blobs, customizations, additions, etc, but this is not a GPL legal class, although we will address it).
Unfortunately, it also has the disadvantage that when you have so much information at the tip of your hand and don't know how to handle it, even the simplest development (not to mention research) task may be unbearably overwhelming, and indeed, getting into kernel development, and security research is challenging and sometimes frightening.
The objective of this hands-on workshop, which will naturally be on a very fast pace compared to our full-day respective training is to give you the toolkit to achieve the following tasks:
Understand to some extent what is where in the Linux kernel source code
Understand how to configure and build the kernel
Assemble and run a minimal working, and debuggable Linux distro on a VM (KVM/QEMU) — and understand the boot process, and concepts of ramdisk, rootfs and the init process
Understand how to "inject new kernel code" by building and loading a loadable kernel module (LKM)
Understand kernel debugging mechanisms, basic forensics (kindly exposed to userspace by virtual filesystems) and how to get arbitrary read/write primitives (and what are the page access restrictions and tips on subverting them)
Understand the motivation for some of the security mechanisms in some versions of the kernel (which is great if you need to research kernels that don't have them)
Understand what are some of the latest and greatest security measures and where they are implemented (Kernel >= 5.1-rc3 at the time of writing the abstract writing - we will discuss whatever the mainline kernel is at the time of the workshop (probably 5.1 or 5.2) )
Understand as much as possible how to achieve common "OS Internals" tasks.
[Understand how to get some more information, and how to trace]
[Understand how to quickly build and research packages using Yocto Project]
While this is quite ambitious for a couple of hours, we guarantee that by following along, you will have a very good idea of what you want to spend your initial research efforts on.
You will enjoy it also if you just watch and listen — you do not have to participate
HOWEVER, we are happy to have people participating and doing what we do with us, so we will be happy to provide you with setup instructions and a VM (but we will not provide any technical support for it), and for this, you would be required to send an email to ron [at] thepscg [dot] com, specifying "#IICSG2019 kernel_research_quickstart" in the subject line, and also telling us what you would be happy to hear about in the class — we like to know our attendees!). You would have to use a Google account, so if you come from China, solve it somehow.
The items in "" are optional, and we will most probably just demo them, given the huge size of the Yocto Project's state-cache downloads and build directories, and the time. It is a nice bonus though, and you will get everything you need to get started and save weeks with everything discussed prior to that.
Pace will be fast, and the terminal is king. Be warned ( ;-) ).