Date: Thu, 13 Oct 2016 19:14:55 +0800
From: Gengjia Chen <chengjia4574@...il.com>
To: keescook@...omium.org
Cc: kernel-hardening@...ts.openwall.com
Subject: Re: self introduction

> In your research have you seen a common kind of bug that results in
> the vulnerabilities you find?

No.
Most of those issues are caused by a lack of checking of user input
length in copy_xx_user functions or afterwards in memcpy functions;
however, looking into the details,
they vary among different functions in different files.

> Is there anything that would have
> significantly made exploitation more difficult in the things you
> worked on?

Yes!

I mostly exploit buffer overflow vulns by overwriting function pointers
(such as pointers in file_operations) of a global object or a heap object
to redirect execution (and if PXN is enabled, we simply use ROP gadgets).
Therefore mitigation solutions for Function_pointer_overwrite
<https://kernsec.org/wiki/index.php/Exploit_Methods/Function_pointer_overwrite>
would make this kind of exploitation much more difficult.
But I don't know if you have made all the pointers "const".

Besides, ret2dir is a common way to exploit UAF vulns,
so I think solutions like XPFO are a way to make
that kind of exploitation more difficult.

Right now KASLR is still disabled on most Android devices,
so it is easy to get kernel symbol addresses;
however, if KASLR is enabled, it may make exploitation more difficult.

> Are you interested mostly in ARM-specific things?

I am familiar with ARM-specific things mostly, but I can also accept
x86/x64 tasks.

> Are you interested in kernel-assisted userspace defenses too?

What does that mean? Something like seccomp?

2016-10-13 6:31 GMT+08:00 Kees Cook <keescook@...omium.org>:

> On Tue, Oct 11, 2016 at 8:19 PM, Gengjia Chen <chengjia4574@...il.com> wrote:
> > Hi all,
>
> Hi, welcome!
>
> > My name is Jiayy (@chengjia4574). I am currently a security researcher in
> > android and linux kernel. My research consists of hunting vulnerabilities
> > in kernel code (most of them within drivers) and doing exploits using those
> > vulns.
> > I have found more than 40 vulnerabilities which were confirmed by Android
> > Security Team in the past year. I also figured out some ways to attack
> > mitigation solutions of kernel (such as Bypass PXN).
>
> In your research have you seen a common kind of bug that results in
> the vulnerabilities you find? Is there anything that would have
> significantly made exploitation more difficult in the things you
> worked on?
>
> > Those works help me get familiar with the kernel (device tree, memory
> > management, network, some features especially those associated with
> > security such as pxn, selinux, seccomp) and ARM instruction. However, it
> > is not enough to get involved in real security development in kernel.
> > Therefore, I am looking for a task I can accomplish to be involved in real
> > kernel development! Recently I found this project (kernel self protection)
> > and I thought it is so interesting.
> >
> > I don't know whether I can get involved and where I can begin. I am looking
> > forward to your response.
>
> Are you interested mostly in ARM-specific things? Are you interested
> in kernel-assisted userspace defenses too?
>
> -Kees
>
> --
> Kees Cook
> Nexus Security
>
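
The missing length check named in the reply, modelled in userspace as an added example (not code from this message or from the kernel). `dev_write_checked`, `device_state`, `dev_ops` and `copy_from_user_model` are hypothetical names, the last standing in for `copy_from_user()`; the buffer size and input are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 64   /* constructed size for this example */

struct dev_ops { int (*handle)(const char *buf, size_t len); };

struct device_state {
    char cmd[CMD_BUF_SIZE];     /* fixed-size destination buffer */
    const struct dev_ops *ops;  /* adjacent to cmd[]; this field is writable */
    size_t cmd_len;
};

static int default_handle(const char *buf, size_t len) { (void)buf; return (int)len; }

/* const puts the table in read-only data; the ops pointer above is still
 * ordinary writable memory, so the bounds check below remains necessary. */
static const struct dev_ops default_ops = { .handle = default_handle };

/* Hypothetical stand-in for copy_from_user(): returns bytes NOT copied. */
static unsigned long copy_from_user_model(void *dst, const void *src, unsigned long n)
{
    memcpy(dst, src, n);
    return 0;
}

void dev_init(struct device_state *d) { memset(d, 0, sizeof(*d)); d->ops = &default_ops; }

/* Validate the caller-supplied length against the destination before copying. */
int dev_write_checked(struct device_state *d, const void *ubuf, size_t user_len)
{
    if (user_len == 0 || user_len > sizeof(d->cmd))
        return -EINVAL;
    if (copy_from_user_model(d->cmd, ubuf, user_len))
        return -EFAULT;
    d->cmd_len = user_len;
    return d->ops->handle(d->cmd, d->cmd_len);
}

int main(void)
{
    struct device_state d;
    char input[128];                       /* constructed oversized input */
    dev_init(&d);
    memset(input, 'A', sizeof(input));
    printf("len 128 -> %d\n", dev_write_checked(&d, input, sizeof(input)));
    printf("len 64  -> %d\n", dev_write_checked(&d, input, CMD_BUF_SIZE));
    return 0;
}
```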
