I am proud to share that I was elected the Vice Chair of the RISC-V J-extension (so-called J-ext) Task Group 🙂 My last 3-4 years of work on the RISC-V architecture were quite fruitful:
- I am an author of RISC-V Pointer Masking extension:
https://github.com/riscv/riscv-j-extension/blob/master/zjpm-spec.pdf - I am one of the Contributors to RISC-V Control Flow Integrity (CFI):
https://github.com/riscv/riscv-cfi/blob/main/riscv-cfi.pdf - I help driving I/D consistency extension
- HWASAN and Memory Tagging (MTE) on RISC-V
- I found a critical bug in the RISC-V architecture (not in the implementation of a specific processor) that got CVE-2021-1104. Among other things, I talked about this vulnerability in 2021 at the DefCon 29 conference
Thanks,
Adam
16
Jun
Blind TCP/IP hijacking is still alive! After 13 years, Windows 7/XP/2K/9x (and not only) full blind TCP/IP hijacking bug finally got an allocated CVE-2023-34367 (thanks to MITRE). Interestingly, The Pwnie Awards nomination for this research and the published write-up + PoC didn’t help to get it sooner 😉
Read more17
May
At first, I didn’t plan to write an article about the problems with bug bounty programs. This was supposed to be a standard technical blogpost describing an interesting bug in the Linux Kernel i915 driver allowing for a linear Out-Of-Bound read and write access (CVE-2023-28410). Moreover, I’m not even into bug bounty programs, mostly because I don’t need to, since I consider myself lucky enough to have a satisfying, stable and well-paid job. That being said, in my spare time, apart from developing and maintaining the Linux Kernel Runtime Guard (LKRG) project, I still like doing vulnerability research and exploit development not only for my employer, and from time to time it’s good to update your resume with new CVE numbers. Before I started to have a stable income, bug bounties didn’t exist and most of the quality vulnerability research outcome was paying the bills via brokers (let’s leave aside the moral questions arising from this). However, nowadays we have bug bounty programs…
Read moreThis year I’m going to present some amazing research on:
- BlackHat 2021 – “Safeguarding UEFI Ecosystem: Firmware Supply Chain is Hard(coded)” – together with Alex Tereshkin and Alex Matrosov
Abstract: click here - DefCon 29 – “Glitching RISC-V chips: MTVEC corruption for hardening ISA” – together with Alex Matrosov
Abstract: click here
Both of them are really unusual and interesting topics 😉
If anyone is going to be in Las Vegas during BlackHat and/or DefCon this year and would like to grab a beer, just let me know!
Thanks,
Adam
During LKRG development and testing I’ve found 7 Linux kernel bugs, 4 of them have CVE numbers (however, 1 CVE number covers 2 bugs):
Read more24
Jan
Blind TCP/IP hijacking is still alive on Windows 7… and not only. This version of Windows is certainly one of the “juiciest” targets even though January 14th 2020 was the official EOL (End Of Life) for it. Based on various data Windows 7 holds around 25% share of the Operating Systems (OS) market and is still the world’s second most popular desktop operating system.
Read moreThe short story of broken KRETPROBES and OPTIMIZER in Linux Kernel.
During the LKRG development process I’ve found that:
- KRETPROBES are broken since kernel 5.8 (fixed in upcoming kernel)
- OPTIMIZER was not doing sufficient job since kernel 5.5
11
Sep
The short story of 1 Linux Kernel Use-After-Free bug and 2 CVEs (CVE-2020-14356 and CVE-2020-25220)
Name: Linux kernel Cgroup BPF Use-After-Free
Author: Adam Zabrocki (pi3@pi3.com.pl)
Date: May 27, 2020
15
May
CVE-2020-12826 is assigned to track the problem with Linux kernel which I’ve described in my previous post:
CVE MITRE described the problem pretty accurately:
A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2. Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in a different security domain. Exploitation limitations include the amount of elapsed time before an integer overflow occurs, and the lack of scenarios where signals to a parent process present a substantial operational threat. |
RedHat tracks this issue here:
https://bugzilla.redhat.com/show_bug.cgi?id=1822077
Debian here:
https://security-tracker.debian.org/tracker/CVE-2020-12826
Fix can be found here:
https://github.com/torvalds/linux/commit/7395ea4e65c2a00d23185a3f63ad315756ba9cef
What is interesting, the story of insufficient restriction of the exit signals might not be ended 😉
In short, the following patch reintroduces the same problem:
Best regards,
Adam
I’ve recently spent some time looking at ‘exec_id’ counter. Historically, Linux kernel had 2 independent security problems related to that code: CVE-2009-1337 and CVE-2012-0056.
Until 2012, ‘self_exec_id’ field (among others) was used to enforce permissions checking restrictions for /proc/pid/{mem/maps/…} interface. However, it was done poorly and a serious security problem was reported, known as “Mempodipper” (CVE-2012-0056). Since that patch, ‘self_exec_id’ is not tracked anymore, but kernel is looking at process’ VM during the time of the open().
In 2009 Oleg Nesterov discovered that Linux kernel has an incorrect logic to reset ->exit_signal. As a result, the malicious user can bypass it if it execs the setuid application before exiting (->exit_signal won’t be reset to SIGCHLD). CVE-2009-1337 was assigned to track this issue.
The logic responsible for handling ->exit_signal has been changed a few times and the current logic is locked down since Linux kernel 3.3.5. However, it is not fully robust and it’s still possible for the malicious user to bypass it. Basically, it’s possible to send arbitrary signals to a privileged (suidroot) parent process.
I’ve summarized my analysis and posted on LKML:
https://lists.openwall.net/linux-kernel/2020/03/24/1803
and kernel-hardening mailing list:
https://www.openwall.com/lists/kernel-hardening/2020/03/25/1
Btw. Kernels 2.0.39 and 2.0.40 look secure 😉
Thanks,
Adam