Citations from academia and industry

Academia

Papers, theses and dissertations

• Snow, K. (2014). Identifying Code Injection and Reuse Payloads In Memory Error Exploits. Chapel Hill, NC: University of North Carolina at Chapel Hill Graduate School. https://doi.org/10.17615/jdde-8451
  • Approved by Provos, N. et al. Funded with National Science Foundation grant.
  • Full text: https://cdr.lib.unc.edu/concern/dissertations/5x21tg126
  • Subreption’s offensive security research on the Android platform is mentioned.

In light of the code reuse payload paradigm, whether return-oriented (Shacham, 2007), jump- oriented (Bletsch et al., 2011), or some other form of “borrowed code” (Krahmer, 2005), skilled adversaries have been actively searching for ever more ingenious ways to leverage memory disclosures as part of their arsenal (Sotirov and Dowd, 2008b; Serna, 2012a; VUPEN Security, 2012; Larry and Bastian, 2012).

• Dmitrienko, Alexandra (2015): SECURITY AND PRIVACY ASPECTS OF MOBILE PLATFORMS AND APPLICATIONS. Darmstadt, Technische Universität. Fraunhofer-Institut für Sichere Informationstechnologie (SIT).

  • https://tuprints.ulb.tu-darmstadt.de/4611/

• Desnoyers, M. (2011). “Knowledge Base Model for the Linux Kernel State of the Art and Feasibility Study”, DORSAL, l’École Polytechnique de Montréal.

  • https://www.dorsal.polymtl.ca/files/publications/2011/KnowledgeBaseModelLinuxKernel.pdf

• Ball, Justin R., “Detection and Prevention of Android Malware Attempting to Root the Device” (2014). Theses and Dissertations. 734. Air Force Institute of Technology.

  • URL: https://scholar.afit.edu/etd/734
  • DTIC: ADA600990 (https://apps.dtic.mil/sti/citations/ADA600990)

• Butti, L., & Tinnés, J. (2007). Discovering and exploiting 802.11 wireless driver vulnerabilities. Journal in Computer Virology, 4, 25-37.

  • https://link.springer.com/article/10.1007/s11416-007-0065-x
  • Subreption’s team early work on OS kernel vulnerabilities and wireless driver exploitation is mentioned.

• J. Rhee, R. Riley, Z. Lin, X. Jiang and D. Xu, “Data-Centric OS Kernel Malware Characterization,” in IEEE Transactions on Information Forensics and Security, vol. 9, no. 1, pp. 72-87, Jan. 2014, doi: 10.1109/TIFS.2013.2291964.

  • https://ieeexplore.ieee.org/abstract/document/6671356
  • https://www.cs.purdue.edu/homes/dxu/pubs/TIFS14.pdf
  • Subreption’s early OS kernel vulnerability research mentioned.

• Donghai Tian, Xiaoqi Jia, Junhua Chen, Changzhen Hu and Jingfeng Xue, “A practical online approach to protecting kernel heap buffers in kernel modules,” in China Communications, vol. 13, no. 11, pp. 143-152, Nov. 2016, doi: 10.1109/CC.2016.7781725.

  • https://ieeexplore.ieee.org/abstract/document/7781725
  • Subreption’s KERNHEAP (Linux kernel heap mitigations/hardening) is mentioned.

• Zheng Hao, Wang Endong, Wang Yinfeng, Zhang Xingjun, Chen Baoke, Wu Weiguo, and Dong Xiaoshe. 2013. Transparent driver-kernel isolation with VMM intervention. In Proceedings of the First ACM SIGOPS Conference on Timely Results in Operating Systems (TRIOS ‘13). Association for Computing Machinery, New York, NY, USA, Article 2, 1–16.

  • https://doi.org/10.1145/2524211.2524219
  • https://dl.acm.org/doi/abs/10.1145/2524211.2524219

Conferences

• “Treasure and Tragedy in kmem_cache Mining for Live Forensics Investigation”. Golden Richard, Andrew Case, Lodovico Marziale and Cris Neckar.
  • The Digital Forensic Research Conference, DFRWS 2010 USA Portland, OR (Aug 2nd - 4th).
  • https://dfrws.org/presentation/treasure-and-tragedy-in-kmem_cache-mining-for-live-forensics-investigation/
  • Slides: https://dfrws.org/sites/default/files/session-files/2010_USA_pres-treasure_and_tragedy_in_kmem_cache_mining_for_live_forensics_investigation.pdf
  • Paper: https://dfrws.org/sites/default/files/session-files/2010_USA_paper-treasure_and_tragedy_in_kmem_cache_mining_for_live_forensics_investigation.pdf
  • https://www.sciencedirect.com/science/article/pii/S1742287610000332

In a recent Phrack article (H L, 2009), the author describes in great detail the allocation and deal- location algorithms of all of the kernels allocators in a leadup to the description of his created kernel heap protection project, KERNHEAP, that is now part of the GrSecurity project. While describing these allocators, the kmem_cache facility is described as well as a short writeup on the sensitivity of data within the cache. Since this paper is attempting to deter reliable kernel exploitation under Linux, the author fears that the predictable, un-sanitized data within the caches could be used as static data to build a reliable exploit. He also mentions the existence of private information in other dynamic areas such as wireless keys, tty buffers, cryptographic information, and IPC.

• “Fast Byte-Granularity Software Fault Isolation”. Miguel Castro, Jean-Philippe Martin, Marcus Peinado, Periklis Akritidis, Austin Donnelly, Manuel Costa, Paul Barham, Richard Black. October 2009. Microsoft Research Cambridge, UK.

  • ACM Symposium on Operating Systems Principles (SOSP).
  • Paper: https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/BGI-SOSP.pdf
  • KERNHEAP mentioned (as published in Phrack Magazine)

• K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen and A. Sadeghi, “Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization”, 2013 IEEE Symposium on Security and Privacy, 2013, pp. 574-588, doi: 10.1109/SP.2013.45.

  • https://ieeexplore.ieee.org/abstract/document/6547134
  • Subreption’s offensive security research on the Android platform is mentioned (defeating mitigations).

• Butti, L., & Tinnés, J. “Recherche de vulnerabilites dans les drivers 802.11 par techniques de fuzzing”. France Telecom R&D. Laboratoire Securit ́e des Services et Reseaux.

  • Symposium sur la Sécurité des Technologies de l’Information et des Communications 2007, École Supérieure et d’Application des Transmissions, 2007, 85-106.
  • http://195-154-171-95.rev.poneytelecom.eu/SSTIC07/WiFi_Fuzzing/SSTIC07-article-Butti_Tinnes-WiFi_Fuzzing.pdf
  • https://actes.sstic.org/SSTIC07/
  • Slides: https://actes.sstic.org/SSTIC07/WiFi_Fuzzing/SSTIC07-Butti_Tinnes-WiFi_Fuzzing.pdf

• K. Palani, E. Holt and S. Smith, “Invisible and forgotten: Zero-day blooms in the IoT” in 2016 IEEE International Conference on Pervasive Computing and Communication Workshops (PerCom Workshops), Sydney, Australia, 2016 pp. 1-6. doi: 10.1109/PERCOMW.2016.7457163

  • https://www.computer.org/csdl/proceedings-article/percomw/2016/07457163/12OmNzRHONY
  • https://www.cs.dartmouth.edu/~sws/pubs/phs16.pdf
  • Subreption’s team early OS kernel vulnerability research mentioned: “A group of dedicated security researchers launched the “Month of Kernel Bugs” in November the same year”.

• Morris, J. Linux Kernel Security Overview. Kernel Conference Australia, Brisbane, 2009.

  • https://web.archive.org/web/20100715003313/http://namei.org/presentations/linux-kernel-security-kca09.pdf
  • Local archived copy:
  • KERNHEAP mentioned in slide/page 36: “Linux Kernel Heap Tampering Detection”

Industry

Subreption and its team have been featured in the works and publications of well-respected industry peers. This is a selection of industry-related publications mentioning our work.

• Rosenberg, D. (2012). “A Heap of Trouble: Breaking the Linux Kernel SLOB Allocator”, Virtual Security Research, NCC Group.
  • https://research.nccgroup.com/wp-content/uploads/2020/09/VSR-slob-exploitation.pdf

Finally, this paper’s focus on attacks should provide insight for those interested in defending the kernel against heap exploitation. Projects such as Subreption’s KERNHEAP [9] provide a strong framework for implementing heap hardening, and future work should continue to refine these defensive techniques.

• Linux Kernel Exploitation, Earning Its Pwnie a Vuln at a Time, Jon Oberheide, SOURCE-10 conference. (http://jon.oberheide.org/files/source10-linuxkernel-jonoberheide.pdf)

  • KERNHEAP (along PaX and grsecurity) mentioned as protection against kernel heap-related vulnerabilities exploitation.

• H., L. “Linux Kernel Heap Tampering Detection”, Phrack Magazine, issue 66, article 15, 2009.

  • The original reference on Subreption’s early KERNHEAP/DYMASEC development.
  • http://phrack.org/issues.html?issue=66&id=15#article"

Report missing citations

If you have recently cited our work in an academic or industry context, or are aware of such a citation that is missing in this page, contact us for inclusion at .

Copyright of references

The works (“citations”) referenced herein belong exlusively to their rightful owners and copyright holders. Any trademarks belong to their respective owners and are referenced per nominative fair use rights.