Talks at PHDays: Linux Kernel implants, HTTP request smuggling, and malware detection

4/26/2021

Time is running out before the international information security forum Positive Hack Days 10, which will be held from 20 to 21 May. The Standoff cyber-range is almost ready, red and blue teams are sending in their requests, and we are currently designing the conference program.

This time PHDays will run three large conference tracks: defensive and offensive tracks, as well as a business track that will discuss the influence of security on business. Today we present the first talks.

Linux kernel implants

Information security expert Ilya Matveychikov will talk about methods of creating a Linux kernel implant. During a 45-minute talk, Ilya will describe how a multipurpose kernel-implanting attack can be carried out. The expert will also demonstrate real examples of implants in different versions of x86 kernels.

HTTP request smuggling

Emil Lerner will talk about HTTP request smuggling, a technique that is widely used to attack reverse proxies. In recent years, information security researchers have made a number of discoveries. In particular, they have discovered new methods for detecting vulnerabilities and developed new methods of exploiting the HTTP desync state.

During his talk, Emil will demonstrate the capabilities of the technique that appeared with the arrival of HTTP/2 on the frontend and HTTP/2-to-HTTP/1.1 conversion. Attendees will learn how to detect reverse proxies vulnerable to the attack and what methods exist for automating such detection. The expert will also talk about possible attack vectors and the possible consequences of a successful attack.

Linux kernel fuzzing

Independent security researcher Andrey Konovalov will talk about Linux kernel fuzzing. Fuzzing is a way to find bugs automatically by feeding randomly generated data to a program. Andrey will explain how to use fuzzing to detect errors in the Linux kernel and which kernel interfaces can be fuzzed. He will briefly describe ready-to-use fuzzers, such as Trinity and syzkaller, but will mainly focus on writing code for a fuzzer, generating inputs, and collecting code coverage.

Exploitation of the CVE-2021-26708 vulnerability in the Linux kernel

In January 2021, Linux kernel developer and security researcher at Positive Technologies Alexander Popov discovered and fixed five vulnerabilities in the Linux kernel virtual socket implementation. These vulnerabilities were assigned the identifier CVE-2021-26708. In his talk "4 bytes of power," Alexander will discuss in detail the exploitation of one of them for local privilege escalation on Fedora 33 Server for x86_64. The researcher will demonstrate how to gain control of the entire operating system with the help of a small memory access error, while bypassing the platform's security mechanisms.

Formal verification of operating system kernels

Oracle's Principal Developer Denis Efremov will share his experience of participating in projects on formal verification and analysis of access control modules for Astra Linux SE and Elbrus kernels, as well as verification of the Contiki code (an operating system for IoT) within the European VESSEDIA program. The speaker will share details about the development of formal access control models (Rodin/Event-B) and code specifications (Frama-C/ACSL), the use of static and dynamic analyzers, and the integration of formal analysis into continuous verification. Other types of work that help meet the certification requirements will also be considered.

That's all for today; follow the news on our website.