Patchwerk: Kernel Patching for Fun and Profit

Presented at ShmooCon XV (2019), Jan. 20, 2019, noon (60 minutes).

With the proliferation of inexpensive IoT devices running insecure Linux kernels on corporate networks, maintaining secure infrastructure has become an almost impossible task: IoT device manufacturers seldom keep up with the latest disclosed vulnerabilities, and usually do not provide complete, working source code. Network administrators have few viable options for patching and maintaining these devices. Several efforts have proposed a standard for live kernel patching, including Oracle’s ksplice, SuSE’s kGraft, RedHat’s kpatch, and the “livepatch” support built into the 4.0 kernel. Unfortunately, all of these solutions require the capability to be compiled into the kernel ahead of time, and they introduce a host of other security concerns.

Based on hacker techniques as old as the mid-90’s, we have addressed this problem by developing a tool suite for inspecting, compiling, and applying patches to vendor OEM Linux kernels, as a means to patch vulnerabilities, instrument performance, and aid reverse engineering efforts. Rather than requiring the complete vendor-specific kernel source, configs, and build chains, we make it possible to patch vendor OEM Linux kernels using representative source code and cross-compilers. This allows us to hook functions at entry and exit, replace functions outright, alter the parameters passed to a function, alter return values, and much more.


Presenters:

  • Parker Wiksell
    Jewell Seay and Parker Wiksell (@pwiksell) are security researchers at Battelle Memorial Institute. Jewell was part of Legitimate Business Syndicate, host of DEF CON CTF for 4 years, and the author of the cLEMENCy architecture. Parker has over 20 years industry experience, with the last 8 being focused on security research. Last year, Parker presented on the AFL-Unicorn toolset at ShmooCon. When not geeking out on computers, Parker has been known to write the occasional musical composition professionally.
  • Jewell Seay
