out-of-tree v1.0.0 is a toolkit for developing and testing exploits and Linux kernel modules

The first (v1.0.0) version of out-of-tree, a toolkit for developing and testing exploits and Linux kernel modules, has been released.

out-of-tree automates routine steps of setting up environments for debugging kernel modules and exploits, generates exploit reliability statistics, and is easy to integrate into CI (Continuous Integration).

Each kernel module or exploit is described by a .out-of-tree.toml file, which contains information about the required environment and (if it is an exploit) about which security mitigations prevent it from working.

The toolkit can also determine which specific kernel versions are affected by a vulnerability (using --guess), and can be used to simplify bisecting for the specific commit.

The following is a list of changes since version v0.2.

Added

  • Implemented the ability to limit the number of generated (out-of-tree kernel autogen) kernels (based on the description in .out-of-tree.toml) and check runs (out-of-tree pew) using the --max=X parameter.

  • New genall command to generate all kernels for a specific distribution and version.

  • All logs are now stored in an sqlite3 database. Commands for simple, frequently needed queries have been implemented, as well as data export to JSON and Markdown.

  • Implemented the calculation of the probability of a successful run (based on previous launches).

  • Ability to save build results (new --dist option for the out-of-tree pew command).

  • Support for generating metadata for kernels installed on the host system, as well as building directly on the host.

  • Support for third-party kernels.

  • Now the debug environment (out-of-tree debug) automatically looks for debug symbols on the host system.

  • Added the ability to manage security mitigations by enabling/disabling KASLR, SMEP, SMAP, and KPTI flags during debugging.

  • Added the --threads=N parameter to the out-of-tree pew test launch command, which specifies the number of threads in which the build, run and test of exploits and kernel modules are performed.

  • The ability to set a tag that will be written to the log and then can be used to calculate statistics.

  • Added the ability to specify the kernel version without using regular expressions.

  • New pack command used to bulk test exploits and kernel modules in subdirectories.

  • In the configuration (.out-of-tree.toml) of an exploit or kernel module, it is now possible to disable KASLR, SMEP, SMAP and KPTI, and to specify the required number of CPU cores and amount of memory.

  • Now images (rootfs) are loaded automatically during kernel autogen. bootstrap is no longer needed.

  • Support for CentOS kernels.
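To make the two logging items above concrete (launch logs in sqlite3, and a success probability computed from previous launches, exported to JSON and Markdown), here is an added example that is not out-of-tree's own code. It models a log with a constructed table (the `runs` table, its columns and the sample rows are assumptions, not the project's real schema) and computes per-kernel reliability as successes divided by launches, where a launch counts as successful only if the build, run and test stages all passed. It also breaks failures down by the stage at which they happened and lists the kernels on which the artifact worked at least once, which is the set a version-guessing pass would report.

```python
"""Reliability statistics over an sqlite3 log of exploit / module launches.

Added example, not out-of-tree's own code. The schema and sample rows
below are constructed for illustration.
"""
import json
import sqlite3

# Constructed sample log: one row per launch of one artifact against one
# kernel, with the outcome (1 = ok, 0 = failed) of each stage.
SAMPLE_RUNS = [
    # tag,        distro,   kernel_release,       build, run, test
    ("cve-demo", "Ubuntu", "4.4.0-31-generic",   1, 1, 1),
    ("cve-demo", "Ubuntu", "4.4.0-31-generic",   1, 1, 0),
    ("cve-demo", "Ubuntu", "4.4.0-31-generic",   1, 1, 1),
    ("cve-demo", "Ubuntu", "4.15.0-20-generic",  1, 1, 0),
    ("cve-demo", "Ubuntu", "4.15.0-20-generic",  1, 0, 0),
    ("cve-demo", "CentOS", "3.10.0-862.el7",     0, 0, 0),
]

# Assumed table layout (not the project's real schema).
SCHEMA = """
CREATE TABLE runs (
    id             INTEGER PRIMARY KEY,
    tag            TEXT NOT NULL,
    distro         TEXT NOT NULL,
    kernel_release TEXT NOT NULL,
    build_ok       INTEGER NOT NULL,
    run_ok         INTEGER NOT NULL,
    test_ok        INTEGER NOT NULL
)
"""


def open_log(rows):
    """Create an in-memory sqlite3 log and fill it with the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO runs (tag, distro, kernel_release, build_ok, run_ok, test_ok)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        rows,
    )
    conn.commit()
    return conn


def reliability(conn, tag):
    """Per-kernel success probability for one tag.

    A launch is successful only if build, run and test all passed; the
    probability is successes / launches over the logged history. Failures
    are attributed to the first stage that failed.
    """
    query = """
        SELECT distro, kernel_release,
               SUM(build_ok AND run_ok AND test_ok)     AS successes,
               COUNT(*)                                 AS launches,
               SUM(NOT build_ok)                        AS build_failures,
               SUM(build_ok AND NOT run_ok)             AS run_failures,
               SUM(build_ok AND run_ok AND NOT test_ok) AS test_failures
        FROM runs
        WHERE tag = ?
        GROUP BY distro, kernel_release
        ORDER BY distro, kernel_release
    """
    stats = []
    for distro, kernel, ok, total, bf, rf, tf in conn.execute(query, (tag,)):
        stats.append({
            "distro": distro,
            "kernel_release": kernel,
            "successes": ok,
            "launches": total,
            "reliability": ok / total,
            "failed_at": {"build": bf, "run": rf, "test": tf},
        })
    return stats


def kernels_with_success(stats):
    """Kernels on which the artifact worked at least once."""
    return [(s["distro"], s["kernel_release"]) for s in stats if s["successes"] > 0]


def to_json(stats):
    """Export the statistics as JSON text."""
    return json.dumps(stats, indent=2)


def to_markdown(stats):
    """Export the statistics as a Markdown table."""
    lines = [
        "| distro | kernel | successes | launches | reliability | failed at build/run/test |",
        "|---|---|---|---|---|---|",
    ]
    for s in stats:
        f = s["failed_at"]
        lines.append("| %s | %s | %d | %d | %.2f | %d/%d/%d |" % (
            s["distro"], s["kernel_release"], s["successes"], s["launches"],
            s["reliability"], f["build"], f["run"], f["test"]))
    return "\n".join(lines)


if __name__ == "__main__":
    log = open_log(SAMPLE_RUNS)
    results = reliability(log, "cve-demo")
    print(to_markdown(results))
    print(to_json(results))
    print("worked at least once on:", kernels_with_success(results))
```

With the constructed rows, the 4.4.0-31 kernel gets a reliability of 2/3 with one failure at the test stage, 4.15.0-20 gets 0/2 (one run-stage and one test-stage failure), and the CentOS kernel gets 0/1 because the build itself failed; splitting failures by stage like this is what makes a low number actionable, since a build failure says nothing about the exploit's reliability on that kernel.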

Changes

  • Now, if there is no image (rootfs) for the required version of the distribution, out-of-tree will try to use the image of the closest version. For example, an Ubuntu 18.04 image for Ubuntu 18.10.

  • Tests for kernel modules no longer fail when no tests are present (no tests, no bugs!).

  • out-of-tree now returns a negative error code if at least one stage (build, run or test) on any of the kernels finished with an error.

  • The project has switched to Go modules; building with GO111MODULE=on is now preferred.

  • Added default tests.

  • test.sh is now used by default if the Makefile does not implement the ${TARGET}_test target.

  • The kernel log is no longer cleared before running a kernel module or exploit. Some exploits use a kernel base leak in dmesg to bypass KASLR, so clearing it could break the exploit's logic.

  • qemu/kvm now uses the full capabilities of the host processor.

Removed

  • Kernel Factory has been removed completely, since kernel generation is now implemented on top of incrementally updated Dockerfiles.

  • bootstrap no longer does anything. The command will be removed in the next release.

Fixed

  • On macOS, GNU coreutils is no longer required to run.

  • Temporary files have been moved to ~/.out-of-tree/tmp/ because of mount errors inside docker on some systems.

Source: linux.org.ru