Ever wondered which program saves your machine from catastrophe every time you intentionally or unintentionally end up running an application that could wreak havoc on it? Ever wondered who takes care of the low-level stuff on your machine, like servicing the CPU's traps and system calls, or telling your screen to display those carefully engineered UIs of other applications? The answer is: the KERNEL.
A kernel is the core of an operating system: the super-boss of your system, which controls everything from peripheral devices to the privileged instructions that configure the CPU itself. Some of the instructions which only the kernel is allowed to execute are:
- HLT : halts the CPU core until the next interrupt arrives. The kernel uses it in its idle loop; a userspace program must not be able to stop the core it is running on.
- IN/OUT : read from and write to I/O ports, i.e. talk to hardware peripherals directly.
- RDMSR/WRMSR on special registers like MSR_LSTAR : on x86-64 this MSR holds the address the CPU jumps to when a program executes the SYSCALL instruction, i.e. the kernel's system-call entry point. Whoever can write it owns every system call on the machine.
Also, just like the OS tracks the user ID of the process running in userspace, the CPU tracks the privilege level of the code it is currently executing (on x86 this is called the CPL, the current privilege level). In other words, your CPU does the hardware work on behalf of the kernel, which runs at the highest privilege level. So what are these privilege levels? On x86 there are 4 privilege levels (or Rings) you should know about, plus one more that virtualization added. The number of rings varies between architectures, but for brevity in this post we'll only discuss these:
- Ring 3 : the privilege level given to userspace programs. The browser on which you are reading this post is running at this privilege level.
- Ring 2 : intended by the x86 designers for privileged OS services that are not the core kernel, but in practice unused by mainstream operating systems.
- Ring 1 : intended for device drivers, so that a buggy driver could not take down the whole kernel. In practice Linux and Windows run their drivers in Ring 0 alongside the kernel, so a driver bug is a kernel bug.
- Ring 0 : the highest privilege level, where the kernel (and, as just noted, the drivers) operates. If you hack your way to this privilege level you can execute every instruction the CPU has, read and write any memory, and talk to any device, including the power and fan controllers, so yes, massive DESTRUCTION is on the menu!
- Ring -1 : an informal name for hypervisor mode (VMX root mode on Intel, SVM on AMD). The hypervisor runs here, below the guest kernels, and traps the privileged operations of the virtual machines it hosts, so a guest's Ring 0 is not the real Ring 0.
Also, userspace processes are given the lower range of the virtual address space, whereas the kernel itself lives in the higher range (on x86-64 Linux the kernel occupies the upper half of the canonical address space), and those pages are marked supervisor-only in the page tables so they can only be accessed from Ring 0. A Ring 3 program that touches them gets a page fault, which the kernel reports as SIGSEGV.
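To see the privilege check in action, here is a small added program (not code from the original post) that, from Ring 3, tries the instructions listed above plus a read of kernel memory, and catches the resulting fault with a signal handler. It assumes an x86-64 Linux machine, where the CPU raises #GP for HLT and RDMSR at CPL 3 and the kernel reports that (and the page fault) as SIGSEGV; on other architectures the two instruction probes are replaced by a stand-in that raises SIGILL so the program still runs. The MSR number 0xC0000082 is IA32_LSTAR.

```c
#define _XOPEN_SOURCE 700
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static sigjmp_buf trap_jmp;

/* The kernel delivers SIGSEGV (for #GP and page faults) or SIGILL; jump back out. */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(trap_jmp, 1);
}

/* Run fn() with SIGSEGV and SIGILL caught. Returns 1 if fn() faulted, 0 if it
 * completed normally. sigsetjmp(..., 1) saves the signal mask, so jumping out of
 * the handler also restores it and the next probe can fault again. */
static int traps(void (*fn)(void)) {
    struct sigaction sa, old_segv, old_ill;
    int trapped;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGILL, &sa, &old_ill);

    if (sigsetjmp(trap_jmp, 1) == 0) {
        fn();
        trapped = 0;
    } else {
        trapped = 1;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    return trapped;
}

/* HLT: only legal at CPL 0; at CPL 3 the CPU raises #GP. */
static void do_hlt(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("hlt");
#else
    raise(SIGILL);  /* assumption: stand-in on non-x86 so the demo still runs */
#endif
}

/* RDMSR of IA32_LSTAR (0xC0000082), the SYSCALL entry address: #GP at CPL 3. */
static void do_rdmsr_lstar(void) {
#if defined(__x86_64__) || defined(__i386__)
    uint32_t lo, hi;
    __asm__ volatile("rdmsr" : "=a"(lo), "=d"(hi) : "c"(0xC0000082u));
    (void)lo; (void)hi;
#else
    raise(SIGILL);  /* assumption: stand-in on non-x86 */
#endif
}

/* Touch the topmost page of the address space: it belongs to the kernel half on
 * every Linux architecture, so a ring-3 access page-faults. */
static void do_read_kernel_memory(void) {
    volatile unsigned char *p =
        (volatile unsigned char *)((uintptr_t)-1 & ~(uintptr_t)0xfff);
    unsigned char c = *p;
    (void)c;
}

/* Ordinary ring-3 work for comparison: no privileged instruction, no fault. */
static void do_unprivileged(void) {
    volatile int x = 1;
    x += 1;
}

int main(void) {
    printf("hlt                trapped: %d\n", traps(do_hlt));
    printf("rdmsr IA32_LSTAR   trapped: %d\n", traps(do_rdmsr_lstar));
    printf("read kernel memory trapped: %d\n", traps(do_read_kernel_memory));
    printf("plain arithmetic   trapped: %d\n", traps(do_unprivileged));
    return 0;
}
```

The first three probes report 1 (trapped) and the last reports 0: the CPU itself refuses the privileged instructions and the supervisor-only pages, and all the kernel does is turn the hardware exception into a signal for the offending process.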
Look through the ‘security-lens’
Well, all these privilege levels are interesting if you look at them from a security perspective. If there is a critical bug in the kernel code, we now know what price we might have to pay: whoever exploits it ends up running in Ring 0, so an attacker could get their hands on the juiciest data on your machine or even leave it completely inoperable.
The reader might be familiar with the call graph or the basic-block graph, where each block depicts a piece of the control flow (the loops, the if-else paths and so on) of the code. If you look at the control-flow graph of the kernel code, it would surely resemble an untamed ancient banyan tree in a rainforest! What I mean to convey with this layman's analogy is that the kernel code is so COMPLEX that it cuts both ways: it offers plenty of places for undiscovered loopholes to hide, and it makes those nasty loopholes really hard to find, for defenders and attackers alike. Anyway, moving ahead, let's discuss the possible attack vectors against the KERNEL.
- Packets of death: malicious packets sent over the network the machine is connected to, aimed at bugs in the kernel's network stack or in a network driver. These are the scariest because the attacker needs no account on the machine at all. Such attacks are common nowadays, but this vector can still be controlled: a firewall and a minimal set of exposed protocols limit which kernel code a remote attacker can reach.
- Userspace attack: vulnerabilities in syscall and ioctl handlers (the kernel code that parses arguments arriving from Ring 3) pave the way for attacks from userspace. Heard of sandbox escapes 😉 ?
- Connected devices: attackers can launch kernel exploits from attached devices, for instance a malicious USB device whose descriptors trigger a bug in the USB stack or in the driver that gets loaded for it.
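A model of the bug class behind the "userspace attack" item above, as an added example that is not code from this post and not a real driver: an ioctl handler receives a pointer and a length from Ring 3, and the only thing standing between the caller and kernel memory is the handler's own validation. The program below simulates that in userspace. One byte array stands in for a stretch of kernel memory (a 64-byte scratch buffer followed by the uid of the device's owner), plain memcpy stands in for copy_from_user, and the struct names, sizes and offsets are all assumptions made for the demonstration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBUF_SIZE 64

/* Assumed model of a driver's per-device state. In a real kernel the buffer and
 * the uid would be separate fields or allocations; here one array stands in for
 * that stretch of kernel memory so the overflow stays inside a single object:
 *   [0, 64)    scratch buffer that the ioctl copies user data into
 *   [64, 68)   uid of the process that owns the device (0 = root)
 *   [68, 256)  other kernel data */
struct dev_state { unsigned char mem[256]; };

static void dev_init(struct dev_state *d, uint32_t owner_uid) {
    memset(d->mem, 0, sizeof d->mem);
    memcpy(d->mem + KBUF_SIZE, &owner_uid, sizeof owner_uid);
}

static uint32_t dev_owner_uid(const struct dev_state *d) {
    uint32_t uid;
    memcpy(&uid, d->mem + KBUF_SIZE, sizeof uid);
    return uid;
}

/* What userspace hands to the ioctl: a pointer into ring-3 memory and a length.
 * Both values are attacker-controlled. */
struct ioctl_req { const unsigned char *ubuf; uint32_t len; };

/* Vulnerable handler: trusts req->len, so any len > KBUF_SIZE writes past the
 * scratch buffer into whatever kernel data follows it. */
static int ioctl_write_vulnerable(struct dev_state *d, const struct ioctl_req *req) {
    memcpy(d->mem, req->ubuf, req->len);
    return 0;
}

/* Hardened handler: validate the untrusted length before touching kernel memory. */
static int ioctl_write_hardened(struct dev_state *d, const struct ioctl_req *req) {
    if (req->len > KBUF_SIZE)
        return -EINVAL;
    memcpy(d->mem, req->ubuf, req->len);
    return 0;
}

typedef int (*ioctl_fn)(struct dev_state *, const struct ioctl_req *);

/* Simulate a ring-3 attacker: 64 bytes of filler followed by 4 zero bytes, i.e.
 * exactly enough to reach the uid field and overwrite it with 0 (root).
 * Returns the owner uid afterwards; the handler's return code goes into *rc. */
static uint32_t attack(ioctl_fn handler, int *rc) {
    struct dev_state d;
    unsigned char payload[KBUF_SIZE + sizeof(uint32_t)];  /* constructed attacker input */
    struct ioctl_req req;

    dev_init(&d, 1000);                       /* device owned by an ordinary user */
    memset(payload, 'A', KBUF_SIZE);
    memset(payload + KBUF_SIZE, 0, sizeof(uint32_t));
    req.ubuf = payload;
    req.len = sizeof payload;                 /* 68: four bytes too many */

    *rc = handler(&d, &req);
    return dev_owner_uid(&d);
}

int main(void) {
    int rc;
    uint32_t uid;

    uid = attack(ioctl_write_vulnerable, &rc);
    printf("vulnerable: rc=%d owner uid=%u\n", rc, uid);  /* rc=0, uid=0: escalated */
    uid = attack(ioctl_write_hardened, &rc);
    printf("hardened:   rc=%d owner uid=%u\n", rc, uid);  /* rc=-22, uid=1000 */
    return 0;
}
```

The vulnerable handler reports success and leaves the device owned by uid 0; the hardened one rejects the request with -EINVAL and the uid stays 1000. The bug itself is a mundane missing bounds check, but because the handler runs in Ring 0 the four overflowed bytes land in data that userspace could never touch directly, which is exactly why syscall and ioctl argument handling deserves such paranoid validation.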
The aim of these attacks is mainly privilege escalation, planting rootkits, or pivoting to other parts of the system. Whatever the goal, kernel-targeted attacks are critical to the overall security of a system and must never be taken lightly.
I have very limited experience in this field and have tried to compile my personal learning in this blog. If you have any comments, do shoot them. Ciao!