SKILL: Modern Kernel Exploit Mitigations

Metadata

• Skill Name: security-mitigations
• Folder: offensive-mitigations
• Source: https://github.com/SnailSploit/offensive-checklist/blob/main/mitigations.md

Description

Security mitigation reference and bypass catalog: ASLR, DEP/NX, RELRO, stack canaries, CFI, sandboxing, seccomp. Covers both detection of enabled mitigations and known bypass techniques. Use when assessing target hardening or planning exploit mitigation bypasses.

Trigger Phrases

Use this skill when the conversation involves any of: mitigations, ASLR bypass, DEP bypass, NX bypass, RELRO, stack canary bypass, CFI bypass, sandbox bypass, seccomp bypass, mitigation detection, checksec

Instructions for Claude

When this skill is active:

1. Load and apply the full methodology below as your operational checklist
2. Follow steps in order unless the user specifies otherwise
3. For each technique, consider applicability to the current target/context
4. Track which checklist items have been completed
5. Suggest next steps based on findings

Full Methodology

Modern Kernel Exploit Mitigations

Memory-safety & Isolation

Kernel Address Space Layout Randomization (KASLR)

• Randomizes memory addresses where the kernel and its components are loaded.
• Makes it difficult for attackers to predict kernel code and data locations.

Bypass Techniques

• Information Leaks: Exploiting vulnerabilities (e.g., uninitialized memory, side-channels) to leak kernel pointers and calculate the base address.
• Side-Channel Attacks: Using timing, cache, or other microarchitectural side channels to infer memory layout.
  • Prefetch Cache Timing: Measures access speed across the kASLR range (0xfffff80000000000 to 0xfffff80800000000, ~0x8000 iterations with 0x100000 alignment). The fastest access indicates a cached address, revealing the actual kernel base. Uses rdtscp for timing, mfence for memory barriers, and prefetchnta/prefetcht2 for cache manipulation.
• Targeting Non-Randomized Regions: Exploiting data or code segments that are not fully randomized.
• Brute-Force: Feasible in environments with limited entropy (e.g., some 32-bit systems or specific configurations).
• Intel LAM: Linear Address Masking support exists on recent kernels/CPUs but may be disabled by default. Verify with kernel config, boot params, and CPU flags on your target.

Kernel Page Table Isolation (KPTI)

• Linux:
  • Separates user-space and kernel-space page tables.
  • Mitigates the Meltdown vulnerability by preventing user-space access to kernel memory.

Bypass Techniques

• Side-Channel Attacks: Exploiting microarchitectural side channels (e.g., TLB timing, cache attacks) that leak information across the isolation boundary.
• Hardware Vulnerabilities: Exploiting CPU vulnerabilities (e.g., L1TF, MDS) that can bypass page table separation.
• Implementation Flaws: Bugs in the KPTI implementation itself.

Practitioner

• Linux: check status via /sys/devices/system/cpu/vulnerabilities/* and dmesg | grep -i kpti.
• Windows: verify meltdown/KVA shadowing with Get-SpeculationControlSettings PowerShell script from Microsoft.

Supervisor Mode Access Prevention (SMAP)

• Linux:
  • Hardware feature preventing unintended kernel access to user-space memory.
  • Protects against attacks exploiting improper memory accesses.

Bypass Techniques

• ROP/JOP Gadgets: Finding instruction sequences (gadgets) within kernel code that disable SMAP temporarily (e.g., via stac instruction) before accessing user memory.
• Data-Only Attacks: Attacks that achieve their goal without directly accessing user-space data from the kernel inappropriately.
• Kernel Information Leaks: Combining with KASLR bypasses to find suitable gadgets.

Practitioner

• Linux: confirm with grep smap /proc/cpuinfo and cat /proc/cpuinfo | grep 'smep\|smap'.
• Check CR4 at runtime with rdmsr/wrmsr tools or lscpu -e on supported systems.

Supervisor Mode Execution Protection (SMEP)

• Linux/Windows:
  • Hardware feature preventing execution of user-space code when in supervisor mode.
  • Located in bit 20 of the CR4 control register.
  • Blocks certain privilege escalation attacks that rely on executing shellcode in user-mode memory.

Bypass Techniques

• ROP/JOP Chains: Constructing code reuse chains entirely from existing kernel code, avoiding execution of user-space code.
• Data-Only Attacks: Exploiting vulnerabilities without needing to execute shellcode (e.g., overwriting kernel data structures).
• Disabling SMEP: Finding gadgets or techniques to modify the CR4 control register to disable SMEP.
• Type Confusion Exploits: Using type confusion vulnerabilities to gain control flow and build ROP chains for SMEP bypass.
• Page Table Manipulation: Modifying page table entries (PTEs) to change user pages to supervisor pages, making user-space code executable in kernel context.
• Write-What-Where Primitives: Using arbitrary write vulnerabilities to modify CR4 register or page table structures.

Practitioner

• Linux: grep smep /proc/cpuinfo; verify effective state via dmesg | grep -i smep.
• Windows: SMEP is enforced when Memory Integrity/HVCI is enabled on modern systems.

Kernel Data Protection (KDP)

• Windows:
  • Marks certain kernel memory regions as read-only.
  • Prevents unauthorized modification of critical kernel data structures.

Practitioner

• Check with Get-CimInstance -ClassName Win32_DeviceGuard and System Information → Device Guard properties for KDP/HVCI/VBS.

Memory Integrity (Core Isolation)

• Windows:
  • Uses virtualization and HVCI to prevent malicious code alteration.
  • Guards against code injection or execution in kernel mode.

Practitioner

• Enable/verify: Windows Security → Device Security → Core isolation details.
• PowerShell: Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity | Select-Object Enabled.

Read-Only Data Sections (RODATA)

• Linux:
  • Marks specific kernel memory regions as read-only.
  • Prevents modification of critical data structures and code.

Hardened Usercopy

• Linux:
  • Adds boundary checks to memory copy operations between user and kernel space.
  • Prevents buffer overflows and memory corruption during copy operations.

Memory Tagging Extension (MTE)

• Linux (ARM):
  • Hardware-assisted memory safety feature to detect memory corruption bugs.
  • Mitigates use-after-free and buffer overflows at a hardware level.
  • Adopted as a production security feature in Android 16 (March 2025) with both asynchronous and synchronous detection modes available for apps.

How MTE Works

• 4-bit Tags: Each 16-byte memory allocation receives a random 4-bit tag (values 0-15)
• Pointer Tagging: Upper bits of pointers store the allocation tag
• Tag Checking: Hardware validates pointer tag matches memory tag on every dereference
• Fault on Mismatch: Invalid access triggers SIGSEGV (sync mode) or logs asynchronously (async mode)

Bypass Techniques

• Tag Collision (Probabilistic): With only 4-bit tags (16 possible values), collision probability is high
  • Increase entropy with larger allocation pools; Android 16 uses tag rotation heuristics.
• Untagged Memory Regions: Not all memory is MTE-protected
  • Enable MTE on stack via prctl(PR_MTE_TCF_SYNC, PR_TAGGED_ADDR_ENABLE).
• Asynchronous Mode Exploitation: Android's async mode delays fault reporting for performance
  • Use synchronous mode (MTE_mode=sync) for security-critical apps.
• Integer Overflow in Tag Calculation: MTE tags are derived from allocation size; overflow can corrupt tags
• Kernel-Space Bypass: MTE only protects userspace by default
  • Kernel allocations (kmalloc, vmalloc) don't use MTE (Android 16, Linux 6.8)