Posts

Showing posts from November, 2022

Defending Attacks Part 2: Kernel Exploit "DirtyCOW"

Some Background

When code is executed in the kernel it has more capabilities than code executed in user mode. This includes access to kernel data structures, access to the virtual address space of any process, and many other privileged abilities. When code is written to "trick" the kernel into performing an unauthorized action (often leading to privilege escalation), this is called a kernel exploit. In this post we'll be examining a famous kernel exploit known as "Dirty COW", which applies a race condition to a memory-mapped file, allowing a non-privileged user to modify a file that should be read-only to them.

Important Concepts to Refresh

Pages

In operating systems, memory is not handled one byte at a time. Rather, it is handled in the "unit of transfer", also known as pages. Pages are essentially "blocks of memory", typically 4KiB (4096 bytes) in size. Pages are used when referencing both virtual and physical memory. For this article, when talk...

Defending Attacks Part 1: Password Cracking With Hydra and John The Ripper

This is my first post in my series "Defending Attacks". In this series I will break down real-world attacks, explaining how they occur, why they matter, and what you can do to protect yourself.

Some initial thoughts

We like to think that we choose good passwords when we create new accounts. In some cases we choose passwords that are quite secure. In other cases we unfortunately do not. When it comes to password attacks, the attacker has very little to lose and a lot to gain. Poorly chosen passwords can lead to drastic outcomes such as an organization falling victim to ransomware, identity theft, and many other unpleasant situations. In this article I will cover what password attacks look like, how to distinguish between a weak and a strong password, and some additional defensive measures that can mitigate attacks.

What is a password attack?

A password attack is as simple as it sounds. For this article we will assume the attacke...

4.4BSD Kernel Entry and Organization

Entering the Kernel

In 4.4BSD one view of the kernel is that it provides services to user processes. Processes can directly access these services through system calls, though other actions such as division by 0 can also cause entry into the kernel via a hardware trap. In total there are 3 main actions/events that cause entry into the kernel:

Hardware Interrupts - asynchronous events that are not necessarily related to the context of the currently executing process. These might include I/O devices needing assistance.

Hardware Traps - asynchronous or synchronous events that are related to the currently executing process. One example would be an invalid memory access.

Software-Initiated Traps - an intentional software event that is used to ask for a specific kernel service to execute. Implementations vary, but the main idea is that the software explicitly reaches out to the kernel. System calls are one example; for instance, the system call fork() will ask the kernel to create a child process. A ...