RomHack Training

Exploiting the Linux Kernel

Andrey Konovalov

Dates

September 28 – October 1, 2026

9:00 – 18:00

FULL PRICE

€ 4.000,00

EARLY BIRD PRICE

€ 3.600,00

Course objectives

  • Security-relevant Linux kernel internals and attack surface.
  • Kernel privilege escalation techniques.
  • Exploiting vulnerabilities in stack, global, and Slab (heap) memory.
  • Exploiting use-after-free and out-of-bounds vulnerabilities.
  • KASLR, SMEP, SMAP, and KPTI bypasses.
  • In-kernel Return-Oriented Programming (ROP).
  • Data-only kernel exploitation techniques.
  • Cross-cache and cross-allocator attacks.
  • Page table–based exploitation techniques.

Training outcomes

  • Advanced exploitation of kernel bugs in a modern Linux
  • Understanding of the kernel allocators’ internals
  • Modern slab (heap) exploitation techniques

About the trainer

Andrey Konovalov is a security researcher focusing on the Linux kernel.

Andrey found multiple zero-day bugs in the Linux kernel and published proof-of-concept exploits for these bugs to demonstrate the impact. Andrey contributed to several security-related Linux kernel subsystems and tools: KASAN — a fast dynamic bug detector; syzkaller — a widely-used kernel fuzzer; and Arm Memory Tagging Extension (MTE) — an exploit mitigation.

Andrey gave talks at many security conferences such as OffensiveCon, Zer0Con, Android Security Symposium, and Linux Security Summit. Andrey also maintains a collection of Linux kernel security–related materials and a channel on Linux kernel security.

See xairy.io for all of Andrey’s articles, talks, and projects.

Required skills

  • Working C knowledge.
  • Familiarity with x86-64 architecture and x86-64 assembly.
  • Familiarity with GDB.
  • Familiarity with common types of vulnerabilities and exploitation techniques for userspace applications.

No knowledge about Linux kernel internals is required.

What to bring?

Hardware Requirements

  • x86-64–based machine.
  • At least 100 GB of free disk space.
  • At least 16 GB of RAM.
  • Ability to plug in an untrusted USB drive (relevant for corporate laptops).

Software Requirements

  • Host OS: Linux (recommended) or Windows.
  • VMware Workstation Player or Pro.
  • 7-Zip.

What will be provided?

A USB drive with:

  • Presentation slides.
  • Detailed lab guides with step-by-step instructions.
  • Virtual machine images with tools, exercise binaries, and source code.

CLASS SYLLABUS¹

Day 1 — Internals and exploitation basics:
  • Internals and debugging: x86-64 architecture refresher; security-relevant Linux kernel internals and attack surface; types of kernel vulnerabilities; setting up a kernel debugging environment with VMware; using GDB to debug the kernel and its modules.
  • Escalating privileges: ret2usr, overwriting the cred structure, overwriting modprobe_path; control flow hijacking and arbitrary address read/write primitives.
Day 2 — Mitigation bypasses and basic Slab exploitation:
  • Bypassing mitigations: KASLR, SMEP, SMAP, and KPTI internals and bypass techniques; in-kernel Return-Oriented Programming (ROP).
  • Exploiting Slab corruptions: in-depth SLUB internals; exploiting Slab out-of-bounds and use-after-free vulnerabilities; Slab-specific mitigations; data-only exploitation techniques.
Day 3 — Classic Slab exploitation:
  • Exploiting more Slab corruptions: cache merging and accounting; hardened usercopy; elastic objects; msg_msg and pipe_buffer–based exploitation techniques.
  • Writing an end-to-end exploit for an N-day kernel vulnerability.
Day 4 — Modern Slab exploitation:
  • Cross-cache and cross-allocator attacks.
  • Page pointer corruptions; more pipe_buffer-based exploitation techniques.
  • Learning other advanced exploitation techniques; useful references.

Stretch content (covered on the last day if there is time left over; self-study otherwise):

  • Page table–based exploitation techniques.
  • Writing an end-to-end exploit for another N-day kernel vulnerability.

¹ Schedule of lectures on the specified days may be subject to changes.