reeves0x0 / linux-kernel-exploitation

A collection of links related to Linux kernel exploitation


Linux Kernel Exploitation

Pull requests are welcome.

Books

2014: "Android Hacker's Handbook" by Joshua J. Drake

2010: "A Guide to Kernel Exploitation: Attacking the Core" by Enrico Perla and Massimiliano Oldani

Workshops

2020: "Android Kernel Exploitation" by Ashfaq Ansari [workshop]

Exploitation Techniques

2020: "Structures that can be used with Kernel Exploit" [article]

2020: "Linux Kernel Stack Smashing" by Silvio Cesare [article]

2020: "Structures that can be used in kernel exploits" [article]

2019, Black Hat Europe: "Hands Off and Putting SLAB/SLUB Feng Shui in Blackbox" by Yueqi (Lewis) Chen [slides] [code]

2019: "SLAKE: Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel" by Yueqi (Lewis) Chen and Xinyu Xing [slides] [paper]

2019, Linux Security Summit EU: "Exploiting Race Conditions Using the Scheduler" by Jann Horn [slides] [video]

2019: "Kepler: Facilitating Control-flow Hijacking Primitive Evaluation for Linux Kernel Vulnerabilities" [slides] [video] [paper]

2019: "Leak kernel pointer by exploiting uninitialized uses in Linux kernel" by Jinbum Park [slides]

2018: "FUZE: Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities" [slides] [paper]

2018: "Linux Kernel universal heap spray" by Vitaly Nikolenko [article]

2018: "Linux-Kernel-Exploit Stack Smashing" [article]

2018: "Entering God Mode - The Kernel Space Mirroring Attack" [article]

2018, HitB: "Mirror Mirror: Rooting Android 8 with a Kernel Space Mirroring Attack" by Wang Yong [slides]

2018, BlackHat: "KSMA: Breaking Android kernel isolation and Rooting with ARM MMU features" by Wang Yong [slides]

2018: "Still Hammerable and Exploitable: on the Effectiveness of Software-only Physical Kernel Isolation" [paper]

2018: "linux kernel pwn notes" [article]

2018: "Use of timer_list structure in linux kernel exploit" [article]

2017: "KERNELFAULT: Pwning Linux using Hardware Fault Injection" by Niek Timmers and Cristofaro Mune [video]

2017: "Escalating Privileges in Linux using Fault Injection" by Niek Timmers and Cristofaro Mune [slides]

2017: "Escalating Privileges in Linux using Fault Injection" by Niek Timmers and Cristofaro Mune [paper]

2017: "Kernel Driver mmap Handler Exploitation" by Mateusz Fruba [paper]

2017: "Linux kernel addr_limit bug / exploitation" by Vitaly Nikolenko [video]

2017: "The Stack Clash" by Qualys Research Team [article]

2017: "New Reliable Android Kernel Root Exploitation Techniques" [slides]

2017: "Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying" [paper]

2017: "Breaking KASLR with perf" by Lizzie Dixon [article]

2017: "Linux kernel exploit cheatsheet" [article]

2016: "Getting Physical Extreme abuse of Intel based Paging Systems" by Nicolas Economou and Enrique Nissim [slides]

2016: "Linux Kernel ROP - Ropping your way to # (Part 1)" by Vitaly Nikolenko [article]

2016: "Linux Kernel ROP - Ropping your way to # (Part 2)" by Vitaly Nikolenko [article]

2016, Ruxcon: "Exploiting COF Vulnerabilities in the Linux kernel" by Vitaly Nikolenko [slides]

2016: "Using userfaultfd" by Lizzie Dixon [article]

2016, DEF CON 24: "Direct Memory Attack the Kernel" by Ulf Frisk [video]

2016, MOSEC 2016: "Talk is cheap, show me the code" by Keen Lab [slides]

2016, Black Hat: "Randomization Can't Stop BPF JIT Spray" by Elena Reshetova [slides] [video] [paper]

2015: "Kernel Data Attack is a Realistic Security Threat" [paper]

2015: "From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel" [paper]

2015: "Linux Kernel Exploitation" by Patrick Biernat [slides]

2013, Black Hat USA: "Hacking like in the Movies: Visualizing Page Tables for Local Exploitation"

2013: "Exploiting linux kernel heap corruptions" by Mohamed Channam [article]

2012: "Writing kernel exploits" by Keegan McAllister [slides]

2012: "Understanding Linux Kernel Vulnerabilities" by Richard Carback [slides]

2012: "A Heap of Trouble: Breaking the Linux Kernel SLOB Allocator" by Dan Rosenberg [paper]

2012: "Attacking hardened Linux systems with kernel JIT spraying" by Keegan McAllister [article]

2012: "The Linux kernel memory allocators from an exploitation perspective" by Patroklos Argyroudis [article]

2012: "The Stack is Back" by Jon Oberheide [slides]

2012: "Stackjacking" by Jon Oberheide and Dan Rosenberg [slides]

2011: "Stackjacking Your Way to grsec/PaX Bypass" by Jon Oberheide [article]

2010: "Much ado about NULL: Exploiting a kernel NULL dereference" [article]

2010: "Exploiting Stack Overflows in the Linux Kernel" by Jon Oberheide [article]

2010, SOURCE Boston: "Linux Kernel Exploitation: Earning Its Pwnie a Vuln at a Time" by Jon Oberheide [slides]

2009, CanSecWest: "There's a party at ring0, and you're invited" by Tavis Ormandy and Julien Tinnes [slides]

2007: "Kernel-mode exploits primer" by Sylvester Keil and Clemens Kolbitsch [paper]

2007, Phrack: "Attacking the Core : Kernel Exploiting Notes" [article]

2007: "The story of exploiting kmalloc() overflows" [article]

2007: "Linux 2.6 Kernel Exploits" by Stephane Duverger [slides]

2005, CanSecWest: "Large memory management vulnerabilities" by Gael Delalleau [slides]

2005: "The story of exploiting kmalloc() overflows" [article]

Vulnerabilities

Information Leak

2019: "CVE-2018-3639 / CVE-2019-7308—Analysis of Spectre Attacking Linux Kernel ebpf" [article, CVE-2018-3639, CVE-2019-7308]

2019: "From IP ID to Device ID and KASLR Bypass (Extended Version)" [paper]

2018: "Kernel Memory disclosure & CANVAS Part 1 - Spectre: tips & tricks" [article, Spectre]

2018: "Kernel Memory disclosure & CANVAS Part 2 - CVE-2017-18344 analysis & exploitation notes" [article, CVE-2017-18344]

2018: "Linux kernel: CVE-2017-18344: arbitrary-read vulnerability in the timer subsystem" by Andrey Konovalov [announcement, CVE-2017-18344]

2017: "Linux kernel 2.6.0 to 4.12-rc4 infoleak due to a data race in ALSA timer" by Alexander Potapenko [announcement, CVE-2017-1000380]

2017: "The Infoleak that (Mostly) Wasn't" by Brad Spengler [article, CVE-2017-7616]

2016: "Exploiting a Linux Kernel Infoleak to bypass Linux kASLR" [article]

2010: "Linux Kernel pktcdvd Memory Disclosure" by Jon Oberheide [article, CVE-2010-3437]

2009: "Linux Kernel x86-64 Register Leak" by Jon Oberheide [article, CVE-2009-2910]

2009: "Linux Kernel getname() Stack Memory Disclosures" by Jon Oberheide [article, CVE-2009-3001]

LPE

2020, Black Hat USA: "TiYunZong: An Exploit Chain to Remotely Root Modern Android Devices" by Guang Gong [slides, CVE-2019-10567] [paper]

2020: "Binder - Analysis and exploitation of CVE-2020-0041" by Jean-Baptiste Cayrou [article, CVE-2020-0041]

2020, THCON: "Binder IPC and its vulnerabilities" by Jean-Baptiste Cayrou [slides, CVE-2019-2215, CVE-2019-2025, CVE-2019-2181, CVE-2019-2214, CVE-2020-0041]

2020: "Exploiting CVE-2020-0041 - Part 2: Escalating to root" by Eloi Sanfelix and Jordan Gruskovnjak [article, CVE-2020-0041]

2020, OffensiveCon: "A bug collision tale" by Eloi Sanfelix [slides, CVE-2019-2025] [video]

2020: "CVE-2020-8835: Linux Kernel Privilege Escalation via Improper eBPF Program Verification" by Manfred Paul [article, CVE-2020-8835]

2020: "Mitigations are attack surface, too" by Jann Horn [article]

2020: "CVE-2019-18683: Exploiting a Linux kernel vulnerability in the V4L2 subsystem" by Alexander Popov [article, CVE-2019-18683] [slides]

2020: "Multiple Kernel Vulnerabilities Affecting All Qualcomm Devices" by Tamir Zahavi-Brunner [article, CVE-2019-14040, CVE-2019-14041]

2019: "Bad Binder: Android In-The-Wild Exploit" by Maddie Stone [article, CVE-2019-2215]

2019: "Analyzing Android's CVE-2019-2215 (/dev/binder UAF)" [article, CVE-2019-2215]

2019: "Stream Cut: Android Kernel Exploitation with Binder Use-After-Free (CVE-2019-2215)" [video, CVE-2019-2215]

2019: "CVE-2019-2215 - Android kernel binder vulnerability analysis" [article, CVE-2019-2215]

2019, Linux Security Summit EU: "Deep Analysis of Exploitable Linux Kernel Vulnerabilities" by Tong Lin and Luhai Chen [video, CVE-2017-16995, CVE-2017-10661]

2019: "Tailoring CVE-2019-2215 to Achieve Root" by Grant Hernandez [article, CVE-2019-2215]

2019: "Android: Use-After-Free in Binder driver" [announcement, CVE-2019-2215]

2019: "From Zero to Root: Building Universal Android Rooting with a Type Confusion Vulnerability" by Wang Yong [slides, CVE-2018-9568]

2019: "Android Binder: The Bridge To Root" by Hongli Han and Mingjian Zhou [slides, CVE-2019-2025]

2019: "The ‘Waterdrop’ in Android: A Binder Kernel Vulnerability" by Hongli Han [article, CVE-2019-2025]

2019: "An Exercise in Practical Container Escapology" by Nick Freeman [article, CVE-2017-1000112]

2019: "Taking a page from the kernel's book: A TLB issue in mremap()" by Jann Horn [article, CVE-2018-18281]

2019: "CVE-2018-18281 - Analysis of TLB Vulnerabilities in Linux Kernel" [article]

2019: "Analysis of Linux xfrm Module Cross-Border Read-Write Escalation Vulnerability (CVE-2017-7184)" [article, CVE-2017-7184]

2019: "Analysis of Escalation Vulnerability Caused by Integer Extension of Linux ebpf Module (CVE-2017-16995)" [article, CVE-2017-16995]

2019: "Linux kernel 4.20 BPF integer overflow vulnerability analysis" [article]

2018: "Linux kernel 4.20 BPF integer overflow-heap overflow vulnerability and its exploitation" [article]

2018: "CVE-2017-11176: A step-by-step Linux Kernel exploitation" [article, CVE-2017-11176]

2018: "A cache invalidation bug in Linux memory management" by Jann Horn [article, CVE-2018-17182]

2018, beVX: "Dissecting a 17-year-old kernel bug" by Vitaly Nikolenko [slides, CVE-2018-6554, CVE-2018-6555]

2018: "SSD Advisory – IRDA Linux Driver UAF" [article, CVE-2018-6554, CVE-2018-6555]

2018: "Integer overflow in Linux's create_elf_tables()" [announcement, CVE-2018-14634]

2018: "MMap Vulnerabilities – Linux Kernel" [article, CVE-2018-8781]

2018: "Ubuntu kernel eBPF 0day analysis" [article, CVE-2017-16995]

2018: "eBPF and Analysis of the get-rekt-linux-hardened.c Exploit for CVE-2017-16995" [article, CVE-2017-16995]

2017: "Linux kernel: CVE-2017-1000112: Exploitable memory corruption due to UFO to non-UFO path switch" by Andrey Konovalov [announcement, CVE-2017-1000112]

2017: "Linux Kernel Vulnerability Can Lead to Privilege Escalation: Analyzing CVE-2017-1000112" by Krishs Patil [article, CVE-2017-1000112]

2017: "Adapting the POC for CVE-2017-1000112 to Other Kernels" [article, CVE-2017-1000112]

2017: "The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel" by Di Shen [slides, CVE-2017-0403, CVE-2016-6787] [video]

2017: "Exploiting CVE-2017-5123 with full protections. SMEP, SMAP, and the Chrome Sandbox!" by Chris Salls [article, CVE-2017-5123]

2017: "Exploiting CVE-2017-5123" by Federico Bento [article, CVE-2017-5123]

2017: "Escaping Docker container using waitid() – CVE-2017-5123" by Daniel Shapira [article, CVE-2017-5123]

2017: "LKE v4.13.x - waitid() LPE" by HyeongChan Kim [article, CVE-2017-5123]

2017: "Exploiting on CVE-2016-6787" [article, CVE-2016-6787]

2017: "Race For Root: The Analysis Of The Linux Kernel Race Condition Exploit" by Alexander Popov [video, CVE-2017-2636]

2017: "Race For Root: The Analysis Of The Linux Kernel Race Condition Exploit" by Alexander Popov [slides, CVE-2017-2636]

2017: "CVE-2017-2636: exploit the race condition in the n_hdlc Linux kernel driver bypassing SMEP" by Alexander Popov [article, CVE-2017-2636]

2017: "CVE-2017-2636: local privilege escalation flaw in n_hdlc" by Alexander Popov [announcement, CVE-2017-2636]

2017: "Dirty COW and why lying is bad even if you are the Linux kernel" [article, CVE-2016-5195]

2017: "NDAY-2017-0103: Arbitrary kernel write in sys_oabi_epoll_wait" by Zuk Avraham [article, CVE-2016-3857]

2017: "NDAY-2017-0106: Elevation of Privilege in NVIDIA nvhost-vic driver" by Zuk Avraham [article, CVE-2016-2434]

2017: "PWN2OWN 2017 Linux kernel privilege escalation analysis" [article, CVE-2017-7184]

2017: "Exploiting the Linux kernel via packet sockets" by Andrey Konovalov [article, CVE-2017-7308]

2017: "NDAY-2017-0105: Elevation of Privilege Vulnerability in MSM Thermal Drive" by Zuk Avraham [article, CVE-2016-2411]

2017: "NDAY-2017-0102: Elevation of Privilege Vulnerability in NVIDIA Video Driver" by Zuk Avraham [article, CVE-2016-2435]

2017: "CVE-2017-6074: DCCP double-free vulnerability (local root)" by Andrey Konovalov [announcement, CVE-2017-6074]

2016: "CVE-2016-8655 Linux af_packet.c race condition (local root)" by Philip Pettersson [announcement, CVE-2016-8655]

2016, Black Hat: "Rooting Every Android From Extension To Exploitation" by Di Shen and James Fang [slides, CVE-2015-0570, CVE-2016-0820, CVE-2016-2475, CVE-2016-8453]

2016: "Talk is Cheap, Show Me the Code" by James Fang, Di Shen and Wen Niu [slides, CVE-2015-1805]

2016: "CVE-2016-3873: Arbitrary Kernel Write in Nexus 9" by Sagi Kedmi [article, CVE-2016-3873]

2016, Project Zero: "Exploiting Recursion in the Linux Kernel" by Jann Horn [article, CVE-2016-1583]

2016: "ANALYSIS AND EXPLOITATION OF A LINUX KERNEL VULNERABILITY (CVE-2016-0728)" By Perception Point Research Team [article, CVE-2016-0728]

2016: "CVE-2016-0728 Exploit Code Explained" by Shilong Zhao [article, CVE-2016-0728]

2016: "CVE-2016-0728 vs Android" by Collin Mulliner [article, CVE-2016-0728]

2016: "Notes about CVE-2016-7117" by Lizzie Dixon [article, CVE-2016-7117]

2016: "CVE-2016-2384: exploiting a double-free in the usb-midi linux kernel driver" by Andrey Konovalov [article, CVE-2016-2384]

2016: "CVE-2016-6187: Exploiting Linux kernel heap off-by-one" by Vitaly Nikolenko [article, CVE-2016-6187]

2016: "CVE-2014-2851 group_info UAF Exploitation" by Vitaly Nikolenko [article, CVE-2014-2851]

2016, HITB Ams: "Perf: From Profiling To Kernel Exploiting" by Wish Wu [slides, CVE-2016-0819]

2016, HITB Ams: "Perf: From Profiling To Kernel Exploiting" by Wish Wu [video, CVE-2016-0819]

2016: "QUADROOTER: NEW VULNERABILITIES AFFECTING OVER 900 MILLION ANDROID DEVICES" [article, CVE-2016-2503, CVE-2016-2504, CVE-2016-2059, CVE-2016-5340]

2016, DEF CON: "STUMPING THE MOBILE CHIPSET: New 0days from down under" by Adam Donenfeld [slides, CVE-2016-2503, CVE-2016-2504, CVE-2016-2059, CVE-2016-5340]

2015: "Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)" by Gal Beniamini [article, CVE-2014-4322]

2015: "Exploiting "BadIRET" vulnerability" by Rafal Wojtczuk [article, CVE-2014-9322]

2015: "Follow-up on Exploiting "BadIRET" vulnerability (CVE-2014-9322)" by Adam Zabrocki [article, CVE-2014-9322]

2015, Black Hat: "Ah! Universal Android Rooting Is Back" by Wen Xu [whitepaper, CVE-2015-3636]

2015, Black Hat: "Ah! Universal Android Rooting Is Back" by Wen Xu [slides, CVE-2015-3636]

2015, Black Hat: "Ah! Universal Android Rooting Is Back" by Wen Xu [video, CVE-2015-3636]

2015: "When is something overflowing" by Keen Team [slides]

2015, Project Zero: "Exploiting the DRAM rowhammer bug to gain kernel privileges" by Mark Seaborn and Thomas Dullien [article, rowhammer]

2015: "CVE-2014-4943 - PPPoL2TP DoS Analysis" by Vitaly Nikolenko [article, CVE-2014-4943]

2015: "CVE-2015-0568: Use-After-Free Vulnerability in the Camera Driver of Qualcomm MSM 7x30" [article, CVE-2015-0568]

2014: "Exploiting CVE-2014-0196 a walk-through of the Linux pty race condition PoC" by Samuel Gross [article, CVE-2014-0196]

2014: "CVE-2014-4014: Linux Kernel Local Privilege Escalation "exploitation"" by Vitaly Nikolenko [article, CVE-2014-4014]

2014: "CVE-2014-4699: Linux Kernel ptrace/sysret vulnerability analysis" by Vitaly Nikolenko [article, CVE-2014-4699]

2014: "How to exploit the x32 recvmmsg() kernel vulnerability CVE-2014-0038" by Samuel Gross [article, CVE-2014-0038]

2014: "Exploiting the Futex Bug and uncovering Towelroot" [article, CVE-2014-3153]

2014: "CVE-2014-3153 Exploit" by Joel Eriksson [article, CVE-2014-3153]

2013: "Privilege Escalation Kernel Exploit" by Julius Plenz [article, CVE-2013-1763]

2013: "A closer look at a recent privilege escalation bug in Linux (CVE-2013-2094)" by Joe Damato [article, CVE-2013-2094]

2012: "Linux Local Privilege Escalation via SUID /proc/pid/mem Write" by Jason Donenfeld [article, CVE-2012-0056]

2011, DEF CON 19: "Kernel Exploitation Via Uninitialized Stack" by Kees Cook [slides, CVE-2010-2963]

2011, DEF CON 19: "Kernel Exploitation Via Uninitialized Stack" by Kees Cook [video, CVE-2010-2963]

2010: "CVE-2010-2963 v4l compat exploit" by Kees Cook [article, CVE-2010-2963]

2010: "Exploiting large memory management vulnerabilities in Xorg server running on Linux" by Rafal Wojtczuk [article, CVE-2010-2240]

2010: "CVE-2010-4258: Turning Denial-of-service Into Privilege Escalation" by Nelson Elhage [article, CVE-2010-4258]

2010: "CVE-2007-4573: The Anatomy of a Kernel Exploit" by Nelson Elhage [article, CVE-2007-4573]

2010: "Linux Kernel CAN SLUB Overflow" by Jon Oberheide [article, CVE-2010-2959]

2010: "af_can linux kernel overflow" by Ben Hawkes [article, CVE-2010-2959]

2010: "linux compat vulns (part 1)" by Ben Hawkes [article, CVE-2010-3081]

2010: "linux compat vulns (part 2)" by Ben Hawkes [article, CVE-2010-3301]

2010: "Some Notes on CVE-2010-3081 Exploitability" [article, CVE-2010-3081]

2010: "Anatomy of an exploit: CVE-2010-3081" [article, CVE-2010-3081]

2009: "Linux NULL pointer dereference due to incorrect proto_ops initializations (CVE-2009-2692)" [article, CVE-2009-2692]

2009: "Even when one byte matters" [article, CVE-2009-1046]

2009: "CVE-2008-0009/CVE-2008-0010: Linux kernel vmsplice(2) Privilege Escalation" [article, CVE-2008-0009, CVE-2008-0010]

2008: "vmsplice(): the making of a local root exploit" by Jonathan Corbet [article, CVE-2008-0600]

2004: "Linux kernel do_mremap VMA limit local privilege escalation vulnerability" [article, CVE-2004-0077]

RCE

2017: "Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2)" by Gal Beniamini [article, CVE-2017-0569]

2017: "BlueBorne: The dangers of Bluetooth implementations: Unveiling zero day vulnerabilities and security flaws in modern Bluetooth stacks" [whitepaper, CVE-2017-1000251]

2016: "CVE Publication: CVE-2016-8633" by Eyal Itkin [article, CVE-2016-8633]

2011, DEF CON 19: "Owned Over Amateur Radio: Remote Kernel Exploitation in 2011" [slides, CVE-2011-1493]

2011, DEF CON 19: "Owned Over Amateur Radio: Remote Kernel Exploitation in 2011" [video, CVE-2011-1493]

2009: "When a "potential D.o.S." means a one-shot remote kernel exploit: the SCTP story" [article, CVE-2009-0065]

Other

2020: "Curiosity around 'exec_id' and some problems associated with it" by Adam Zabrocki [article]

2020: "The never ending problems of local ASLR holes in Linux" [article, CVE-2019-11190]

2019: "Reverse-engineering Broadcom wireless chipsets" by Hugues Anguelkov [article, CVE-2019-9503, CVE-2019-9500]

2019: "CVE-2019-2000 - Android kernel binder vulnerability analysis" [article, CVE-2019-2000]

2019: "Linux: virtual address 0 is mappable via privileged write() to /proc/*/mem" [article, CVE-2019-9213]

2019: "CVE-2019-9213 - Analysis of Linux Kernel User Space 0 Virtual Address Mapping Vulnerability" [article, CVE-2019-9213]

2018: "IOMMU-resistant DMA attacks" by Gil Kupfer [thesis]

2017: "initroot: Bypassing Nexus 6 Secure Boot through Kernel Command-line Injection" [article, CVE-2017-1000363]

2016: "Motorola Android Bootloader Kernel Cmdline Injection Secure Boot Bypass" [article, CVE-2016-10277]

2015: "Vulnerability in the Linux Crypto API that allows unprivileged users to load arbitrary kernel modules" by Mathias Krause [announcement]

Protection Bypass Techniques

2020: "SELinux RKP misconfiguration on Samsung S20 devices" by Vitaly Nikolenko [article]

2020: "TagBleed: Breaking KASLR on the Isolated Kernel Address Space using Tagged TLBs" [paper]

2020: "Weaknesses in Linux Kernel Heap Hardening" by Silvio Cesare [article]

2020: "An Analysis of Linux Kernel Heap Hardening" by Silvio Cesare [article]

2020: "PAN: Another day, another broken mitigation" by Siguza [article]

2019, POC: "KNOX Kernel Mitigation Bypasses" by Dong-Hoon You [slides]

2017: "Lifting the (Hyper) Visor: Bypassing Samsung’s Real-Time Kernel Protection" by Gal Beniamini [article]

2016: "Linux Kernel x86-64 bypass SMEP - KASLR - kptr_restrict" [article]

2016, KIWICON: "Practical SMEP bypass techniques on Linux" by Vitaly Nikolenko [slides]

2016: "Micro architecture attacks on KASLR" by Anders Fogh [article]

2016: "Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR" by Dmitry Evtyushkin, Dmitry Ponomarev and Nael Abu-Ghazaleh [slides]

2016, CCS: "Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR" by Daniel Gruss, Clementine Maurice, Anders Fogh, Moritz Lipp and Stefan Mangard [video]

2016, Black Hat USA: "Using Undocumented CPU Behavior to See Into Kernel Mode and Break KASLR in the Process" [video]

2016, Black Hat USA: "Breaking KASLR with Intel TSX" by Yeongjin Jang, Sangho Lee and Taesoo Kim [slides]

2016, Black Hat USA: "Breaking KASLR with Intel TSX" by Yeongjin Jang, Sangho Lee and Taesoo Kim [video]

2016: "Breaking KASLR with micro architecture" by Anders Fogh [article]

2015: "Effectively bypassing kptr_restrict on Android" by Gal Beniamini [article]

2014, Black Hat Europe: "ret2dir: Deconstructing Kernel Isolation" by Vasileios P. Kemerlis, Michalis Polychronakis, Angelos D. Keromytis [paper]

2014, Black Hat Europe: "ret2dir: Deconstructing Kernel Isolation" by Vasileios Kemerlis [video]

2013: "A Linux Memory Trick" by Dan Rosenberg [article]

2011: "SMEP: What is It, and How to Beat It on Linux" by Dan Rosenberg [article]

2009: "Bypassing Linux' NULL pointer dereference exploit prevention (mmap_min_addr)" [article]

Defensive

2020, OSTconf: "LKRG IN A NUTSHELL" by Adam Zabrocki [slides]

2020, Linux Plumbers: "syzkaller / sanitizers: status update" by Dmitry Vyukov [slides] [video]

2020, Linux Plumbers: "Following the Linux Kernel Defence Map" by Alexander Popov [slides] [video]

2020: "Memory Tagging for the Kernel: Tag-Based KASAN" by Andrey Konovalov [slides] [video]

2020: "10 Years of Linux Security - A Report Card" by Bradley Spengler [slides] [video]

2020, linux.conf.au: "Control Flow Integrity in the Linux Kernel" by Kees Cook [slides] [video]

2019: "Camouflage: Hardware-assisted CFI for the ARM Linux kernel" [paper]

2019, Linux Security Summit EU: "A New Proposal for Protecting Kernel Data Memory" by Igor Stoppa [video]

2019: "security things in Linux vX.X" by Kees Cook [articles]

2019: "Control-Flow Integrity for the Linux kernel: A Security Evaluation" by Federico Manuel Bento [thesis]

2019: "Kernel Self-Protection Project" by Kees Cook [slides]

2019: "Touch but don’t look - Running the Kernel in Execute-only memory" by Rick Edgecombe [slides]

2019: "Breaking and Protecting Linux Kernel Stack" by Elena Reshetova [video]

2019: "Making C Less Dangerous in the Linux Kernel" by Kees Cook [slides]

2019: "Mitigation for the Kernel Space Mirroring Attack" (in Chinese) [article]

2018: "The State of Kernel Self Protection" by Kees Cook [slides]

2018: "Android Kernel Control Flow Integrity Analysis" (in Chinese) [article]

2018: "Overview and Recent Developments: Kernel Self-Protection Project" by Kees Cook [slides]

2018, beVX: "The Last Man Standing: The Only Practical, Lightweight and Hypervisor-Based Kernel Protector Struggling with the Real World Alone" by Seunghun Han [video]

2018, CONFidence: "Linux Kernel Runtime Guard (LKRG) under the hood" by Adam "pi3" Zabrocki [slides] [video]

2018: "GuardION: Practical Mitigation of DMA-based Rowhammer Attacks on ARM" [paper]

2018, BlackHat: "kR^X: Comprehensive Kernel Protection Against Just-In-Time Code Reuse" [video]

2018: "KASR: A Reliable and Practical Approach to Attack Surface Reduction of Commodity OS Kernels" [paper]

2018, Linux Conf AU: "The State of Kernel Self Protection" by Kees Cook [slides]

2017: "kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse" [paper]

2017, Linux Piter: "How STACKLEAK improves Linux kernel security" by Alexander Popov [slides]

2017, HitB: "Shadow-Box: The Practical and Omnipotent Sandbox" by Seunghun Han [slides]

2017: "Towards Linux Kernel Memory Safety" [paper]

2017: "Proposal of a Method to Prevent Privilege Escalation Attacks for Linux Kernel" [slides]

2017: "Linux Kernel Self Protection Project" by Kees Cook [slides]

2017: "PT-Rand: Practical Mitigation of Data-only Attacks against Page Tables" [paper]

2017: "KASLR is Dead: Long Live KASLR" [paper]

2017: "Honey, I shrunk the attack surface – Adventures in Android security hardening" by Nick Kralevich [video]

2017: "Fine Grained Control-Flow Integrity for The Linux Kernel" by Sandro Rigo, Michalis Polychronakis, Vasileios Kemerlis [slides]

2016: "Thwarting unknown bugs: hardening features in the mainline Linux kernel" by Mark Rutland [slides]

2016: "Emerging Defense in Android Kernel" by James Fang [article]

2016: "Randomizing the Linux kernel heap freelists" by Thomas Garnier [article]

2015: "RAP: RIP ROP" [slides]

2015: "Protecting Commodity Operating Systems through Strong Kernel Isolation" by Vasileios Kemerlis [paper]

2014: "Kernel Self-Protection through Quantified Attack Surface Reduction" by Anil Kurmus [paper]

2013: "KASLR: An Exercise in Cargo Cult Security" by Brad Spengler [article]

2012: "How do I mitigate against NULL pointer dereference vulnerabilities?" by Red Hat [article]

2011: "Linux kernel vulnerabilities: State-of-the-art defenses and open problems" [paper]

2009, Phrack: "Linux Kernel Heap Tampering Detection" by Larry Highsmith [article]

Vulnerability Discovery

2020: "Fuzzing the Linux kernel (x86) entry code, Part 1 of 3" by Vegard Nossum [article]

2020: "Fuzzing the Linux kernel (x86) entry code, Part 2 of 3" by Vegard Nossum [article]

2020: "Fuzzing the Linux kernel (x86) entry code, Part 3 of 3" by Vegard Nossum [article]

2020, Linux Plumbers: "Data-race detection in the Linux kernel" by Marco Elver [slides] [video]

2020: "harbian-qa: State-based target directed fuzzer based on syzkaller" [article]

2020: "Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints" [paper] [slides]

2020: "Using syzkaller, part 1: Fuzzing the Linux kernel" by Andre Almeida [article]

2020: "Using syzkaller, part 2: Detecting programming bugs in the Linux kernel" by Andre Almeida [article]

2020: "Using syzkaller, part 3: Fuzzing your changes" by Andre Almeida [article]

2020: "Using syzkaller, part 4: Driver fuzzing" by Andre Almeida [article]

2020: "HFL: Hybrid Fuzzing on the Linux Kernel" [paper]

2020: "Effective Detection of Sleep-in-atomic-context Bugs in the Linux Kernel" [paper]

2020: "KRACE: Data Race Fuzzing for Kernel File Systems" [paper] [video]

2020: "USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation" by Hui Peng and Mathias Payer [paper]

2020: "KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities" [paper]

2020: "Analyzing the Linux Kernel in Userland with AFL and KLEE" [article]

2019: "Industry Practice of Coverage-Guided Enterprise Linux Kernel Fuzzing" [paper]

2019: "Effective Static Analysis of Concurrency Use-After-Free Bugs in Linux Device Drivers" [paper]

2019: "A gentle introduction to Linux Kernel fuzzing" by Marek Majkowski [article]

2019: "Unicorefuzz: On the Viability of Emulation for Kernelspace Fuzzing" [paper]

2019: "Case study: Searching for a vulnerability pattern in the Linux kernel" by Alexander Popov [article]

2019: "Razzer: Finding Kernel Race Bugs through Fuzzing" [video]

2019: "Fuzzing File Systems via Two-Dimensional Input Space Exploration" [paper]

2019: "PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary" [paper]

2019: "Hourglass Fuzz: A Quick Bug Hunting Method" [slides]

2018: "RAZZER: Finding Kernel Race Bugs through Fuzzing" [paper]

2018: "FastSyzkaller: Improving Fuzz Efficiency for Linux Kernel Fuzzing" [paper]

2018: "Writing the worlds worst Android fuzzer, and then improving it" by Brandon Falk [article]

2018: "From Thousands of Hours to a Couple of Minutes: Towards Automating Exploit Generation for Arbitrary Types of Kernel Vulnerabilities" [slides] [paper]

2018: "MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation" [paper]

2018: "Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking" by Mateusz Jurczyk [paper]

2018, BlackHat: "New Compat Vulnerabilities In Linux Device Drivers" [slides]

2018: "Precise and Scalable Detection of Double-Fetch Bugs in OS Kernels" [paper]

2018, OffensiveCon: "Concolic Testing for Kernel Fuzzing and Vulnerability Discovery" by Vitaly Nikolenko [video]

2017: "KernelMemorySanitizer (KMSAN)" by Alexander Potapenko [slides]

2017: "The android vulnerability discovery in SoC" by Yu Pan and Yang Dai [slides]

2017, Black Hat USA: "Evolutionary Kernel Fuzzing" by Richard Johnson [slides]

2017: "DIFUZE: Interface Aware Fuzzing for Kernel Drivers" [slides] [paper]

2017, CCS: "SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits" [paper]

2017, USENIX: "kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels" [paper]

2017, USENIX: "How Double-Fetch Situations turn into Double-Fetch Vulnerabilities: A Study of Double Fetches in the Linux Kernel" [paper]

2017, USENIX: "DR. CHECKER: A Soundy Analysis for Linux Kernel Drivers" [paper]

2016: "Using Static Checking To Find Security Vulnerabilities In The Linux Kernel" by Vaishali Thakkar [slides]

2016: "UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages" [paper]

2016: "An Analysis on the Impact and Detection of Kernel Stack Infoleaks" [paper]

2016, Linux Plumbers: "Syzkaller, Future Development" by Dmitry Vyukov [slides]

2016: "Coverage-guided kernel fuzzing with syzkaller" [article]

2016: "Filesystem Fuzzing with American Fuzzy Lop" by Vegard Nossum and Quentin Casasnovas [slides]

2016, ToorCon: "Project Triforce: AFL + QEMU + kernel = CVEs! (or) How to use AFL to fuzz arbitrary VMs" [slides]

2015, LinuxCon North America: "KernelAddressSanitizer (KASan): a fast memory error detector for the Linux kernel" by Andrey Konovalov [slides]

2015, DEF CON 23: "Introduction to USB and Fuzzing" by Matt DuHarte [video]

2015, Black Hat: "Don't Trust Your USB! How to Find Bugs in USB Device Drivers" by Sergej Schumilo, Ralf Spenneberg, and Hendrik Schwartke [video]

2012: "Comprehensive Kernel Instrumentation via Dynamic Binary Translation" [paper]

2010: "Automatic Bug-finding Techniques for Linux Kernel" by Jiri Slaby [paper]

2003, DEF CON 11: "Opensource Kernel Auditing and Exploitation" by Silvio Cesare [video]

Fuzzers

https://github.com/google/syzkaller

https://github.com/kernelslacker/trinity

http://web.eece.maine.edu/~vweaver/projects/perf_events/fuzzer/

https://github.com/nccgroup/TriforceLinuxSyscallFuzzer

https://github.com/oracle/kernel-fuzzing

https://github.com/rgbkrk/iknowthis

https://github.com/schumilo/vUSBf

https://github.com/ucsb-seclab/difuze

https://github.com/compsec-snu/razzer [race-condition]

https://github.com/fgsect/unicorefuzz

https://github.com/shankarapailoor/moonshine [corpus-generation]

Exploits

https://www.exploit-db.com/search/?action=search&description=linux+kernel

https://github.com/offensive-security/exploit-database/tree/master/platforms/linux/local

https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=linux+kernel&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=ids

http://vulnfactory.org/exploits/ [2010-2011]

https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs

https://github.com/ScottyBauer/Android_Kernel_CVE_POCs

https://github.com/f47h3r/hackingteam_exploits

https://github.com/xairy/kernel-exploits

https://github.com/milabs/kernel-exploits/blob/master/CVE-2017-1000112/poc.c (CVE-2017-1000112 exploit with LKRG bypass)

https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack

https://github.com/SecWiki/linux-kernel-exploits

https://grsecurity.net/~spender/exploits/

https://github.com/jiayy/android_vuln_poc-exp

https://github.com/marsyy/littl_tools/tree/master/bluetooth

https://github.com/nongiach/CVE/tree/master/CVE-2017-5123

http://seclists.org/fulldisclosure/2010/Sep/268

https://github.com/hardenedlinux/offensive_poc

https://github.com/brl/grlh

https://github.com/externalist/exploit_playground

https://github.com/ww9210/Linux_kernel_exploits [FUZE]

https://github.com/ww9210/kepler-cfhp [KEPLER]

https://github.com/yzimhao/godpock

https://github.com/packetforger/localroot

http://www.cs.columbia.edu/~vpk/research/ret2dir/

https://github.com/w0lfzhang/kernel_exploit

https://github.com/jinb-park/linux-exploit

https://github.com/bcoles/kernel-exploits

https://github.com/jollheef/lpe

https://github.com/tangsilian/android-vuln

https://github.com/grant-h/qu1ckr00t

https://github.com/kangtastic/cve-2019-2215

https://github.com/QuestEscape/exploit

https://github.com/duasynt/xfrm_poc

https://github.com/snorez/exploits/blob/master/xfrm_poc_RE_challenge/lucky0_RE.c

https://github.com/saelo/cve-2014-0038

https://github.com/bluefrostsecurity/CVE-2020-0041/

https://github.com/chompie1337/s8_2019_2215_poc/

https://github.com/c3r34lk1ll3r/CVE-2017-5123

Tools

https://github.com/jonoberheide/ksymhunter

https://github.com/jonoberheide/kstructhunter

https://github.com/ngalongc/AutoLocalPrivilegeEscalation

https://github.com/PenturaLabs/Linux_Exploit_Suggester

https://github.com/jondonas/linux-exploit-suggester-2

https://github.com/mzet-/linux-exploit-suggester

https://github.com/spencerdodd/kernelpop

https://github.com/vnik5287/kaslr_tsx_bypass

http://www.openwall.com/lkrg/

https://github.com/IAIK/meltdown

https://github.com/nforest/droidimg

https://github.com/a13xp0p0v/kconfig-hardened-check

https://github.com/PaoloMonti42/salt

https://github.com/jollheef/out-of-tree

https://github.com/elfmaster/kdress

https://github.com/mephi42/ida-kallsyms/

KASLD: Kernel Address Space Layout Derandomization

https://github.com/IntelLabs/kAFL/

https://github.com/securesystemslab/agamotto

CTF Tasks

CSAW CTF 2010: writeup, source, source and exploit

CSAW CTF 2011: writeup, source

CSAW CTF 2013: writeup, source and exploit

CSAW CTF 2014: source and exploit

CSAW CTF 2015: writeup 1, writeup 2, source and exploit

Insomni’hack finals 2015: writeup, source and exploit

rwth2011 CTF (ps3game): writeup

PlaidCTF 2013 (Servr): writeup, source

0ctf2016: writeup, exploit

0ctf2017: source and exploit 1, source and exploit 2

0ctf2018: writeup 1, writeup 2

QWB2018 (solid_core): writeup, exploit 1, exploit 2, exploit 3

Blaze2018 (blazeme): source and exploit 1, source and exploit 2

TCTF 2017 (cred_jar): writeup

N1CTF 2018: writeup

Sharif CTF 2018 (kdb): writeup, source and exploit

NCSTISC 2018 (babydriver): writeup, source and exploit

TWCTF 2018 (ReadableKernelModule): writeup

SECT CTF 2018 (Gh0st): writeup

WCTF 2018 (cpf): source, writeup, and exploit

hxp CTF 2018 (Green Computing): writeup

Insomni'hack teaser 2019 (1118daysober): writeup 1, writeup 2

Security Fest 2019 (brainfuck64): writeup

TokyoWesterns CTF 2019 (gnote): writeup, video part 1, part 2

Balsn CTF 2019 (KrazyNote): exploit

HITCON CTF Quals 2019 (PoE): source and exploit

r2con CTF 2019: source, exploit and writeup

De1CTF 2019 (Race): writeup and exploit

zer0pts CTF 2020 (meow): writeup

DEF CON CTF Qualifier 2020 (keml): source, exploit

DEF CON CTF Qualifier 2020 (fungez): source, exploit and writeup

ASIS CTF 2020 (Shared House): writeup

Misc

2020: "Android / Linux SLUB aliasing for general- and special-purpose caches" by Vitaly Nikolenko [video]

pwnable.kr tasks (syscall, rootkit, softmmu, towelroot, kcrc, exynos)

RPISEC kernel labs

https://github.com/Fuzion24/AndroidKernelExploitationPlayground

https://github.com/ReverseLab/kernel-pwn-challenge

https://github.com/djrbliss/libplayground

https://github.com/hackedteam

https://github.com/mncoppola/Linux-Kernel-CTF

https://crowell.github.io/blog/2014/11/24/hosting-a-local-kernel-ctf-challenge/

https://github.com/ukanth/afwall/wiki/Kernel-security

https://github.com/a13xp0p0v/linux-kernel-defence-map

https://github.com/kmcallister/alameda

https://github.com/01org/jit-spray-poc-for-ksp

https://forums.grsecurity.net/viewforum.php?f=7

https://grsecurity.net/research.php

https://github.com/yrp604/atc-sources

https://www.linuxkernelcves.com/

https://github.com/jameshilliard/linux-grsec/

https://github.com/a13xp0p0v/kernel-hack-drill

https://github.com/vnik5287/kernel_rop

https://github.com/R3x/How2Kernel

https://www.twitch.tv/dayzerosec/videos?filter=all&sort=time

https://github.com/pr0cf5/kernel-exploit-practice

https://github.com/milabs/lkrg-bypass
