• This project was made for the Operating Systems laboratory from the University of Bucharest
• It is based on the Linux Kernel 6.0.6
• Contains the kernel patch, building and debugging config files and 3 userland programs
• The code for the syscall can be located in dfsproc directory

• PART I : Building the kernel and testing environment with buildroot
• PART II : Debugging the kernel
• PART III : Userland applications

Use the patch file inluded in dfsproc.patch by issuing this command in the linux kernel source code directory

patch -p1 < dfsproc.path

If you want to replicate my local testing environment with Qemu, buildroot and the kernel build for debugging, then follow these 2 steps (this tutorial will assume you have completed this step, otherwise you are free to choose your own options):

1. Place the optional/kernel/.config file for kernel config in your linux kernel source code directory.
2. For buildroot there is a configuration file that you should place into your buildroot directory. The file is located at optional/buildroot/.config

Issue the following commands

1. For building the .config file

make menuconfig

2. For building the kernel

make -j $(nproc)

3. For building the modules

make modules -j $(nproc)

This section is a more streamlined (and less flexible) version of the tutorial found here: https://www.nullbyte.cat/post/linux-kernel-exploit-development-environment/. At the end there is an optional bash script that executes qemu with all of the needed parameters

Replace /path_to_buildroot with your own path to the buildroot directory.

1. Configure buildroot

make menuconfig

2. Add overlay directories

mkdir /path_to_buildroot/buildroot/overlay/etc/

3. Add this text to a new file in /path_to_buildroot/buildroot/overlay/etc/shadow (the default user:password will be root:root and user:user)

root:$5$AQRgXbdJ$eCko6aRPrhOBegsJGLy36fmmrheNtfkUMBjlKPWEXW9:10000:0:99999:7:::
daemon:*:10933:0:99999:7:::
bin:*:10933:0:99999:7:::
sys:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
mail:*:10933:0:99999:7:::
www-data:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody:*:10933:0:99999:7:::
user:$5$QAucgwIL$onnijv2MwdMD.Jze4LgPx7z3kksIjU18y3jffH2urv3:10000:0:99999:7:::

4. Add the home folder for the user "user"

mkdir -p /path_to_buildroot/buildroot/overlay/home/user

5. Set the permissions to the device table

echo -e '/home/user\td\t755\t1000\t100\t-\t-\t-\t-\t-' >> /path_to_buildroot/buildroot/system/device_table.txt

For installing the modules with buildroot

make modules_install INSTALL_MOD_PATH=/path_to_buildroot/buildroot/overlay -j $(nproc)

Use the following commands

make source
make -j $(nproc)

Copy and modify the paths in the optional/start file and run it. I suggest keeping buildroot and the linux kernel in the same directory for simplicity.

./start

This file will start buildroot within a terminal

Connect to the user account using the user password

ssh -p 2222 user@localhost -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no

Please use -no-pie and --static for C

As an example we'll take the florin/f1_c.c file.

gcc f1_c.c -o f1 --static -no-pie

scp -P 2222 f1 user@localhost:/home/user/

To start debugging issue this command:

gdb linux-6.0.6/vmlinux

To connect to the server issue this command inside gdb

target remote localhost:1234

To set a breakpoint inside the dfsproc system call at line 100 (change the number with the desired line)

b dfsproc/dfsproc.c:100

It should start debugging once it hits the breakpoint.

Copy the optional/.vscode directory to the linux kernel source code directory and open the kernel source code directory. Then while the kernel is loaded with buildroot set a debug point and press F5. It should start debugging once it hits the breakpoint.

My userland programs located in florin directory

Build the f1_c.c application like this

gcc f1_c.c -o f1 --static -no-pie

Copy it to the virtual machine

scp -P 2222 f1 user@localhost:/home/user/

Connect to the virtual machine either directly (not recommended) or via ssh and run

./f1

Copy libgmp.so.10 to the virtual machine

 scp -P 2222  optional/libgmp.so.10 root@localhost:/lib/libgmp.so.10

Compile the file with either stack or cabal. For cabal use:

cabal build

Copy the resulting file to the virtual machine

scp -P 2222 f2 user@localhost:/home/user/

Connect to the virtual machine either directly (not recommended) or via ssh and run

./f2

Note that it expects an input, let's say 1

Anca's userland programs located in anca directory

First application Build the a1.c application like this

gcc a1.c -o a1 --static -no-pie Copy it to the virtual machine

scp -P 2222 a1 user@localhost:/home/user/ Connect to the virtual machine either directly (not recommended) or via ssh and run

./a1