release v0.7.1: arm64-static binary + per-module arch_support
Two additions on top of v0.7.0:
1. skeletonkey-arm64-static is now published alongside the existing
x86_64-static binary. Built native-arm64 in Alpine via GitHub's
ubuntu-24.04-arm runner pool (free for public repos as of 2024).
install.sh auto-picks it based on 'uname -m'; SKELETONKEY_DYNAMIC=1
fetches the dynamic build instead. Works on Raspberry Pi 4+, Apple
Silicon Linux VMs, AWS Graviton, Oracle Ampere, Hetzner ARM, etc.
.github/workflows/release.yml refactor: the previous single
build-static-x86_64 job becomes a build-static matrix with two
entries (x86_64-static on ubuntu-latest, arm64-static on
ubuntu-24.04-arm). Both share the same Alpine container + build
recipe.
2. .arch_support field on struct skeletonkey_module — honest per-module
labeling of which architectures the exploit() body has been verified
on. Three categories:
'any' (4 modules): pwnkit, sudo_samedit, sudoedit_editor,
pack2theroot. Purely userspace; arch-independent.
'x86_64' (1 module): entrybleed. KPTI prefetchnta side-channel;
x86-only by physics. Already source-gated (returns
PRECOND_FAIL on non-x86_64).
'x86_64+unverified-arm64' (26 modules): kernel exploitation
code. The bug class is generic but the exploit primitives
(msg_msg sprays, finisher chain, struct offsets) haven't been
confirmed on arm64. detect() still works (just reads ctx->host);
only the --exploit path is in question.
--list now has an ARCH column (any / x64 / x64?) and the footer
prints 'N arch-independent (any)'.
--module-info prints 'arch support: <value>'.
--scan --json adds 'arch_support' to each module record.
This is the honest 'arm64 works for detection on every module +
exploitation on 4 of them today; the rest await empirical arm64
sweep' framing — not pretending the kernel exploits already work
there, but not blocking the arm64 binary on that either. arm64
users get the full triage workflow + a handful of userspace exploits
out of the box, plus a clear roadmap for the rest.
Future work to promote modules from 'x86_64+unverified-arm64' to
'any': add an arm64 Vagrant box (generic/debian12-arm64 etc.) to
tools/verify-vm/ and run a verification sweep on Apple Silicon /
ARM Linux hardware.
This commit is contained in:
+34
-9
@@ -35,7 +35,7 @@
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#define SKELETONKEY_VERSION "0.7.0"
|
||||
#define SKELETONKEY_VERSION "0.7.1"
|
||||
|
||||
static const char BANNER[] =
|
||||
"\n"
|
||||
@@ -216,6 +216,13 @@ static void emit_module_json(const struct skeletonkey_module *m, bool include_ru
|
||||
free(op);
|
||||
}
|
||||
|
||||
/* Architecture support for the exploit body. */
|
||||
if (m->arch_support) {
|
||||
char *a = json_escape(m->arch_support);
|
||||
fprintf(stdout, ",\"arch_support\":\"%s\"", a ? a : "");
|
||||
free(a);
|
||||
}
|
||||
|
||||
/* Empirical verification records: (distro, kernel, date) tuples
|
||||
* where the module's detect() was confirmed against a real target. */
|
||||
size_t nv = 0;
|
||||
@@ -272,27 +279,43 @@ static int cmd_list(const struct skeletonkey_ctx *ctx)
|
||||
fprintf(stdout, "]}\n");
|
||||
return 0;
|
||||
}
|
||||
fprintf(stdout, "%-20s %-18s %-3s %-3s %-25s %s\n",
|
||||
"NAME", "CVE", "KEV", "VFY", "FAMILY", "SUMMARY");
|
||||
fprintf(stdout, "%-20s %-18s %-3s %-3s %-25s %s\n",
|
||||
"----", "---", "---", "---", "------", "-------");
|
||||
size_t n_kev = 0, n_vfy = 0;
|
||||
/* The ARCH column shows where exploit() is known/expected to work:
|
||||
* "any" → userspace or arch-agnostic kernel primitive
|
||||
* "x64" → x86_64 only (entrybleed)
|
||||
* "x64?" → x86_64 verified, arm64 untested (the honest default
|
||||
* for kernel modules that haven't been arm64-confirmed) */
|
||||
fprintf(stdout, "%-20s %-18s %-3s %-3s %-5s %-25s %s\n",
|
||||
"NAME", "CVE", "KEV", "VFY", "ARCH", "FAMILY", "SUMMARY");
|
||||
fprintf(stdout, "%-20s %-18s %-3s %-3s %-5s %-25s %s\n",
|
||||
"----", "---", "---", "---", "----", "------", "-------");
|
||||
size_t n_kev = 0, n_vfy = 0, n_any = 0;
|
||||
for (size_t i = 0; i < n; i++) {
|
||||
const struct skeletonkey_module *m = skeletonkey_module_at(i);
|
||||
const struct cve_metadata *md = cve_metadata_lookup(m->cve);
|
||||
bool in_kev = md && md->in_kev;
|
||||
bool verified = verifications_module_has_match(m->name);
|
||||
const char *arch_abbr = "?";
|
||||
if (m->arch_support) {
|
||||
if (strcmp(m->arch_support, "any") == 0) { arch_abbr = "any"; n_any++; }
|
||||
else if (strcmp(m->arch_support, "x86_64") == 0) { arch_abbr = "x64"; }
|
||||
else { arch_abbr = "x64?"; }
|
||||
}
|
||||
if (in_kev) n_kev++;
|
||||
if (verified) n_vfy++;
|
||||
fprintf(stdout, "%-20s %-18s %-3s %-3s %-25s %s\n",
|
||||
fprintf(stdout, "%-20s %-18s %-3s %-3s %-5s %-25s %s\n",
|
||||
m->name, m->cve,
|
||||
in_kev ? "★" : "",
|
||||
verified ? "✓" : "",
|
||||
arch_abbr,
|
||||
m->family, m->summary);
|
||||
}
|
||||
fprintf(stdout, "\n%zu modules registered · %zu in CISA KEV (★) · "
|
||||
"%zu empirically verified in real VMs (✓)\n",
|
||||
n, n_kev, n_vfy);
|
||||
"%zu empirically verified in real VMs (✓) · "
|
||||
"%zu arch-independent (any)\n",
|
||||
n, n_kev, n_vfy, n_any);
|
||||
fprintf(stdout, "ARCH key: 'any' = userspace or arch-agnostic; "
|
||||
"'x64' = x86_64 only; 'x64?' = x86_64 verified, "
|
||||
"arm64 untested\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -666,6 +689,8 @@ static int cmd_module_info(const char *name, const struct skeletonkey_ctx *ctx)
|
||||
m->exploit ? "exploit " : "",
|
||||
m->mitigate ? "mitigate " : "",
|
||||
m->cleanup ? "cleanup " : "");
|
||||
if (m->arch_support)
|
||||
fprintf(stdout, "arch support: %s\n", m->arch_support);
|
||||
fprintf(stdout, "detect rules: %s%s%s%s\n",
|
||||
m->detect_auditd ? "auditd " : "",
|
||||
m->detect_sigma ? "sigma " : "",
|
||||
|
||||
Reference in New Issue
Block a user