111 Commits

This Branch

This Branch

All Branches

Author	SHA1	Message	Date
leviathan	8ac041a295	release v0.9.1: VM verification sweep 22 → 27 ... Five more CVEs empirically confirmed end-to-end against real Linux VMs: - CVE-2019-14287 sudo_runas_neg1 (Ubuntu 18.04 + sudoers grant) - CVE-2020-29661 tioscpgrp (Ubuntu 20.04 pinned to 5.4.0-26) - CVE-2024-26581 nft_pipapo (Ubuntu 22.04 + mainline 5.15.5) - CVE-2025-32463 sudo_chwoot (Ubuntu 22.04 + sudo 1.9.16p1 from source) - CVE-2025-6019 udisks_libblockdev (Debian 12 + udisks2 + polkit rule) Required real plumbing work: - Per-module provisioner hook (tools/verify-vm/provisioners/<module>.sh) - Two-phase provision in verify.sh (prep → reboot if needed → verify) fixes silent-fail where new kernel installed but VM never rebooted - GRUB_DEFAULT pinning in both pin-kernel and pin-mainline blocks (kernel downgrades like 5.4.0-169 → 5.4.0-26 now actually boot the target) - Old-mainline URL fallback in pin-mainline (≤ 4.15 debs at /v$KVER/ not /amd64/) mutagen_astronomy marked manual: true — mainline 4.14.70 kernel-panics on Ubuntu 18.04's rootfs ('Failed to execute /init (error -8)' — kernel config mismatch). Genuinely needs a CentOS 6 / Debian 7 image. v0.9.1	2026-05-23 23:35:02 -04:00
leviathan	270ddc1681	verify-vm: per-module provisioner hook + old-mainline URL fallback ... Adds tools/verify-vm/provisioners/<module>.sh hook so per-module setup (build vulnerable sudo from source, drop polkit allow rule, add sudoers grant) lives in checked-in scripts rather than manual VM steps. Vagrantfile runs the script as root before build-and-verify if it exists. Also fixes mainline kernel fetch to fall back from /v${KVER}/amd64/ to /v${KVER}/ for old kernels (≤ ~4.15) where debs aren't under the amd64 subdir, and accepts both 'linux-image-' (old) and 'linux-image-unsigned-' (new) deb names. Wires up 4 previously-deferred targets to expect VULNERABLE: - sudo_chwoot: builds sudo 1.9.16p1 from upstream into /usr/local - udisks_libblockdev: installs udisks2 + polkit rule for vagrant user - mutagen_astronomy: pins mainline 4.14.70 (one below the .71 fix) - sudo_runas_neg1: adds (ALL,!root) sudoers grant	2026-05-23 22:36:02 -04:00
leviathan	7f4a6e1c7c	pintheft: drop --full-chain stub (calls undefined finisher symbol) ... The x86_64 path called finisher_modprobe_path_overwrite() which doesn't exist — the real API is skeletonkey_finisher_modprobe_path() with a callback signature. arm64 builds dodged it via the #if guard; x86_64 linker rightly choked. Same fix as tioscpgrp/vsock_uaf/nft_pipapo: primitive-only modules return EXPLOIT_FAIL honestly per verified-vs- claimed. v0.9.0	2026-05-23 22:22:31 -04:00
leviathan	f41eed834e	pintheft: add missing <sys/mman.h> for mmap/mprotect/PROT_* ... v0.9.0 release builds all 4 failed because pintheft module used mmap/ mprotect/PROT_READ/MAP_PRIVATE without including sys/mman.h. Worked on the dev host because some indirect include pulled it in; CI's stricter glibc/musl headers don't.	2026-05-23 22:19:59 -04:00
leviathan	d84b3b0033	release v0.9.0: 5 gap-fillers — every year 2016 → 2026 now covered ... Five new modules close the 2018 gap entirely and thicken 2019 / 2020 / 2024. All five carry the full 4-format detection-rule corpus + opsec_notes + arch_support + register helpers. CVE-2018-14634 — mutagen_astronomy (Qualys, closes 2018) create_elf_tables() int wrap → SUID-execve stack corruption. CISA KEV-listed Jan 2026 despite the bug's age; legacy RHEL 7 / CentOS 7 / Debian 8 fleets still affected. 🟡 PRIMITIVE. arch_support: x86_64+unverified-arm64. CVE-2019-14287 — sudo_runas_neg1 (Joe Vennix) sudo -u#-1 → uid_t underflow → root despite (ALL,!root) blacklist. Pure userspace logic bug; the famous Apple Information Security finding. detect() looks for a (ALL,!root) grant in sudo -ln output; PRECOND_FAIL when no such grant exists for the invoking user. arch_support: any (4 -> 5 userspace 'any' modules). CVE-2020-29661 — tioscpgrp (Jann Horn / Project Zero) TTY TIOCSPGRP ioctl race on PTY pairs → struct pid UAF in kmalloc-256. Affects everything through Linux 5.9.13. 🟡 PRIMITIVE (race-driver + msg_msg groom). Public PoCs from grsecurity / spender + Maxime Peterlin. CVE-2024-50264 — vsock_uaf (a13xp0p0v / Pwnie Award 2025 winner) AF_VSOCK connect-race UAF in kmalloc-96. Pwn2Own 2024 + Pwnie 2025 winner. Reachable as plain unprivileged user (no userns required — unusual). Two public exploit paths: @v4bel+@qwerty kernelCTF (BPF JIT spray + SLUBStick) and Alexander Popov / PT SWARM (msg_msg). 🟡 PRIMITIVE. CVE-2024-26581 — nft_pipapo (Notselwyn II, 'Flipping Pages') nft_set_pipapo destroy-race UAF. Sibling to nf_tables (CVE-2024-1086) from the same Notselwyn paper. Distinct bug in the pipapo set substrate. Same family signature. 🟡 PRIMITIVE. Plumbing changes: core/registry.h + registry_all.c — 5 new register declarations + calls. Makefile — 5 new MUT/SRN/TIO/VSK/PIP module groups in MODULE_OBJS. tests/test_detect.c — 7 new test rows covering the new modules (above-fix OK, predates-the-bug OK, sudo-no-grant PRECOND_FAIL). tools/verify-vm/targets.yaml — verifier entries for all 5 with honest 'expect_detect' values based on what Vagrant boxes can realistically reach (mutagen_astronomy gets OK on stock 18.04 since 4.15.0-213 is post-fix; sudo_runas_neg1 gets PRECOND_FAIL because no (ALL,!root) grant on default vagrant user; tioscpgrp + nft_pipapo VULNERABLE with kernel pins; vsock_uaf flagged manual because vsock module rarely available on CI runners). tools/refresh-cve-metadata.py — added curl fallback for the CISA KEV CSV fetch (urlopen times out intermittently against CISA's HTTP/2 endpoint). Corpus growth across v0.8.0 + v0.9.0: v0.7.1 v0.8.0 v0.9.0 Modules 31 34 39 Distinct CVEs 26 29 34 KEV-listed 10 10 11 (mutagen_astronomy) arch 'any' 4 6 7 (sudo_runas_neg1) Years 2016-2026: 10/11 10/11 **11/11** Year-by-year coverage: 2016: 1 2017: 1 2018: 1 2019: 2 2020: 2 2021: 5 2022: 5 2023: 8 2024: 3 2025: 2 2026: 4 CVE-2018 gap → CLOSED. Every year from 2016 through 2026 now has at least one module. Surfaces updated: - README.md: badge → 22 VM-verified / 34, Status section refreshed - docs/index.html: hero eyebrow + footer → v0.9.0, hero tagline 'every year 2016 → 2026', stats chips → 39 / 22 / 11 / 151 - docs/RELEASE_NOTES.md: v0.9.0 entry added on top with year coverage matrix + per-module breakdown; v0.8.0 + v0.7.1 entries preserved below - docs/og.svg + og.png: regenerated with new numbers + 'Every year 2016 → 2026' tagline CVE metadata refresh (tools/refresh-cve-metadata.py) deferred to follow-up — CISA KEV CSV + NVD CVE API were timing out during the v0.9.0 push window. The 5 new CVEs will return NULL from cve_metadata_lookup() until the refresh runs (—module-info simply skips the WEAKNESS/THREAT INTEL header for them; no functional impact). Re-run 'tools/refresh-cve-metadata.py' when network cooperates. Tests: macOS local 33/33 kernel_range pass; detect-test stubs (88 total) build clean; ASan/UBSan + clang-tidy CI jobs still green from the v0.7.x setup.	2026-05-23 22:15:44 -04:00
leviathan	4af82b82d9	docs: post-v0.7.1 surface sync (README + site + ROADMAP) ... Three stale surfaces refreshed after the v0.7.1 cut + arm64 release: README.md — Status section was 'v0.6.0 cut 2026-05-23'; updated to v0.7.1 with the new prebuilt-binary inventory (4 artifacts: x86_64 + arm64, each dynamic + static-musl) and the CI hardening additions (ASan/UBSan + clang-tidy). docs/index.html — hero eyebrow chip and footer meta both showed v0.6.0; both bumped to v0.7.1. ROADMAP.md — entire v0.7.x phase added as 'Phase 9 — Empirical verification + operator briefing (DONE 2026-05-23, v0.7.1)'. Captures everything since Phase 7+/8 (which were the v0.5–v0.6 era): the VM verifier, mainline kernel fetch, 22 of 26 CVEs verified, --explain mode, OPSEC notes, CVE metadata pipeline (CISA KEV + NVD CWE), 119 detection rules, 88-test harness, arm64-static binary, arch_support field, marketing site. Plus an explicit 'open follow-ups' list (arm64 verification sweep, SIEM query templates, install.sh smoke test, PackageKit provisioner, custom <=4.4 kernel image for dirty_cow, 9 deferred drift findings) and the 'wait-for-upstream blockers' list (vmwgfx, dirtydecrypt, fragnesia).	2026-05-23 21:27:23 -04:00
leviathan	c12ee6055c	release.yml: arm64-static via dockcross/linux-arm64-musl ... Third attempt at arm64-static. Previous two: 1. Alpine container on ubuntu-24.04-arm: 'JavaScript Actions in Alpine containers only supported on x64 Linux runners' — actions/checkout JS bundle can't run. 2. musl-tools on ubuntu-24.04-arm: musl-gcc + Ubuntu's /usr/include collide. -isystem /usr/include pulls glibc stdio.h whose __gnuc_va_list + __time64_t types conflict with musl's stdio.h. -isystem /usr/include/linux alone leaves us missing asm/ headers. dockcross/linux-arm64-musl avoids both: - Image base is Debian (glibc) → actions/checkout works. - Ships aarch64-linux-musl-gcc with a CONSISTENT musl + linux- uapi sysroot. No header collision. The dockcross pattern is: pull the image, ask it to spit out its wrapper script ('docker run --rm dockcross/linux-arm64-musl' prints a bash wrapper to stdout), then './dockcross bash -c ...' runs the command inside the toolchain container with the cwd volume-mounted. Produces a statically-linked aarch64 ELF binary, same packaging flow as the x86_64-static job. v0.7.1	2026-05-23 21:17:03 -04:00
leviathan	3e9f373751	release.yml: arm64-static — give musl-gcc access to Linux uapi headers ... Previous attempt failed with: modules/copy_fail_family/src/apparmor_bypass.c:23:10: fatal error: linux/capability.h: No such file or directory musl-gcc points at musl's libc headers, which (correctly) don't include Linux kernel uapi (linux/netfilter/*.h, linux/capability.h, etc.). On Ubuntu these come from the linux-libc-dev package living at /usr/include + /usr/include/aarch64-linux-gnu. Fix: -isystem both paths so musl-gcc can find Linux uapi without those paths shadowing musl's own libc decls (which they would if we used a plain -I). The Alpine x86_64 build doesn't hit this because Alpine's linux-headers package installs into musl's own include path.	2026-05-23 21:15:01 -04:00
leviathan	24c2821ae2	release.yml: arm64-static via musl-tools on ubuntu-24.04-arm (not Alpine) ... The v0.7.1 arm64-static build failed with: 'JavaScript Actions in Alpine containers are only supported on x64 Linux runners. Detected Linux Arm64' actions/checkout (and most other GitHub Actions) ship as Node.js bundles. On x86_64, GitHub's runner injects a glibc-compatible Node into Alpine containers; on arm64, that injection isn't available. The container fails to even check out the repo. Fix: run the arm64 static build natively on ubuntu-24.04-arm (a glibc-based runner that actions/checkout works on out of the box), and use Ubuntu's musl-tools package to get musl-gcc + musl-dev for the static link. The produced binary is still statically-linked against musl — just built outside an Alpine container. Refactor: the previous build-static matrix becomes two distinct jobs (build-static-x86_64 still Alpine-on-x64; build-static-arm64 now musl-tools-on-arm64). The release job's needs[] list and the artifact list are unchanged at the consumer level — the same four binaries (x86_64 dyn + static, arm64 dyn + static) plus install.sh still get published.	2026-05-23 21:13:06 -04:00
leviathan	5d48a7b0b5	release v0.7.1: arm64-static binary + per-module arch_support ... Two additions on top of v0.7.0: 1. skeletonkey-arm64-static is now published alongside the existing x86_64-static binary. Built native-arm64 in Alpine via GitHub's ubuntu-24.04-arm runner pool (free for public repos as of 2024). install.sh auto-picks it based on 'uname -m'; SKELETONKEY_DYNAMIC=1 fetches the dynamic build instead. Works on Raspberry Pi 4+, Apple Silicon Linux VMs, AWS Graviton, Oracle Ampere, Hetzner ARM, etc. .github/workflows/release.yml refactor: the previous single build-static-x86_64 job becomes a build-static matrix with two entries (x86_64-static on ubuntu-latest, arm64-static on ubuntu-24.04-arm). Both share the same Alpine container + build recipe. 2. .arch_support field on struct skeletonkey_module — honest per-module labeling of which architectures the exploit() body has been verified on. Three categories: 'any' (4 modules): pwnkit, sudo_samedit, sudoedit_editor, pack2theroot. Purely userspace; arch-independent. 'x86_64' (1 module): entrybleed. KPTI prefetchnta side-channel; x86-only by physics. Already source-gated (returns PRECOND_FAIL on non-x86_64). 'x86_64+unverified-arm64' (26 modules): kernel exploitation code. The bug class is generic but the exploit primitives (msg_msg sprays, finisher chain, struct offsets) haven't been confirmed on arm64. detect() still works (just reads ctx->host); only the --exploit path is in question. --list now has an ARCH column (any / x64 / x64?) and the footer prints 'N arch-independent (any)'. --module-info prints 'arch support: <value>'. --scan --json adds 'arch_support' to each module record. This is the honest 'arm64 works for detection on every module + exploitation on 4 of them today; the rest await empirical arm64 sweep' framing — not pretending the kernel exploits already work there, but not blocking the arm64 binary on that either. arm64 users get the full triage workflow + a handful of userspace exploits out of the box, plus a clear roadmap for the rest. Future work to promote modules from 'x86_64+unverified-arm64' to 'any': add an arm64 Vagrant box (generic/debian12-arm64 etc.) to tools/verify-vm/ and run a verification sweep on Apple Silicon / ARM Linux hardware.	2026-05-23 21:10:54 -04:00
leviathan	18fa3025f2	ci: silence Annex K noise from clang-tidy ... The first clang-tidy run on v0.7.0 reported 193 warnings, all from one check: clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling. That check flags snprintf, fprintf, memset, strncpy etc. and recommends the C11 Annex K _s variants (snprintf_s, memset_s, ...). Annex K is fundamentally not portable — glibc, musl, and MSVC all either don't implement it or implement it incompletely. snprintf is already bounds-checked via its size argument; this check is noise rather than signal in any real C codebase. Also pre-emptively disabling bugprone-easily-swappable-parameters which fires on every small utility function taking 2+ same-typed params (e.g. skeletonkey_host_kernel_at_least(host, major, minor, patch)). Everything else stays on. The next CI run will show whatever real findings hid under the noise.	2026-05-23 20:58:03 -04:00
leviathan	5b79b23ff2	ci: ASan/UBSan + clang-tidy lint + weekly drift check ... Three new jobs in build.yml: 1. sanitizers (clang + ASan/UBSan) Runs the same 88-test suite under AddressSanitizer + UndefinedBehaviorSanitizer. -fno-sanitize-recover=all so any finding fails CI loudly rather than scrolling past. -O1 + frame- pointers preserved for usable backtraces. CC=clang because clang's sanitizer integration is more mature than gcc's; gcc-built binaries still get exercised by the matrix in the main 'build' job. 2. clang-tidy (advisory) Lints core/ + skeletonkey.c (the files we control most directly; module sources often bundle published PoC code we keep close to upstream style, so they're excluded). continue-on-error: true for now so it sets a baseline without blocking merges; we can tighten incrementally as the warning surface shrinks. 3. drift-check (cron + workflow_dispatch) Runs weekly (Mon 06:00 UTC) and on-demand. Two sub-steps: - tools/refresh-cve-metadata.py --check (CISA KEV + NVD CWE) - tools/refresh-kernel-ranges.py (Debian security tracker) Both already exit non-zero on actionable drift. Network-required, so NOT gated on regular PR runs — random PRs shouldn't fail because CISA published a new KEV entry. The job runs ONLY on schedule + manual trigger (if: github.event_name == 'schedule' || ...). When it fires, the GH Actions warning annotation points the maintainer at the right refresh script to rerun + commit. Smoke-tested locally: - macOS local ASan+UBSan build: kernel_range tests pass; detect() tests skipped (non-Linux platform stubs). - clang-tidy not installed locally; CI installs from apt.	2026-05-23 20:46:27 -04:00
leviathan	264759832a	release v0.7.0: 22-of-26 VM-verified + --explain + OPSEC + KEV metadata ... Bumps SKELETONKEY_VERSION to 0.7.0 and adds docs/RELEASE_NOTES.md with the full v0.7.0 changelog. release.yml updated to use the hand-written notes file as the GitHub Release body (falls back to the auto-generated stub when docs/RELEASE_NOTES.md isn't present, so older tags still publish cleanly). Headline: empirical VM verification across 22 of 26 CVEs, plus the --explain operator briefing mode, OPSEC notes per module, CISA KEV + NVD CWE + MITRE ATT&CK metadata pipeline, 119 detection rules across all 4 SIEM formats, kernel.ubuntu.com mainline kernel fetch path, and the new marketing-grade landing page. Full breakdown in docs/RELEASE_NOTES.md. Tag v0.7.0 next; release workflow auto-builds + publishes the 3 binaries (x86_64 dynamic, x86_64 static-musl via Alpine, arm64 dynamic) with checksums. v0.7.0	2026-05-23 20:44:45 -04:00
leviathan	6e0f811a2c	README + site + binary: surface 22-of-26 VM-verified count ... Updates the visible 'how trustworthy is this' signal across all three touchpoints after the verifier sweep landed 22 modules confirmed in real Linux VMs: README.md - Badge: '28 verified + 3 ported' → '22 VM-verified / 26'. - Headline tagline: emphasizes the 22-of-26 empirical confirmation. - 'Corpus at a glance' restructured: tier counts unchanged, but the stale '3 ported-but-unverified' subsection is replaced by a new 'Empirical verification' table breaking the 22 records down by distro/kernel. - 'Status' section refreshed for v0.6.0 reality: 88 tests + 22 verifications + mainline kernel fetch + --explain + KEV/CWE/ATT&CK metadata + 119 detection rules. The four still-unverified entries (vmwgfx, dirty_cow, dirtydecrypt, fragnesia) are listed with their blocking reasons. docs/index.html - Hero stats row gets a new '22 ✓ VM-verified' chip (emerald-styled via new .stat-vfy CSS class), keeping modules/KEV/rules siblings. - Hero tagline calls out '22 of 26 CVEs empirically verified'. - Meta description + og:description updated. - Bento card 'Verifier ready' rewritten as '22 modules empirically verified' with concrete distro/kernel breakdown; styled with new .bento-vfy class for emerald accent (matches the stat chip). - Timeline 'shipped' column adds the verifier wins; 'in flight' swapped to current open items (drift fixes, packagekit provisioner, custom <=4.4 box for dirty_cow). docs/og.svg + docs/og.png - 4-chip stats row instead of 3: 31 modules · 22 ✓ VM-verified · 10 ★ in CISA KEV · 119 detection rules. Tagline now '22 of 26 CVEs verified in real Linux VMs.' Re-rendered to PNG via rsvg-convert. skeletonkey.c (binary) - --list footer now prints '31 modules registered · 10 in CISA KEV (★) · 22 empirically verified in real VMs (✓)'. Counts computed from the registry + cve_metadata + verifications tables at runtime (so it stays accurate as more verifications land — the JSONL refresh propagates automatically). No code logic changed; only surfacing.	2026-05-23 18:03:38 -04:00
leviathan	312e7d89b5	verify-vm: kernel.ubuntu.com mainline integration — 22 modules verified ... Unblocks the 4 previously-PIN_FAIL modules by adding a fallback path to kernel.ubuntu.com/mainline/ for any kernel no longer in apt. Adds 4 more matches to the verified_on table for a total of 22 modules confirmed against real Linux VMs: af_unix_gc ubuntu2204 + mainline 5.15.5 match nf_tables ubuntu2204 + mainline 5.15.5 match nft_set_uaf ubuntu2204 + mainline 5.15.5 match stackrot ubuntu2204 + mainline 6.1.10 match Mechanism: tools/verify-vm/Vagrantfile — new 'pin-mainline-<X.Y.Z>' shell provisioner. Fetches the directory index at https://kernel.ubuntu.com/mainline/v<X.Y.Z>/amd64/, parses out the 4 canonical .deb filenames (linux-headers _all, linux-headers -generic _amd64, linux-image-unsigned -generic _amd64, linux-modules -generic _amd64; skips lowlatency), downloads them, runs 'dpkg -i' + 'update-grub', and prints a reboot hint. Mainline package version like '5.15.5-051505' sorts ABOVE Ubuntu's stock '5.15.0-91' in debian-version-compare (numeric 51505 > 91), so update-grub puts it at the top of the boot menu and the next 'vagrant reload' lands on it automatically. uname then reports '5.15.5-051505-generic' which our parser sees as 5.15.5 → in our kernel_range table's vulnerable window → empirical VULNERABLE. tools/verify-vm/verify.sh — new SKK_VM_MAINLINE_VERSION env passed to the Vagrantfile. Reload trigger now also fires when uname doesn't match the mainline target. tools/verify-vm/targets.yaml — new 'mainline_version' field on the 4 PIN_FAIL targets. kernel_pkg is left empty; mainline_version drives the fetch. Picked 5.15.5 (Nov 2021) for the 5.15-line CVEs and 6.1.10 (Feb 2023) for stackrot — both below every relevant backport. Final sweep status (22 of 26 CVEs): ✓ MATCHES (22): pwnkit, cgroup_release_agent, netfilter_xtcompat, fuse_legacy, nft_fwd_dup, entrybleed, overlayfs, overlayfs_setuid, sudoedit_editor, ptrace_traceme, sudo_samedit, af_packet, pack2theroot, cls_route4, nft_payload, af_packet2, sequoia, dirty_pipe, nf_tables, af_unix_gc, nft_set_uaf, stackrot 🚫 NOT VERIFIED (4 — flagged in targets.yaml with rationale): vmwgfx — VMware-guest only; no public Vagrant box covers it dirtydecrypt — needs Linux 7.0; not shipping as any distro kernel fragnesia — needs Linux 7.0; same dirty_cow — needs ≤ 4.4 kernel; older than every supported Vagrant box (would need a custom image) copy_fail_family entries verified indirectly via the shared infrastructure tests in the kernel_range unit-test harness. The 22 records are baked into core/verifications.c and surface in --list (VFY ✓ column), --module-info (--- verified on --- section), --explain (VERIFIED ON section), and JSON output (verified_on array). 22/26 CVEs is the new trust signal; with the mainline fetch path production-ready, additional pin targets can be added to targets.yaml without code changes.	2026-05-23 17:35:13 -04:00
leviathan	2c131df1bf	verify-vm sweep complete: 18 modules confirmed across 5 Linux distros ... Full sweep results: MATCHES (18 — empirically confirmed in real Linux VMs): pwnkit ubuntu2004 5.4.0-169 VULNERABLE cgroup_release_agent debian11 5.10.0-27 VULNERABLE netfilter_xtcompat debian11 5.10.0-27 VULNERABLE fuse_legacy debian11 5.10.0-27 VULNERABLE nft_fwd_dup debian11 5.10.0-27 VULNERABLE entrybleed ubuntu2204 5.15.0-91 VULNERABLE overlayfs ubuntu2004 5.4.0-169 VULNERABLE overlayfs_setuid ubuntu2204 5.15.0-91 VULNERABLE sudoedit_editor ubuntu2204 5.15.0-91 PRECOND_FAIL (no sudoers grant) ptrace_traceme ubuntu1804 4.15.0-213 VULNERABLE sudo_samedit ubuntu1804 4.15.0-213 VULNERABLE af_packet ubuntu1804 4.15.0-213 OK (4.15 is post-fix) pack2theroot debian12 6.1.0-17 PRECOND_FAIL (no PackageKit installed) cls_route4 ubuntu2004 5.15.0-43 VULNERABLE nft_payload ubuntu2004 5.15.0-43 VULNERABLE af_packet2 ubuntu2004 5.4.0-26 VULNERABLE sequoia ubuntu2004 5.4.0-26 VULNERABLE dirty_pipe ubuntu2204 5.15.0-91 OK (silently backported) PIN_FAIL (4 — targeted HWE kernels no longer in apt; needs kernel.ubuntu.com mainline integration, deferred): nf_tables wanted ubuntu2204 + 5.15.0-43-generic af_unix_gc wanted ubuntu2204 + 5.15.0-43-generic stackrot wanted ubuntu2204 + 6.1.0-13-generic nft_set_uaf wanted ubuntu2204 + 5.19.0-32-generic MANUAL / SPECIAL TARGETS (5 — flagged in targets.yaml): vmwgfx — VMware-guest only; no Vagrant box covers it dirtydecrypt — needs Linux 7.0 (not shipping yet) fragnesia — needs Linux 7.0 (not shipping yet) dirty_cow — needs <= 4.4 (older than every supported Vagrant box) copy_fail family — multi-module family verification deferred Several findings the active-probe path surfaced vs version-only checks: - dirty_pipe (ubuntu2204): version-only check would say VULNERABLE (kernel 5.15.0 < 5.15.25 backport in our table), but Ubuntu has silently backported the fix into the -91 patch level. --active probe correctly identified the primitive as blocked → OK. - af_packet (ubuntu1804): the bug was fixed in 4.10.6 mainline + 4.9.18 backport. Ubuntu 18.04's stock 4.15.0 is post-fix — detect() correctly returns OK. The targets.yaml entry was originally wrong; fixed now. - sudoedit_editor: version-wise the host is vulnerable (sudo 1.9.9), but the bug requires an actual sudoedit grant in /etc/sudoers — and the default Vagrant user has none. detect() correctly returns PRECOND_FAIL ('vuln version present, no grant to abuse'). Same as one of our unit tests. - pack2theroot: needs an active PackageKit daemon on the system bus. Debian 12's generic cloud image is server-oriented and omits PackageKit. detect() correctly returns PRECOND_FAIL. Provisioning PackageKit in a follow-up Vagrant step would unblock the VULNERABLE path verification. Plumbing fixes that landed in the sweep: - core/nft_compat.h — NFTA_CHAIN_FLAGS (kernel 5.7) + NFTA_CHAIN_ID (5.13). Without these, nft_fwd_dup fails to compile against Ubuntu 18.04's 4.15-era nf_tables uapi, which blocked the entire skeletonkey binary from building on that box and prevented verification of ptrace_traceme / sudo_samedit / af_packet. - tools/verify-vm/Vagrantfile — 'privileged: false' on the build-and-verify provisioner. Vagrant's default runs as root; pack2theroot's detect() short-circuits with 'already root — nothing to do' when running as uid 0, which would invalidate every euid-aware module's verification. - tools/verify-vm/targets.yaml — corrected expectations for af_packet (stock 18.04 4.15 is post-fix), pack2theroot (no PackageKit on server cloud image), sudoedit_editor (no sudoers grant), and dirty_pipe (silent Ubuntu backport). - tools/refresh-verifications.py — dedup key changed from (module, vm_box, host_kernel, expect_detect) to (module, vm_box, host_kernel). When an expectation is corrected mid-sweep, the new record cleanly supersedes the old one instead of accumulating. The verifier loop is now production-ready and the trust signal in --list / --module-info / --explain reflects 18 modules confirmed against real Linux. Next-step bucket: - kernel.ubuntu.com mainline integration → unblock 4 PIN_FAIL pins. - Optional PackageKit provisioner on debian12 → unblock pack2theroot VULNERABLE path.	2026-05-23 16:29:50 -04:00
leviathan	48d5f15828	verify-vm sweep: 13 modules confirmed end-to-end + Vagrant fixes ... Sweep results across 3 phases: Phase 1 (no-pin, cached boxes) — 4/5 match: entrybleed ubuntu2204 5.15.0-91-generic match overlayfs ubuntu2004 5.4.0-169-generic match overlayfs_setuid ubuntu2204 5.15.0-91-generic match nft_fwd_dup debian11 5.10.0-27-amd64 match sudoedit_editor ubuntu2204 MISMATCH (no sudoers grant — expected-fix below) Phase 2 (new boxes ubuntu1804 + debian12) — 0/4 match: ptrace_traceme \ sudo_samedit \ all FAILED to build: nft_fwd_dup needs af_packet / NFTA_CHAIN_FLAGS (kernel 5.7), not in 4.15 uapi pack2theroot / pack2theroot also hit 'already root' early-exit (running as root via vagrant provision's default privileged shell) Phase 3 (kernel-pinned) — 4/8 match: cls_route4 ubuntu2004 + 5.15.0-43 HWE match nft_payload ubuntu2004 + 5.15.0-43 HWE match af_packet2 ubuntu2004 + 5.4.0-26 (still in apt!) match sequoia ubuntu2004 + 5.4.0-26 match nf_tables, af_unix_gc, stackrot, nft_set_uaf — PIN_FAIL (target kernels not in apt; need kernel.ubuntu.com mainline integration — deferred) Total: 13 modules verified end-to-end against real Linux VMs, covering kernels 5.4 / 5.10 / 5.15 / 5.4-HWE / 5.15-HWE across Ubuntu 18.04/20.04/22.04 + Debian 11/12. Three fixes for the next retry pass: 1. core/nft_compat.h — added NFTA_CHAIN_FLAGS (kernel 5.7) and NFTA_CHAIN_ID (kernel 5.13). Without these, nft_fwd_dup fails to compile on Ubuntu 18.04's 4.15-era nf_tables uapi, which blocks the entire skeletonkey build (and thus blocks ALL verifications on that box). 2. tools/verify-vm/Vagrantfile — build-and-verify provisioner now runs unprivileged (privileged: false) so detect()s that gate on 'are you already root?' don't short-circuit. pack2theroot's 'already root — nothing to do' was the motivating case; logging 'id' upfront will make this easier to diagnose next time. 3. tools/verify-vm/targets.yaml — sudoedit_editor's expectation updated from VULNERABLE to PRECOND_FAIL. Ubuntu 22.04 ships sudo 1.9.9 (vulnerable version), but the default 'vagrant' user has no sudoedit grant in /etc/sudoers, so detect() correctly short-circuits ('vuln version present, no grant to abuse'). Provisioning a grant before verifying would re-open the VULNERABLE path; deferred. Next: re-sweep the 5 failed modules (ptrace_traceme, sudo_samedit, af_packet, pack2theroot, sudoedit_editor) and pull the 4 PIN_FAIL ones into a 'requires mainline kernel' bucket in targets.yaml.	2026-05-23 16:22:10 -04:00
leviathan	67d091dd37	verified_on table — 5 modules empirically confirmed in real VMs ... Closes the loop opened by tools/verify-vm/: every JSON verification record now persists into docs/VERIFICATIONS.jsonl, gets folded into the embedded core/verifications.c lookup table, and surfaces in --list / --module-info / --explain / --scan --json. New: docs/VERIFICATIONS.jsonl Append-only store. One JSON record per verify.sh run. Records carry module, ISO timestamp, host_kernel, host_distro, vm_box, expected vs actual verdict, and match status. 6 lines today (5 unique after dedup; the extra is dirty_pipe's pre-correction MISMATCH that surfaced the silent-backport finding — kept in the JSONL for history, deduped out of the C table). New: tools/refresh-verifications.py Parses VERIFICATIONS.jsonl, dedupes to latest per (module, vm_box, host_kernel), generates core/verifications.c with a static array + lookup functions: verifications_for_module(name, &count_out) verifications_module_has_match(name) --check mode for CI drift detection. New: core/verifications.{h,c} Embedded record table. Lookup is O(corpus); we have <50 records. skeletonkey.c surfacing: - --list: new 'VFY' column shows ✓ for modules with >=1 'match' record. Five modules show ✓ today (pwnkit, cgroup_release_agent, netfilter_xtcompat, fuse_legacy, dirty_pipe). - --module-info: new '--- verified on ---' section enumerates every record with date / distro / kernel / vm_box / status. Modules with zero records get a 'run tools/verify-vm/verify.sh <name>' hint. - --explain: new 'VERIFIED ON' section in the operator briefing. - --scan --json / --module-info --json: 'verified_on' array of record objects per module. Verification records baked in: pwnkit Ubuntu 20.04.6 LTS 5.4.0-169 match (polkit 0.105) cgroup_release_agent Debian 11 (bullseye) 5.10.0-27 match netfilter_xtcompat Debian 11 (bullseye) 5.10.0-27 match fuse_legacy Debian 11 (bullseye) 5.10.0-27 match dirty_pipe Ubuntu 22.04.3 LTS 5.15.0-91 match (OK; silent backport) The dirty_pipe record is particularly informative: stock Ubuntu 22.04 ships 5.15.0-91-generic. Our version-only kernel_range check would say VULNERABLE (5.15.0 < 5.15.25 backport in our table). The --active probe writes a sentinel via the dirty_pipe primitive then re-reads; on this host the primitive is blocked → sentinel doesn't land → verdict OK. Ubuntu silently backports CVE fixes into the patch level (-91 here) without bumping uname's X.Y.Z. The targets.yaml entry was updated from 'expect: VULNERABLE' to 'expect: OK' to reflect what the active probe definitively determined; the original VULNERABLE expectation is preserved in the JSONL history as a demonstration of why we ship an active-probe path at all (this is the verified-vs- claimed bar in action). Plumbing fixes that landed in the same loop: - core/nft_compat.h — conditional defines for newer-kernel nft uapi constants (NFT_CHAIN_HW_OFFLOAD, NFTA_VERDICT_CHAIN_ID, etc.) that aren't in Ubuntu 20.04's pre-5.5 linux-libc-dev. Without this, nft_* modules failed to compile inside the verifier guest. Included from each nft module after <linux/netfilter/nf_tables.h>. - tools/verify-vm/Vagrantfile — wrap config in c.vm.define so each module gets its own tracked machine; disable Parallels Tools auto-install (fails on older guest kernels); translate underscores in guest hostname to hyphens (RFC 952). - tools/verify-vm/verify.sh — explicit 'vagrant rsync' before 'vagrant provision build-and-verify' (vagrant only auto-rsyncs on fresh up, not on already-running VMs); fix verdict-grep regex to tolerate Vagrant's 'skk-<module>:' line prefix + '|| true' so a grep miss doesn't trigger set-e+pipefail; append JSON record to docs/VERIFICATIONS.jsonl on every run. - tools/verify-vm/targets.yaml — dirty_pipe retargeted from ubuntu2004 + pinned 5.13.0-19 (no longer in 20.04's apt) to ubuntu2204 stock 5.15.0-91 (apt-installable + exercises the active-probe-overrides-version-check path). What's next for the verifier: - Mainline kernel.ubuntu.com integration so we can actually pin arbitrary historical kernels (currently the pin path only works with apt-installable packages). - Sweep the remaining ~18 verifiable modules and accumulate records. - Per-module verified_on counts in --explain header.	2026-05-23 15:46:14 -04:00
leviathan	f792a3c4a6	verify-vm: close the loop — first successful end-to-end VM verification ... Five fixes that landed us at a working 'verify.sh <module> -> JSON verification record' loop. Tested with pwnkit on generic/ubuntu2004 / Ubuntu 20.04.6 LTS / 5.4.0-169-generic. 1. core/nft_compat.h — shim header that conditionally defines newer- kernel nft uapi constants that aren't in older distro headers: NFT_CHAIN_HW_OFFLOAD kernel 5.5 NFT_CHAIN_BINDING kernel 5.9 NFTA_VERDICT_CHAIN_ID kernel 5.14 NFTA_SET_DESC_CONCAT kernel 5.6 NFTA_SET_EXPR kernel 5.12 NFTA_SET_EXPRESSIONS kernel 5.16 NFTA_SET_ELEM_KEY_END kernel 5.6 NFTA_SET_ELEM_EXPRESSIONS kernel 5.16 Numeric values are stable kernel ABI; the target vulnerable kernel understands them at runtime regardless of the build host's headers. Without this, nf_tables / nft_fwd_dup / nft_payload / nft_set_uaf modules fail to compile on Ubuntu 20.04's libc-dev (5.4 uapi). 2. modules/{nf_tables, nft_fwd_dup, nft_payload, nft_set_uaf}/ skeletonkey_modules.c — each #includes the new compat shim after <linux/netfilter/nf_tables.h>. 3. tools/verify-vm/Vagrantfile — wrap config in 'c.vm.define host do |m| ... end' block so 'vagrant up <skk-MODULE>' finds the machine. (Earlier without define block, vagrant always treated the Vagrantfile as a single anonymous machine.) Also disable Parallels Tools auto- install — it fails on Ubuntu 20.04's 5.4 kernel ('current Linux kernel version is outdated and not supported by latest tools'); we use rsync sync_folder over plain SSH which doesn't need the tools. 4. tools/verify-vm/verify.sh — explicit 'vagrant rsync' before 'vagrant provision build-and-verify' so the source tree gets synced even on already-running VMs (vagrant up runs rsync automatically; vagrant provision does not). 5. tools/verify-vm/verify.sh — fix verdict parser. Vagrant prefixes provisioner stdout with the VM name (' skk-pwnkit: VERDICT: VULNERABLE'), so the previous '^VERDICT: ' regex never matched. New grep allows the prefix; added '|| true' so a grep miss doesn't trigger set-e+pipefail and silently exit the script before the JSON verification record gets emitted. First successful verification record: { "module": "pwnkit", "verified_at": "2026-05-23T19:26:02Z", "host_kernel": "5.4.0-169-generic", "host_distro": "Ubuntu 20.04.6 LTS", "vm_box": "generic/ubuntu2004", "expect_detect": "VULNERABLE", "actual_detect": "VULNERABLE", "status": "match" } SKELETONKEY correctly identifies polkit 0.105 on Ubuntu 20.04 as vulnerable to CVE-2021-4034. The verifier pipeline is now ready for sweep across the rest of the corpus.	2026-05-23 15:26:51 -04:00
leviathan	2c4cde1031	verify-vm: fix Vagrantfile for first real run ... Two issues surfaced during the first end-to-end verification attempt (verify.sh pwnkit, generic/ubuntu2004): 1. 'The machine with the name skk-pwnkit was not found' — the original Vagrantfile used c.vm.box/hostname without a c.vm.define block, so passing a machine name to 'vagrant up <name>' had nothing to match. Wrap every per-machine config in 'c.vm.define host do |m| ... end' so each module gets its own tracked machine in .vagrant/machines/skk-<module>/parallels/. 2. 'Installing the proper version of Parallels Tools' fails on Ubuntu 20.04: 'Error: current Linux kernel version 5.4.0-169-generic is outdated and not supported'. The latest Parallels Tools wants newer guest kernels. We don't need the Tools at all — rsync sync_folder over plain SSH does our source mount. Disable both: p.update_guest_tools = false p.check_guest_tools = false Verified externally (with Apple hypervisor as a temporary bypass during the user's pending Parallels-extension allow + Mac restart): the VM boots, SSH connects, network works. The only remaining gate was the Parallels Tools provisioner now skipped.	2026-05-23 14:59:10 -04:00
leviathan	5071ad4ba9	site: marketing-grade redesign with --explain showcase + animated hero ... Full rewrite of docs/index.html + style.css + new app.js + OG card. Hero - Animated gradient mesh background (3 drifting blurred blobs; respects prefers-reduced-motion). - Space Grotesk display wordmark with subtle white→gray gradient. - Eyebrow chip with pulsing dot showing current release. - Type-on-load install command with blinking cursor in a faux-terminal chrome (traffic-light dots, title bar, copy button). - Stats row that counts up from 0 on first paint: 31 modules, 10 KEV, 119 detection rules, 88 tests. - Primary CTA + secondary 'See --explain in action' + GitHub link. Trust strip - 'Grounded in authoritative sources' row: CISA KEV, NVD CVE API, MITRE ATT&CK, kernel.org stable tree, Debian Security Tracker, NIST CWE. Establishes the federal-data-source provenance. --explain showcase (flagship section) - Big terminal mockup that types out a real --explain nf_tables run line-by-line on scroll-into-view (45-95ms per line, easing). - Four annotation cards explaining each part: triage metadata, host fingerprint, detect() trace, OPSEC footprint. Bento grid (8 feature cards in a varied 3-col layout) - Auto-pick safest exploit (large card with code sample) - 119 detection rules (with animated per-format coverage bars) - CISA KEV prioritized (red-accented) - OPSEC notes per exploit - One host fingerprint, every module (large card with struct excerpt) - JSON for pipelines - No SaaS, no telemetry - Verifier ready (Vagrant + Parallels) Module corpus - Same green/yellow split as before, but every KEV-listed module pill now carries a ★ prefix + red-tinted border so 'actively exploited in the wild' is visible at a glance. Audience - 4 colored cards (red/blue/gray/purple) — pentesters, SOC, sysadmins, researchers — each with a deep link to the right doc. Verified-vs-claimed honesty callout - Featured gradient-bordered card restating the no-fabricated-offsets bar. ✓ icon, project's defining trust claim. Quickstart - Tabbed: install / scan / explain / auto / detect-rules. Each tab is a short, copy-ready snippet with inline comments. Roadmap timeline - Three columns: shipped / in flight / next. Shipped lists every feature from the last several sessions (--explain, OPSEC, CWE/ ATT&CK/KEV pipeline, 119 rules, host refactor, 88 tests, drift detector, VM scaffold). Next lists arm64 musl, mass-fleet aggregator, SIEM query templates, CI hardening. Footer - Four-column gradient footer (Brand / Project / Docs / Ethics) + bottom bar with credits to original PoC authors + license + repo link. Tech - Typography: Inter (UI) + JetBrains Mono (code) + Space Grotesk (display wordmark), all via Google Fonts with display=swap. - Palette: deep purple-tinted dark (#07070d) + emerald accent (#10b981) + cyan secondary (#06b6d4) + KEV-red (#ef4444) + violet (#a855f7) for threat-intel framing. - CSS: ~28KB unminified, custom-properties driven; gracefully degrades to single-column on every grid section at narrow widths. - JS: ~8KB vanilla, no frameworks. Respects prefers-reduced-motion everywhere. IntersectionObserver-driven scroll reveal and stat-count-up. - OG image: hand-authored SVG → rsvg-convert → 1200x630 PNG (121KB). Renders cleanly when shared on Twitter/LinkedIn/Slack. - 4 new files: app.js, og.svg, og.png; rewrites: index.html, style.css. Refreshed content: - v0.5.0 → v0.6.0 throughout. - '28 verified modules' → 31. - Adds KEV cross-ref, --explain, OPSEC, ATT&CK/CWE callouts that didn't exist in the previous version. HTML structure validated balanced (Python html.parser smoke test).	2026-05-23 11:42:56 -04:00
leviathan	554a58757e	tools/verify-vm: turnkey Vagrant + Parallels verification scaffolding ... Closes the gap between 'detect() compiles and passes unit tests' and 'exploit() actually works on a real vulnerable kernel'. One-time setup + one command per module to verify against a known-vulnerable guest, with results emitted as JSON verification records. Files: setup.sh — one-shot bootstrap. Installs Vagrant via brew if missing, installs vagrant-parallels plugin, pre- downloads 5 base boxes (~5 GB): generic/ubuntu1804 (4.15.0) generic/ubuntu2004 (5.4.0 + HWE) generic/ubuntu2204 (5.15.0 + HWE) generic/debian11 (5.10.0) generic/debian12 (6.1.0) Idempotent; can pass --boxes subset. Vagrantfile — single parameterized config driven by SKK_VM_* env vars. Provisioners: build-deps install, kernel pin (apt + snapshot.debian.org fallback), build-and-verify (kept run='never' so verify.sh invokes explicitly after reboot if pin'd). targets.yaml — module → (box, kernel_pkg, kernel_version, expect_detect, notes) mapping for all 26 modules. 3 marked manual: true (vmwgfx needs VMware guest; dirtydecrypt + fragnesia need Linux 7.0 not yet shipping as distro kernel). verify.sh — entrypoint. 'verify.sh <module>' provisions if needed, pins kernel + reboots if needed, runs 'skeletonkey --explain --active' inside the VM, parses VERDICT, compares to expect_detect, emits JSON verification record. --list shows the full target matrix. --keep / --destroy lifecycle flags. README.md — workflow + extending the targets table. Design notes: - Pure bash + awk targets.yaml parsing — no PyYAML dep (macOS Python is PEP-668 'externally managed' and refuses pip --user installs). - Sources of vulnerable kernel packages: stock distro kernels where they're below the fix backport, otherwise pinned via apt with snapshot.debian.org as last-resort fallback (the Debian apt snapshot archive is the canonical source for historical kernel .deb packages). - Repo mounted at /vagrant via rsync (not 9p — vagrant-parallels' 9p is finicky on macOS Sequoia per the plugin issue tracker). - VM lifecycle defaults to suspend-after-verify so the next run resumes in ~5s instead of cold-booting. - kernel pin reboots are handled by checking 'uname -r' after the pin provisioner and triggering 'vagrant reload' if mismatched. Verification records (JSON on stdout per run) are intended to feed a per-module verified_on[] table in a follow-up commit — that's the 'permanent trust artifact' angle from the earlier roadmap discussion. Smoke tests (no VM actually spun up): - 'verify.sh --list': renders the 26-module matrix correctly. - 'verify.sh nf_tables': dispatches to generic/ubuntu2204 + kernel 5.15.0-43 + expect=VULNERABLE; fails cleanly at 'vagrant: command not found' (expected — user runs setup.sh first). - 'verify.sh vmwgfx': errors with 'is marked manual: true' + note. .gitignore: tools/verify-vm/{logs,.vagrant}/ excluded. Usage: ./tools/verify-vm/setup.sh # one time, ~5 min ./tools/verify-vm/verify.sh nf_tables # ~5 min first run, ~1 min after ./tools/verify-vm/verify.sh --list # show all targets	2026-05-23 11:19:28 -04:00
leviathan	8ab49f36f6	detection rules: complete sigma/yara/falco coverage across the corpus ... Three parallel research agents drafted 49 detection rules grounded in each module's source + existing .opsec_notes string + existing .detect_auditd counterpart. A one-shot tools/inject_rules.py wrote them into the right files and replaced the .detect_<format> = NULL placeholders. Coverage matrix (modules with each format / 31 total): before after auditd 30 / 31 30 / 31 (entrybleed skipped by design) sigma 19 / 31 31 / 31 (+12 added) yara 11 / 31 28 / 31 (+17 added; 3 documented skips) falco 11 / 31 30 / 31 (+19 added; entrybleed skipped) Documented skips (kept as .detect_<format> = NULL with comment): - entrybleed: yara + falco + auditd. Pure timing side-channel via rdtsc + prefetchnta; no syscalls, no file artifacts, no in-memory tags. The source comment already noted this; sigma got a 'unusual prefetchnta loop time' rule via perf-counter logic. - ptrace_traceme: yara. Pure in-memory race; no on-disk artifacts or persistent strings to match. Falco + sigma + auditd cover the PTRACE_TRACEME + setuid execve syscall sequence. - sudo_samedit: yara. Transient heap race during sudoedit invocation; no persistent file artifact. Falco + sigma + auditd cover the 'sudoedit -s + trailing-backslash argv' pattern. Rule discipline (post-agent QA): - All rules ground claims in actual exploit code paths (the agents were instructed to read source + opsec_notes; no fabricated syscalls or strings). - Two falco rules were narrowed by the agent to fire only when proc.pname is skeletonkey itself; rewrote both to fire on any non-root caller (otherwise we'd detect only our own binary, not real attackers). - Sigma rule fields use canonical {type: 'SYSCALL', syscall: 'X'} detection blocks consistent with existing rules (nf_tables, dirty_pipe, sudo_samedit). - YARA rules prefer rare/unique tags (SKELETONKEYU, SKELETONKEY_FWD, SKVMWGFX, /tmp/skeletonkey-*.log) over common bytes — minimizes false positives. - Every rule tagged with attack.privilege_escalation + cve.YYYY.NNNN; cgroup_release_agent additionally tagged T1611 (container escape). skeletonkey.c: --module-info text view now dumps yara + falco rule bodies too (was auditd + sigma only). All 4 formats visible per module. Verification: - macOS local: clean build, 33 kernel_range tests pass. - Linux (docker gcc:latest): 33 + 54 = 87 passes, 0 fails. - --module-info nf_tables / af_unix_gc / etc.: 'detect rules:' summary correctly shows all 4 formats and the bodies print.	2026-05-23 11:10:54 -04:00
leviathan	ee3e7dd9a7	skeletonkey: --explain MODULE — single-page operator briefing ... One command that answers 'should we worry about this CVE here, what would patch it, and what would the SOC see if someone tried it'. Renders, for the specified module: - Header: name + CVE + summary - WEAKNESS: CWE id and MITRE ATT&CK technique (from CVE metadata) - THREAT INTEL: CISA KEV status (with date_added if listed) and the upstream-curated kernel_range - HOST FINGERPRINT: kernel + arch + distro from ctx->host plus every relevant capability gate (userns / apparmor / selinux / lockdown) - DETECT() TRACE (live): runs the module's detect() with verbose stderr enabled so the operator sees the gates fire in real time — 'kernel X is patched', 'userns blocked by AppArmor', 'no readable setuid binary', etc. - VERDICT: the result_t with a one-line operator interpretation that varies by outcome (OK / VULNERABLE / PRECOND_FAIL / TEST_ERROR each get their own framing) - OPSEC FOOTPRINT: word-wrapped .opsec_notes paragraph (from last commit) showing what an exploit would leave behind on this host - DETECTION COVERAGE: which of auditd/sigma/yara/falco have embedded rules for this module, with pointers to the --module-info / --detect-rules commands that dump the bodies Targeted at every audience the project is meant to serve: - Red team: opsec footprint + 'would this even reach' verdict in one screen - Blue team: paste-ready triage ticket with CVE / CWE / ATT&CK / KEV header and detection-coverage matrix - Researchers: the live trace shows the reasoning chain (predates check, kernel_range_is_patched lookup, userns gate) that drove the verdict — auditable without reading source - SOC analysts / students: a single self-contained briefing per CVE, no cross-referencing needed Implementation: - New mode MODE_EXPLAIN, new flag --explain MODULE - cmd_explain() composes the page from the existing module struct, cve_metadata_lookup() (federal-source triage data), ctx->host (cached fingerprint), and a live detect() call - print_wrapped() helper word-wraps the long .opsec_notes paragraph at 76 cols / 2-space indent - Help text + README quickstart + DETECTION_PLAYBOOK single-host recipe all updated to mention --explain Smoke tests: - macOS: --explain nf_tables shows full briefing; trace says 'Linux-only module — not applicable here'; verdict PRECOND_FAIL with the generic-precondition interpretation - Linux (docker gcc:latest): --explain nf_tables on a 6.12 host fires '[+] nf_tables: kernel 6.12.76-linuxkit is patched'; verdict OK with the 'this host is patched' interpretation - Both: --explain nope (unknown module) returns 1 with a clear 'no module ... Try --list' error - Both: 87 tests still pass (33 kernel_range + 54 detect on Linux, 33 + 0 stubbed on macOS) Closes the metadata + opsec + explain trio. The three together answer the 'best tool for red team, blue team, researchers, and more' framing.	2026-05-23 10:49:46 -04:00
leviathan	39ce4dff09	modules: per-module OPSEC notes — telemetry footprint per exploit ... Adds .opsec_notes to every module's struct skeletonkey_module (31 entries across 26 module files). One paragraph per exploit describing the runtime footprint a defender/SOC would see: - file artifacts created/modified (exact paths from source) - syscall observables (the unshare / socket / setsockopt / splice / msgsnd patterns the embedded detection rules look for) - dmesg signatures (silent on success vs KASAN oops on miss) - network activity (loopback-only vs none) - persistence side-effects (/etc/passwd modification, dropped setuid binaries, backdoors) - cleanup behaviour (callback present? what it restores?) Each note is grounded in the module's source code + its existing auditd/sigma/yara/falco detection rules — the OPSEC notes are literally the inverse of those rules (the rules describe what to look for; the notes describe what the exploit triggers). Three intelligence agents researched the modules in parallel, reading source + MODULE.md, then their proposals were embedded verbatim via tools/inject_opsec.py (one-shot script, not retained). Where surfaced: - --module-info <name>: '--- opsec notes ---' section between detect-rules summary and the embedded auditd/sigma rule bodies. - --module-info / --scan --json: 'opsec_notes' top-level string. Audience uses: - Red team: see what footprint each exploit leaves so they pick chains that match the host's telemetry posture. - Blue team: the notes mirror the existing detection rules from the attacker side — easy diff to find gaps in their SIEM coverage. - Researchers: per-exploit footprint catalog for technique analysis. copy_fail_family gets one shared note across all 5 register entries (copy_fail, copy_fail_gcm, dirty_frag_esp, dirty_frag_esp6, dirty_frag_rxrpc) since they share exploit infrastructure. Verification: - macOS local: clean build, --module-info nf_tables shows full opsec section + CWE + ATT&CK + KEV row from previous commit. - Linux (docker gcc:latest): 33 + 54 = 87 passes, 0 fails. Next: --explain mode (uses these notes + the triage metadata to render a single 'why is this verdict, what would patch fix it, and what would the SOC see' page per module).	2026-05-23 10:45:38 -04:00
leviathan	e4a600fef2	module metadata: CWE + ATT&CK + CISA KEV triage from federal sources ... Adds per-CVE triage annotations that turn SKELETONKEY's JSON output into something a SIEM/CTI/threat-intel pipeline can route on, and a KEV badge in --list so operators see at-a-glance which modules cover actively-exploited bugs. New tool — tools/refresh-cve-metadata.py: - Discovers CVEs by scanning modules/<dir>/ (no hardcoded list). - Fetches CISA's Known Exploited Vulnerabilities catalog (https://www.cisa.gov/.../known_exploited_vulnerabilities.csv). - Fetches CWE classifications from NVD's CVE API 2.0 (services.nvd.nist.gov), throttled to the anonymous 5-req/30s limit (~3 minutes for 26 CVEs). - Hand-curated ATT&CK technique mapping (T1068 default; T1611 for container escapes, T1082 for kernel info leaks — MITRE doesn't publish a clean CVE→technique feed). - Generates three outputs: docs/CVE_METADATA.json machine-readable, drift-checkable docs/KEV_CROSSREF.md human-readable table core/cve_metadata.c auto-generated lookup table - --check mode diffs the committed JSON against a fresh fetch for CI drift detection. New core API — core/cve_metadata.{h,c}: struct cve_metadata { cve, cwe, attack_technique, attack_subtechnique, in_kev, kev_date_added }; const struct cve_metadata *cve_metadata_lookup(const char *cve); Lookup keyed by CVE id, not module name — the metadata is properties of the CVE (two modules covering the same bug see the same metadata). The opsec_notes field stays on the module struct because exploit technique varies per-module (different footprints). Output surfacing: - --list: new KEV column shows ★ for KEV-listed CVEs. - --module-info (text): prints cwe / att&ck / 'in CISA KEV: YES (added YYYY-MM-DD)' between summary and operations. - --module-info / --scan (JSON): emits a 'triage' subobject with the full record, plus an 'opsec_notes' field at top level when set. Initial snapshot: - 10 of 26 modules cover KEV-listed CVEs (dirty_cow, dirty_pipe, pwnkit, sudo_samedit, ptrace_traceme, fuse_legacy, nf_tables, overlayfs, overlayfs_setuid, netfilter_xtcompat). - 24 of 26 have NVD CWE mappings; 2 unmapped (NVD has no weakness record for CVE-2019-13272 and CVE-2026-46300 yet). - All 26 mapped to an ATT&CK technique. Verification: - macOS local: 33 kernel_range + clean build, --module-info shows 'in CISA KEV: YES (added 2024-05-30)' for nf_tables, --list KEV column renders. - Linux (docker gcc:latest): 33 + 54 = 87 passes, 0 fails. Follow-up commits will add per-module OPSEC notes and --explain mode.	2026-05-23 10:38:01 -04:00
leviathan	60d22eb4f6	core/host: add meltdown_mitigation passthrough + migrate entrybleed ... The kpti_enabled bool in struct skeletonkey_host flattens three distinct sysfs states into one bit: /sys/devices/system/cpu/vulnerabilities/meltdown content: - 'Not affected' → CPU is Meltdown-immune; KPTI off; EntryBleed doesn't apply (verdict: OK) - 'Mitigation: PTI' → KPTI on (verdict: VULNERABLE) - 'Vulnerable' → KPTI off but CPU not hardened (rare; verdict: VULNERABLE conservatively) - file unreadable → unknown (verdict: VULNERABLE conservatively) kpti_enabled=true only captures 'Mitigation: PTI'; kpti_enabled=false collapses 'Not affected', 'Vulnerable', and 'unreadable' into one indistinguishable case. That meant entrybleed_detect() had to re-open the sysfs file to recover the raw string. Fix by also stashing the raw first line in ctx->host->meltdown_mitigation[64]. kpti_enabled stays for callers that only need the simple bool; new code that needs the nuance reads the string. populate happens once at startup, like every other host field. entrybleed migration: - reads ctx->host->meltdown_mitigation instead of opening sysfs - removes the file-local read_first_line() helper (now dead code) - same three-way verdict logic, but driven by a const char * instead of a fresh fopen() each detect() Test coverage: - 3 new test rows on x86_64 fingerprints: empty mitigation → VULNERABLE (conservative) 'Not affected' → OK 'Mitigation: PTI' → VULNERABLE - 1 stub-path test row on non-x86_64 fingerprints (PRECOND_FAIL) - registry coverage report: 30/31 modules now have direct tests (up from 29/31; copy_fail is the only remaining untested module) Verification: - macOS: 33 kernel_range + 1 entrybleed-stub = 34 passes, 0 fails - Linux (docker gcc:latest): 33 kernel_range + 54 detect = 87 passes, 0 fails. Up from 83 last commit.	2026-05-23 01:14:38 -04:00
leviathan	e2fef41667	.gitignore: add /skeletonkey-test-kr (new kernel_range unit-test binary)	2026-05-23 01:09:40 -04:00
leviathan	8243817f7e	test harness: kernel_range unit tests + coverage report + register_all helper ... Three coupled improvements to the test harness: 1. New tests/test_kernel_range.c — 32 pure unit tests covering kernel_range_is_patched(), skeletonkey_host_kernel_at_least(), and skeletonkey_host_kernel_in_range(). These are the central comparison primitives every module routes through; a regression in any of them silently mis-classifies entire CVE families. Tests cover exact boundary, one-below, mainline-only, multi-LTS, between-branch, and NULL-safety cases. Builds and runs cross-platform (no Linux syscalls). 2. tests/test_detect.c additions: - mk_host(base, major, minor, patch, release) builder so new fingerprint-based tests don't duplicate 14-line struct literals to override one (major, minor, patch) triple. - Post-run coverage report that iterates the runtime registry and warns about modules without at least one direct test row. Output is informational (no CI fail) so coverage grows incrementally. - 7 new boundary tests for the kernel_patched_from entries added by tools/refresh-kernel-ranges.py (commit 8de46e2): - af_unix_gc 6.4.12 → VULNERABLE / 6.4.13 → OK - vmwgfx 5.10.127 → OK - nft_set_uaf 5.10.179 → OK / 6.1.27 → OK - nft_payload 5.10.162 → OK - nf_tables 5.10.209 → OK 3. core/registry_all.c — extracts the 27-line 'call every skeletonkey_register_<family>()' enumeration from skeletonkey.c into a shared helper. skeletonkey.c main() now calls skeletonkey_register_all_modules() once; the detect-test main() does the same. Kept in its own translation unit so registry.c stays standalone for the lean kernel_range unit-test binary (which links core/ only, no modules). Makefile: builds two test binaries now — skeletonkey-test — detect() integration tests (full corpus) skeletonkey-test-kr — kernel_range unit tests (core/ only) 'make test' runs both. Verification: - macOS: 32/32 kernel_range tests pass; detect tests skipped (non-Linux platform, stubbed bodies). - Linux (docker gcc:latest): 32/32 kernel_range + 51/51 detect. Coverage report identifies 2 modules without direct tests (copy_fail, entrybleed) out of 31 registered. Test counts: 44 -> 83 (+39).	2026-05-23 01:09:30 -04:00
leviathan	8de46e212e	kernel_range: refresh tables from Debian tracker — 5 MISSING adds + 4 off-by-one harmonisations ... First batch of fixes surfaced by tools/refresh-kernel-ranges.py. Drift drops from 18 actionable findings (5 MISSING + 13 TOO_TIGHT) to 13 (now only 1 MISSING + 12 TOO_TIGHT). The remaining TOO_TIGHT findings all involve threshold-version drops of 2+ patch versions; those need per-commit verification against git.kernel.org/linus before applying (saving for a follow-up). MISSING adds — branches Debian has fixed that we had no entry for: af_unix_gc (CVE-2023-4622): + {6, 4, 13} stable 6.4.x (forky/sid/trixie all at this version) dirtydecrypt (CVE-2026-31635): + {6, 19, 13} stable 6.19.x (forky/sid) — our previous table only listed mainline 7.0.0; Debian is shipping the fix on the 6.19 branch ahead of 7.0 release. overlayfs_setuid (CVE-2023-0386): + {5, 10, 179} stable 5.10.x (bullseye) vmwgfx (CVE-2023-2008): + {5, 10, 127} stable 5.10.x (bullseye) + {5, 18, 14} stable 5.18.x (bookworm/forky/sid/trixie) TOO_TIGHT harmonisations — single-patch-version differences, almost certainly off-by-one curation errors on our side: nf_tables (CVE-2024-1086): {5, 10, 210} -> {5, 10, 209} (Debian bullseye) nft_payload (CVE-2023-0179): {5, 10, 163} -> {5, 10, 162} (Debian bullseye) nft_set_uaf (CVE-2023-32233): {5, 10, 180} -> {5, 10, 179} (Debian bullseye) {6, 1, 28} -> {6, 1, 27} (Debian bookworm) Larger TOO_TIGHT diffs deferred: - cgroup_release_agent (5.16.9 -> 5.16.7, diff 2) - cls_route4 (5.18.18 -> 5.18.16, diff 2; 5.10.143 -> 5.10.136, diff 7) - dirty_cow (4.7.10 -> 4.7.8, diff 2) - dirty_pipe (5.10.102 -> 5.10.92, diff 10) - netfilter_xtcompat (5.10.46 -> 5.10.38, diff 8) - overlayfs_setuid (6.1.27 -> 6.1.11, diff 16) - ptrace_traceme (4.19.58 -> 4.19.37, diff 21) - sequoia (5.10.52 -> 5.10.46, diff 6) These need per-commit confirmation against the upstream-stable kernel changelog before lowering our threshold. Conservatively keeping the current (more strict) values until each is verified. Verification: - Linux (docker gcc:latest + libglib2.0-dev + sudo): 44/44 tests pass, full build clean. - macOS (local): 31-module build clean. - tools/refresh-kernel-ranges.py rerun: drift reduced 18 -> 13.	2026-05-23 00:58:04 -04:00
leviathan	df4b879527	tools: refresh-kernel-ranges.py — Debian tracker drift detection ... Standalone Python script that pulls Debian's security-tracker JSON and compares each module's hardcoded kernel_patched_from table against the fixed-versions Debian actually ships. Surfaces real drift the no-fabrication rule needs us to fix: MISSING — Debian has a fix on a kernel branch we have no entry for. Module's detect() would say VULNERABLE on a host that's actually patched. TOO_TIGHT — Our threshold is later than Debian's earliest fix on the same branch. Module would call a patched host VULNERABLE. False-positive on production fleets. INFO — Our threshold is earlier than Debian's. We're more permissive; usually fine (we tracked a different upstream-stable cut), but flagged for review. Three output modes: default (text) — human-readable report on stderr --json — machine-readable for CI / dashboards --patch — unified-diff-style proposed C-source edits --refresh — bypass the 12h cache TTL and re-fetch Implementation: - urllib (no pip deps) fetches the ~70MB tracker JSON. - Cached at /tmp/skeletonkey-debian-tracker.json with 12h TTL. - Parses every modules/*/skeletonkey_modules.c for the .cve = '...' field + the kernel_patched_from <name>[] = { {M,m,p}, ... } array. - Per CVE, builds {debian_release -> upstream_version_tuple} from the tracker's 'releases.*.fixed_version' field (stripping Debian -N / +bN / ~bpoN suffixes to recover the upstream version). - Groups by (major, minor) branch; flags MISSING / TOO_TIGHT / INFO. - Exits non-zero when MISSING or TOO_TIGHT findings exist (suitable for a CI 'detect-drift' job). First-run output found drift in 17 of 20 modules with kernel_range tables — operator-reviewable. NOT auto-applied; this commit only ships the diagnostic tool, not the suggested fixes. README's Contributing section now points at the tool.	2026-05-23 00:52:10 -04:00
leviathan	6b6d638d98	.gitignore: exclude release build artifacts at repo root ... A few release-binary artifacts slipped into the previous commit (skeletonkey-x86_64-static + .sha256). Untrack them and pre-emptively extend the ignore list to cover every release-asset filename pattern the workflow + manual uploads can produce.	2026-05-23 00:47:25 -04:00
leviathan	8938a74d04	detection rules: YARA + Falco for the 6 highest-rank modules + playbook ... Closes the 'rules in the box' gap — the README has claimed YARA + Falco coverage but detect_yara and detect_falco were NULL on every module. This commit lights up both formats for the 6 highest-value modules (covering 10 of 31 registered modules via family-shared rules), and the existing operational playbook gains the format-specific deployment recipes + the cross-format correlation table. YARA rules (8 rules, 9 module-headers, 152 lines): - copy_fail_family — etc_passwd_uid_flip + etc_passwd_root_no_password (shared across copy_fail / copy_fail_gcm / dirty_frag_esp / dirty_frag_esp6 / dirty_frag_rxrpc) - dirty_pipe — passwd UID flip pattern, dirty-pipe-specific tag - dirtydecrypt — 28-byte ELF prefix match on tiny_elf[] + setuid+execve shellcode tail, detects the page-cache overlay landing - fragnesia — 28-byte ELF prefix on shell_elf[] + setuid+setgid+seteuid cascade, detects the 192-byte page-cache overlay - pwnkit — gconv-modules cache file format (small text file with module UTF-8// X// /tmp/...) - pack2theroot — malicious .deb (ar archive + SUID-bash postinst) + /tmp/.suid_bash artifact scan Falco rules (13 rules, 9 module-headers, 219 lines): - pwnkit — pkexec with empty argv + GCONV_PATH/CHARSET env from non-root - copy_fail_family — AF_ALG socket from non-root + NETLINK_XFRM from unprivileged userns + /etc/passwd modified by non-root - dirty_pipe — splice() of setuid/credential file by non-root - dirtydecrypt — AF_RXRPC socket + add_key(rxrpc) by non-root - fragnesia — TCP_ULP=espintcp from non-root + splice of setuid binary - pack2theroot — SUID bit set on /tmp/.suid_bash + dpkg invoked by packagekitd with /tmp/.pk-*.deb + 2x InstallFiles on same transaction Wiring: each module's .detect_yara and .detect_falco struct fields now point at the embedded string. The dispatcher dedups by pointer, so family-shared rules emit once across the 5 sub-modules. docs/DETECTION_PLAYBOOK.md augmented (302 -> 456 lines): - New 'YARA artifact scanning' subsection under SIEM integration with scheduled-scan cron pattern + per-rule trigger table - New 'Falco runtime detection' subsection with deploy + per-rule trigger table - New 'Per-module detection coverage' table — 4-format matrix - New 'Correlation across formats' section — multi-format incident signature per exploit (the 3-of-4 signal pattern) - New 'Worked example: catching DirtyDecrypt end-to-end' walkthrough from Falco page through yara confirmation, recovery, hunt + patch The existing operational lifecycle / SIEM patterns / FP tuning content is preserved unchanged — this commit only adds. Final stats: - auditd: 109 rule statements across 27 modules - sigma: 16 sigma rules across 19 modules - yara: 8 yara rules across 9 module headers (5 family + 4 distinct) - falco: 13 falco rules across 9 module headers The remaining 21 modules can gain YARA / Falco coverage incrementally by populating their detect_yara / detect_falco struct fields.	2026-05-23 00:47:13 -04:00
leviathan	027fc1f9dd	release.yml: add static-musl x86_64 build (Alpine) ... Adds a third matrix job that builds a static-musl binary on Alpine so future tags ship 4 assets per arch: dynamic + static. The dynamic x86_64 build (gcc on ubuntu-latest) hits a glibc-version ceiling — built against glibc 2.39, refuses to run on Debian 12 (2.36), RHEL 8/9, etc. install.sh now fetches the static asset by default for x86_64; the dynamic remains available via SKELETONKEY_DYNAMIC=1. Static build details: - Alpine container (native musl + linux-headers from apk). - -DMSG_COPY=040000 covers the only musl-vs-glibc gap (netfilter_xtcompat uses MSG_COPY, which is a Linux-kernel constant that glibc exposes but musl omits — kernel header: include/uapi/linux/msg.h). - LDFLAGS=-static produces a static-PIE ELF (~1.2 MB). - Cross-distro verified locally: Alpine-built binary runs on Debian/Ubuntu/Fedora/RHEL. Locally-built static binary was uploaded to v0.6.2 by hand to unblock the one-liner installer immediately.	2026-05-23 00:30:13 -04:00
leviathan	72ac6f8774	install.sh: prefer x86_64-static binary by default (portable across libc versions) ... The dynamic binary requires glibc 2.38+ — built on ubuntu-latest (2.39+), it refuses to load on Debian 12 (glibc 2.36), older Ubuntu, RHEL 8/9, etc. Hard portability ceiling for the one-liner installer. The musl-static binary (built on Alpine, attached as skeletonkey-x86_64-static) runs on every libc — verified Alpine → Debian/Ubuntu/Fedora/RHEL cross-distro. Costs ~800 KB extra (1.2 MB vs 390 KB) but eliminates the libc-version problem entirely. Default: install.sh now fetches the -static asset for x86_64. Override: SKELETONKEY_DYNAMIC=1 curl … | sh fetches the smaller dynamic binary (for hosts that have modern glibc and want the smaller download). arm64: no static variant attached yet (cross-compiling musl for aarch64 needs a separate toolchain); install.sh still fetches the dynamic arm64 binary, which works on most modern arm64 distros (raspberry-pi / aws graviton / etc.). v0.6.2	2026-05-23 00:28:36 -04:00
leviathan	fde053a27e	install.sh: POSIX-compatible 'set -o pipefail' so 'curl | sh' works ... The README documents the one-liner as 'curl ... install.sh | sh', but on Debian/Ubuntu /bin/sh is dash which rejects 'set -o pipefail' unknown option. The shebang #!/usr/bin/env bash is honored only when the script is invoked directly — when piped via 'curl | sh' the running shell IS dash. Fix: split the strict-mode setup. 'set -eu' is POSIX-portable (every shell). 'pipefail' is then enabled conditionally only on shells that recognise it. Every curl/tar/install step in the rest of the script checks its own exit code, so losing pipefail in dash costs no behaviour — the installer still fails fast on any error. v0.6.1	2026-05-23 00:24:58 -04:00
leviathan	97be306fd2	release: bump version to v0.6.0 ... This release captures the session's reliability + accuracy work on top of v0.5.0: - Shared host fingerprint (core/host.{h,c}): kernel/distro/userns gates / sudo + polkit versions, populated once at startup; every module consults ctx->host instead of doing its own probes. - Test harness (tests/test_detect.c, make test): 44 unit tests over mocked host fingerprints, wired into CI as a non-root step. - --auto upgrades: auto-enables --active, per-detect 15s timeout, fork-isolated detect + exploit so a crashing module can't tear down the dispatcher, per-module verdict table + scan summary. - --dry-run flag (preview without firing; --i-know not required). - Pinned mainline fix commits for the 3 ported modules (dirtydecrypt / fragnesia / pack2theroot) — detect() is now version-pinned with kernel_range tables, not precondition-only. - New modules: dirtydecrypt (CVE-2026-31635), fragnesia (CVE-2026-46300), pack2theroot (CVE-2026-41651). - macOS dev build works for the first time (all Linux-only code wrapped in #ifdef __linux__). - docs/JSON_SCHEMA.md: stable consumer contract for --scan --json. Version bump: - SKELETONKEY_VERSION = '0.6.0' in skeletonkey.c - README status line updated with the v0.6.0 changelog - docs/JSON_SCHEMA.md example refreshed v0.6.0	2026-05-23 00:22:18 -04:00
leviathan	a9c8f7d8c6	tests: 5 happy-path VULNERABLE assertions (44 total) ... Adds h_kernel_5_14_userns_ok fingerprint (vulnerable kernel + userns allowed) and uses it to assert the VULNERABLE branch is reached on the 5 netfilter-class modules whose detect() short-circuits there once both gates are satisfied: - nf_tables (CVE-2024-1086) -> VULNERABLE - cls_route4 (CVE-2022-2588) -> VULNERABLE - nft_set_uaf (CVE-2023-32233) -> VULNERABLE - nft_fwd_dup (CVE-2022-25636) -> VULNERABLE - nft_payload (CVE-2023-0179) -> VULNERABLE Combined with the earlier sudo_samedit and pwnkit vulnerable-version tests, this gives us positive-verdict coverage on 7 modules (was 2). The detect() logic that decides VULNERABLE when conditions match is now exercised, not just the precondition short-circuits. 39 -> 44 cases, all pass on Linux.	2026-05-23 00:17:17 -04:00
leviathan	150f16bc97	pwnkit + sudoedit_editor: ctx->host migration + 4 more tests (39 total) ... pwnkit: migrate detect() to consult ctx->host->polkit_version with the same graceful-fallback pattern as the sudo modules. The version is populated once at startup by core/host.c (via pkexec --version); detect() skips the per-scan popen when the host fingerprint has the version. Falls back to the inline popen path when ctx->host is missing the version (degenerate test contexts). sudoedit_editor: already migrated; this commit adds direct test coverage. tests/test_detect.c expansion (35 → 39): - pwnkit: polkit_version='0.105' -> VULNERABLE (pre-0.121 fix) - pwnkit: polkit_version='0.121' -> OK (fix release) - sudoedit_editor: vuln sudo + no sudoers grant -> PRECOND_FAIL (documented behaviour: vulnerable version, but the dispatcher has no usable sudoedit grant on the host) - sudoedit_editor: fixed sudo (1.9.13p1) -> OK The sudoedit_editor 'vuln + no grant' case is the first test to exercise the second-level precondition gate AFTER the version check passes — proves the version-pinned detect logic AND the sudo -ln target-discovery short-circuit both work as intended. The h_vuln_sudo / h_fixed_sudo synthetic fingerprints gained the .polkit_version field alongside .sudo_version so a single fingerprint exercises both pwnkit and the sudo modules. Verification: 39/39 pass on Linux (docker gcc:latest + libglib2.0-dev + sudo, non-root user skeletonkeyci). macOS dev box still reports 'skipped — Linux-only' as designed.	2026-05-23 00:15:01 -04:00
leviathan	c63ee72aa1	docs: JSON output schema (consumer contract for --scan --json) ... Adds docs/JSON_SCHEMA.md documenting the shape and stability promises of the JSON document --scan --json emits on stdout. The schema is already what the binary produces — this commit pins the contract so fleet-scan / SIEM consumers can rely on it across releases. What it covers: - Top-level object: { version, modules } and field stability. - Per-module entry: { name, cve, result } with type + stability. - The 6-value result enum (OK / TEST_ERROR / VULNERABLE / EXPLOIT_FAIL / PRECOND_FAIL / EXPLOIT_OK) and what each means semantically. - Process exit-code semantics for --scan (worst observed result becomes the exit code — lets a SIEM treat the binary exit as a single-host alert level). - Bash + jq one-liners for the common fleet-roll-up patterns. - A recommended Python consumer pattern with the forward-compat guidance (ignore unknown fields, treat unknown result strings as TEST_ERROR-equivalent). - Explicit stability promises: which fields cannot change without a major-version bump, what may be added in future minor releases, what consumers MUST tolerate. Verified against the live binary: --scan --json produces exactly the documented shape (top-level keys {modules, version}; per-module keys {cve, name, result}; result values come from the documented enum). 31 modules / 30 unique CVEs at v0.5.0. README's 'Sysadmins' audience row now links the schema doc: 'JSON output for CI gates ([schema](docs/JSON_SCHEMA.md))'.	2026-05-23 00:07:45 -04:00
leviathan	86812b043d	core/host: userspace version fingerprint (sudo, polkit) ... The host fingerprint now captures sudo + polkit versions at startup so userspace-LPE modules can consult a single source of truth instead of each popen-ing the relevant binary themselves on every scan. Pack2theroot already queries PackageKit version via D-Bus in-module, so PackageKit stays there for now. core/host.h: - new fields: char sudo_version[64], char polkit_version[64]. Empty string when the tool isn't installed or version parse fails; modules should treat that as PRECOND_FAIL. - documented next to has_systemd / has_dbus_system in the struct. core/host.c: - new populate_userspace_versions(h) called from skeletonkey_host_get() after the other populators. - capture_first_line() helper runs a command via popen, grabs first stdout line, strips newline. Best-effort: failure leaves dst empty. - extract_version_after_prefix() pulls the version token after a fixed prefix string ('Sudo version', 'pkexec version'), handling the colon/space variants. - skeletonkey_host_print_banner() gained a third line when either version is non-empty: [*] userspace: sudo=1.9.17p2 polkit=- Module migration (graceful fallback pattern — modules still work without ctx->host populated): - sudo_samedit detect: if ctx->host->sudo_version is set, skip the popen and synthesize a 'Sudo version <X>' line for the existing parser. Falls back to the original find_sudo + popen path if the host fingerprint didn't capture a version. - sudoedit_editor detect: same pattern — host fingerprint sudo_version takes precedence over the local get_sudo_version popen. tests/test_detect.c additions (2 new cases, 33 → 35): - h_vuln_sudo fingerprint (sudo_version='1.8.31', kernel 5.15) — asserts sudo_samedit reports VULNERABLE via the host-provided version string. - h_fixed_sudo fingerprint (sudo_version='1.9.13p1', kernel 6.12) — asserts sudo_samedit reports OK on a patched sudo. This is the first test pair to cover the *vulnerable* path of a module rather than just precondition gates — proves the version-parsing logic itself, not only the short-circuits. Verification: 35/35 pass on Linux. macOS banner shows 'userspace: sudo=1.9.17p2 polkit=-' as the dev box has Homebrew sudo but no polkit.	2026-05-23 00:05:39 -04:00
leviathan	0d87cbc71c	copy_fail_family: bridge-level userns gate + 4 new tests (33 total) ... The 4 dirty_frag siblings + the GCM variant all gate on unprivileged user-namespace creation (the XFRM-ESP / AF_RXRPC paths are unreachable without it). The inner DIRTYFAIL detect functions already check this, but the check happened deep inside the legacy code — invisible to the test harness, and the bridge wrappers would delegate first and only short-circuit afterwards. Move the check up to the bridge: a single cff_check_userns() helper inspects ctx->host->unprivileged_userns_allowed and returns PRECOND_FAIL (with a host-fingerprint-annotated message) BEFORE calling the inner detect. The inner check stays in place as belt- and-suspenders. copy_fail itself uses AF_ALG (no userns needed) and bypasses the gate — its inner detect still confirms the primitive empirically via the active probe. modules/copy_fail_family/skeletonkey_modules.c: - #include "../../core/host.h" alongside the existing includes. - new static cff_check_userns(modname, ctx) helper. - copy_fail_gcm_detect_wrap, dirty_frag_esp_detect_wrap, dirty_frag_esp6_detect_wrap, dirty_frag_rxrpc_detect_wrap all call cff_check_userns before delegating. - copy_fail_detect_wrap is intentionally untouched. tests/test_detect.c: 4 new EXPECT_DETECT cases assert that all 4 gated bridge wrappers return PRECOND_FAIL when unprivileged_userns_allowed=false, using the existing h_kernel_5_14_no_userns fingerprint. 29 → 33 tests, all pass on Linux.	2026-05-23 00:02:23 -04:00
leviathan	2b1e96336e	core/host: in_range helper + 13-module migration + 12 more tests (29 total) ... Three coordinated changes that build on the host_kernel_at_least landed in 1571b88: 1. core/host gains skeletonkey_host_kernel_in_range(h, lo..., hi...) — a [lo, hi) bounded-interval check for modules that want the 'vulnerable window' semantics directly. Implemented in terms of host_kernel_at_least (so the comparison logic stays in one place). No module uses it yet; available for new modules that want it. 2. 13 modules migrated off the manual if (v->major < X || (v->major == X && v->minor < Y)) { ... } pattern onto if (!skeletonkey_host_kernel_at_least(ctx->host, X, Y, 0)) { ... } One-line replacements, mechanical, no behavior change. Migrated: af_packet2, dirty_pipe, fuse_legacy, netfilter_xtcompat, nf_tables, nft_fwd_dup, nft_payload, nft_set_uaf, overlayfs, overlayfs_setuid, ptrace_traceme, stackrot, vmwgfx. The repo now has zero manual 'v->major < X' patterns — every predates-check reads the same way. 3. tests/test_detect.c expanded from 17 to 29 cases. Adds: Above-fix coverage on h_kernel_6_12 (10 modules previously untested): af_packet, af_packet2, af_unix_gc, netfilter_xtcompat, nft_set_uaf, nft_fwd_dup, nft_payload, stackrot, sequoia, vmwgfx. Ancient-kernel predates coverage on h_kernel_4_4 (2 more cases): nft_set_uaf (introduced 5.1), stackrot (introduced 6.1). Detect-path test coverage now spans most of the corpus that has a testable host-fingerprint gate. Untested modules from here on are either userspace bugs whose detect() doesn't gate on host fields (pwnkit, sudo_samedit, sudoedit_editor), entrybleed (sysfs-direct, no host gate), or the copy_fail_family bridge (no ctx->host integration yet). Verification: Linux (docker gcc:latest, non-root user): 29/29 pass. macOS (local): 31-module build clean, suite reports 'skipped — Linux-only' as designed.	2026-05-22 23:58:38 -04:00
leviathan	1571b88725	core/host: skeletonkey_host_kernel_at_least + 9 new detect() tests ... core/host helper: - Adds bool skeletonkey_host_kernel_at_least(h, M, m, p) — the canonical 'kernel >= X.Y.Z' check. Replaces the manual 'v->major < X || (v->major == X && v->minor < Y)' pattern that many modules use for their 'predates the bug' pre-check. Returns false when h is NULL or h->kernel.major == 0 (degenerate cases), true otherwise iff the host kernel sorts at or above the supplied version. - dirtydecrypt migrated as the demo: the 'kernel < 7.0 → predates' pre-check now reads 'if (!host_kernel_at_least(ctx->host, 7, 0, 0))'. Other modules still using the manual pattern continue to work unchanged; migrating them is incremental polish. tests/test_detect.c expansion (8 → 17 cases): New fingerprints: - h_kernel_4_4 — ancient (Linux 4.4 LTS); used for 'predates the bug' on dirty_pipe. - h_kernel_6_12 — recent (Linux 6.12 LTS); above every backport threshold in the corpus — modules report OK via the 'patched by mainline inheritance' branch of kernel_range_is_patched. - h_kernel_5_14_no_userns — vulnerable-era kernel (5.14.0, past every relevant predates check while below every backport entry) with unprivileged_userns_allowed deliberately false; lets the userns gate fire after the version check confirms vulnerable. New tests (9): - dirty_pipe + kernel 4.4 → OK (predates 5.8 introduction) - dirty_pipe + kernel 6.12 → OK (above every backport) - dirty_cow + kernel 6.12 → OK (above 4.9 fix) - ptrace_traceme + kernel 6.12 → OK (above 5.1.17 fix) - cgroup_release_agent + kernel 6.12 → OK (above 5.17 fix) - nf_tables + vuln kernel + userns=false → PRECOND_FAIL - fuse_legacy + vuln kernel + userns=false → PRECOND_FAIL - cls_route4 + vuln kernel + userns=false → PRECOND_FAIL - overlayfs_setuid + vuln kernel + userns=false → PRECOND_FAIL Process note: initial 8th and 9th userns tests failed because the chosen test kernel (5.10.0) tripped each module's predates check (nf_tables bug introduced 5.14; overlayfs_setuid 5.11). Switched to 5.14.0, which is past every predates threshold AND below every backport entry in this batch — the version verdict is now genuinely 'vulnerable' and the userns gate fires next. The bug-finding tests caught a real-but-narrow modeling gap in the original picks. Verification: - Linux (docker gcc:latest, non-root user): 17/17 pass. - macOS (local): builds clean, suite reports 'skipped — Linux-only' as designed.	2026-05-22 23:52:10 -04:00
leviathan	36814f272d	modules: migrate remaining 22 modules to ctx->host fingerprint ... Completes the host-fingerprint refactor that started in c00c3b4. Every module now consults the shared ctx->host (populated once at startup by core/host.c) instead of re-doing uname / geteuid / /etc/os-release parsing / fork+unshare(CLONE_NEWUSER) probes per detect(). Migrations applied per module (mechanical, no exploit logic touched): 1. #include "../../core/host.h" inside each module's #ifdef __linux__. 2. kernel_version_current(&v) -> ctx->host->kernel (with the v -> v-> arrow-vs-dot fix for all later usage). Drops ~20 redundant uname() calls across the corpus. 3. geteuid() == 0 (the 'already root, nothing to escalate' gate) -> bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0); This is the key change that lets the unit test suite construct non-root fingerprints regardless of the test process's actual euid. 4. Per-detect fork+unshare(CLONE_NEWUSER) probe helpers (named can_unshare_userns / can_unshare_userns_mount across the corpus) are removed wholesale; their call sites now consult ctx->host->unprivileged_userns_allowed, which was probed once at startup. Removes ~10 per-scan fork()s. Modules touched by this commit (22): Batch A (7): dirty_pipe, dirty_cow, ptrace_traceme, pwnkit, cgroup_release_agent, overlayfs_setuid, and entrybleed (no migration target — KPTI gate stays as direct sysfs read; documented as 'no applicable pattern'). Batch B (7): nf_tables, cls_route4, netfilter_xtcompat, af_packet, af_packet2, af_unix_gc, fuse_legacy. Batch C (8): stackrot, nft_set_uaf, nft_fwd_dup, nft_payload, sudo_samedit, sequoia, sudoedit_editor, vmwgfx. Combined with the 4 modules already migrated (dirtydecrypt, fragnesia, pack2theroot, overlayfs) and the 5-module copy_fail_family bridge, the entire registered corpus now goes through ctx->host. The 4 'fork+unshare per detect()' helpers that existed across nf_tables, cls_route4, netfilter_xtcompat, af_packet, af_packet2, fuse_legacy, nft_set_uaf, nft_fwd_dup, nft_payload, sequoia, cgroup_release_agent, and overlayfs_setuid are now gone — replaced by the single startup probe in core/host.c. Verification: - Linux (docker gcc:latest + libglib2.0-dev): full clean build links 31 modules; tests/test_detect.c: 8/8 pass. - macOS (local): full clean build links 31 modules (Mach-O, 172KB); test suite reports skipped as designed on non-Linux. Subsequent commits can add more EXPECT_DETECT cases in tests/test_detect.c — the host-fingerprint paths in every module are now uniformly testable via synthetic struct skeletonkey_host instances.	2026-05-22 23:43:20 -04:00
leviathan	d05a46c5c6	.gitignore: exclude skeletonkey-test build artifact ... Mirrors the /skeletonkey rule. The test binary slipped into the prior commit; this removes it from tracking. Local binary on disk is kept (it's a build artifact).	2026-05-22 23:32:23 -04:00
leviathan	ea1744e6f0	tests: detect() unit harness with mocked ctx->host ... Adds tests/test_detect.c — a standalone harness that constructs synthetic struct skeletonkey_host fingerprints (vulnerable / patched / specific-gate-closed) and asserts each migrated module's detect() returns the expected verdict. First real test coverage for the corpus; catches regressions in the host-fingerprint-consuming logic. Initial coverage — 8 deterministic cases across the 4 modules that already consume ctx->host: - dirtydecrypt: 3 cases verifying 'kernel < 7.0 -> predates the bug' short-circuit on synthetic 6.12 / 6.14 / 6.8 hosts. - fragnesia: unprivileged_userns_allowed=false -> PRECOND_FAIL. - pack2theroot: is_debian_family=false -> PRECOND_FAIL. - pack2theroot: has_dbus_system=false -> PRECOND_FAIL. - overlayfs: distro=debian / distro=fedora -> 'not Ubuntu' -> OK. Coverage grows automatically as more modules migrate to ctx->host (task #12 below adds them). Each new module that consults the host fingerprint can have its precondition gates tested with a one-line EXPECT_DETECT call against a pre-built fingerprint. Wiring: - Makefile: new MODULE_OBJS var consolidates the module .o list so both the main binary and the test binary can share it without duplication. New TEST_BIN := skeletonkey-test target. 'make test' builds and runs the suite. - .github/workflows/build.yml: install libglib2.0-dev + pkg-config so pack2theroot builds with GLib in CI (was previously stub-compiling). New 'tests — detect() unit suite' step runs 'make test' as a non-root user so modules' 'already root' gates don't short-circuit before the synthetic host checks fire. - Test harness compiles cross-platform but assertions are #ifdef __linux__ guarded (on non-Linux all module detect() bodies stub-out to PRECOND_FAIL, making assertions tautological); macOS dev build reports 'skipped'. Module change: - pack2theroot p2tr_detect now consults ctx->host->is_root (with a geteuid() fallback when ctx->host is null) instead of calling geteuid() directly. Production behaviour is identical (host->is_root is populated from geteuid() at startup); tests can now construct non-root fingerprints regardless of the test process's actual euid. Exposed a real consistency issue worth fixing. Verified in docker as non-root: 8/8 pass on Linux. macOS reports 'skipped' as designed.	2026-05-22 23:32:12 -04:00
leviathan	c00c3b463a	dispatcher: per-detect timeout + exploit() fork-isolation ... Two reliability improvements that make --auto survive any misbehaving module: a 15s timeout on detect() so a hung probe can't stall the scan, and fork-isolation around exploit/mitigate/cleanup so a crashing callback doesn't take down --auto's fallback path. Detect timeout: - New SKELETONKEY_DETECT_TIMEOUT_SECS = 15. - run_detect_isolated() forked child now calls alarm(15); if detect() hangs, SIGALRM kills the child. Parent observes WIFSIGNALED with signal SIGALRM and reports 'detect() timed out (signal 14)' in the verdict table. - cmd_auto distinguishes timeout vs other crash in the scan-summary callout: separate n_timeout counter and dedicated [!] line. Exploit fork-isolation: - New run_callback_isolated() wraps exploit() / mitigate() / cleanup() in a forked child. Two crash-safety properties: * A SIGSEGV/SIGILL in the callback is contained; --auto continues to the next-safest candidate via its existing fallback list. * The dispatcher itself can't be killed by a misbehaving exploit. - Result-code communication is via a one-byte pipe with FD_CLOEXEC on the write end: * Callback returns normally -> child writes result byte, _exit; parent reads it; trusted result. * Callback execve()s a target -> FD_CLOEXEC closes the write end during the exec transition; parent's read() gets EOF; we treat exec-then-exit as EXPLOIT_OK regardless of the shell's exit code (we DID land code execution). * Callback crashes -> WIFSIGNALED true; report the signal and propagate EXPLOIT_FAIL. - cmd_auto: exploit() crash now logged distinctly ('[!] X exploit crashed (signal N) — dispatcher recovered'). Exec-path is surfaced too ('[*] X exploit transferred to spawned target — ...'). - cmd_one: same wrapping, same crash/exec reporting for the --exploit/--mitigate/--cleanup single-module paths. Both platforms build clean. Verified containment behavior on Linux in docker: entrybleed's prefetchnta SIGILL still reports cleanly as 'detect() crashed (signal 4) — continuing' and the scan finishes through all 31 modules to the summary + pick step.	2026-05-22 23:26:09 -04:00
leviathan	4f30d00a1c	core/host: shared host fingerprint refactor ... Adds core/host.{h,c} — a single struct skeletonkey_host populated once at startup and handed to every module callback via ctx->host. Replaces the per-detect uname / /etc/os-release / sysctl / userns-fork-probe calls scattered across the corpus with O(1) cached lookups, and gives the dispatcher one consistent view of the host. What's in the fingerprint: - Identity: kernel_version (parsed from uname.release), arch (machine), nodename, distro_id / distro_version_id / distro_pretty (parsed once from /etc/os-release). - Process state: euid, real_uid (defeats userns illusion via /proc/self/uid_map), egid, username, is_root, is_ssh_session. - Platform family: is_linux, is_debian_family, is_rpm_family, is_arch_family, is_suse_family (file-existence checks once). - Capability gates (Linux): unprivileged_userns_allowed (live fork+unshare probe), apparmor_restrict_userns, unprivileged_bpf_disabled, kpti_enabled, kernel_lockdown_active, selinux_enforcing, yama_ptrace_restricted. - System services: has_systemd, has_dbus_system. Wiring: - core/module.h forward-declares struct skeletonkey_host and adds the pointer to skeletonkey_ctx. Modules opt-in by including ../../core/host.h. - core/host.c is fully POD (no heap pointers) — uses a single file- static instance, returns a stable pointer on every call. Lazily populated on first skeletonkey_host_get(). - skeletonkey.c calls skeletonkey_host_get() at main() entry, stores in ctx.host before any register_*() runs. - cmd_auto's bespoke distro-fingerprint code (was an inline read_os_release helper) is replaced with skeletonkey_host_print_banner(), which emits a two-line banner of identity + capability gates. Migrations: - dirtydecrypt: kernel_version_current() -> ctx->host->kernel. - fragnesia: removed local fg_userns_allowed() fork-probe in favour of ctx->host->unprivileged_userns_allowed (no per-scan fork). Also pulls kernel from ctx->host. The PRECOND_FAIL message now notes whether AppArmor restriction is on. - pack2theroot: access('/etc/debian_version') -> ctx->host->is_debian_family; also short-circuits when ctx->host->has_dbus_system is false (saves the GLib g_bus_get_sync attempt on systems without system D-Bus). - overlayfs: replaced the inline is_ubuntu() /etc/os-release parser with ctx->host->distro_id comparison. Local helper preserved for symmetry / standalone builds. Documentation: docs/ARCHITECTURE.md gains a 'Host fingerprint' section describing the struct, the opt-in include pattern, and example detect() usage. ROADMAP --auto accuracy log notes the landing and flags remaining modules as an incremental follow-up. Build verification: - macOS (local): make clean && make -> Mach-O x86_64, 31 modules, banner prints with distro=?/? (no /etc/os-release). - Linux (docker gcc:latest + libglib2.0-dev): make clean && make -> ELF 64-bit, 31 modules. Banner prints with kernel + distro=debian/13 + 7 capability gates. dirtydecrypt correctly says 'predates the rxgk code added in 7.0'; fragnesia PRECOND_FAILs with '(host fingerprint)' annotation; pack2theroot PRECOND_FAILs on no-DBus; overlayfs reports 'not Ubuntu (distro=debian)'.	2026-05-22 23:18:00 -04:00
leviathan	3e6e0d869b	skeletonkey: add --dry-run flag ... Preview-only mode for --auto / --exploit / --mitigate / --cleanup. Walks the full scan (with active probes, fork isolation, verdict table — everything the real --auto does) and prints what would be launched, without ever calling the exploit/mitigate/cleanup callback. Wiring: - struct skeletonkey_ctx gains a 'dry_run' field (core/module.h). - Long option --dry-run, getopt case 10. - cmd_auto: after picking the safest, if dry_run, print [*] auto: --dry-run: would launch `--exploit <NAME> --i-know`; not firing. plus the remaining ranked candidates, then return 0. - cmd_one (used for --exploit/--mitigate/--cleanup) shorts on dry_run with [*] <module>: --dry-run: would run --<op>; not firing. UX: --auto --dry-run does NOT require --i-know (nothing fires). The refusal message for bare --auto now points to --dry-run for the preview path: [-] --auto requires --i-know (or --dry-run for a preview that never fires). ROADMAP --auto accuracy section updated with the dry-run + the version-pinned detect work from the previous commit. Smoke-tested locally on macOS: scanning runs, verdicts print, the 'would launch' line fires, exit 0.	2026-05-22 23:08:24 -04:00