SKELETONKEY

leviathan/SKELETONKEY

Fork 0

Commit Graph

Author	SHA1	Message	Date
leviathan	b206610a8e	entrybleed: active probe (--active runs reduced sweep + sanity-checks kbase) When --active is set, detect() runs a quick KASLR sweep and verifies the leaked address looks plausible (kernel high half, 2MiB-aligned, nonzero). This catches CPUs / mitigations / build-time changes that neutralize prefetchnta timing in ways the meltdown sysfs node doesn't reflect. Same pattern as dirty_pipe's active probe. Three verdicts now distinguishable for entrybleed: --scan: 'KPTI active → VULNERABLE' (version/config inference) --scan --active + sane kbase: 'ACTIVE PROBE CONFIRMED — leak yields plausible kbase 0x...' --scan --active + implausible kbase: 'leak technique not reliable here' → IAMROOT_TEST_ERROR Verified end-to-end on kctf-mgr: --scan --active reports 'ACTIVE PROBE CONFIRMED — leak yields plausible kbase 0xffffffff8d800000' (matches the full --exploit output).	2026-05-16 20:20:41 -04:00
leviathan	cee368d5a4	Phase 5: --detect-rules export with dedup - core/module.h: struct iamroot_module gains detect_{auditd,sigma,yara,falco} fields. NULL = module doesn't ship a rule for that format. Embedded as C string literals in each module's iamroot_modules.c so the binary is self-contained (no data-dir install needed). - iamroot.c: --detect-rules [--format=<f>] command. Walks module registry, deduplicates by pointer (family-shared rules emit once, siblings get a 'see family rules above' marker), writes to stdout for redirect into /etc/audit/rules.d/ or SIEM ingestion. - Embedded rules for: - copy_fail_family (shared across 5 modules): auditd watches on passwd/shadow/sudoers/su + AF_ALG socket creation + xfrm setsockopt; Sigma rule covers the file-modification footprint. - dirty_pipe: auditd watches on same files + splice() syscalls; Sigma rule for non-root file modification. - entrybleed: Sigma INFORMATIONAL note (side-channel — no syscall trace; reliable detection needs perf-counter EDR). Verified end-to-end on kctf-mgr: iamroot --detect-rules --format=auditd → 2 / 7 rules emit (deduped) iamroot --detect-rules --format=sigma → 2 / 7 rules emit	2026-05-16 19:58:26 -04:00
leviathan	f03efbff13	Phase 3: EntryBleed module — working stage-1 kbase leak brick - modules/entrybleed_cve_2023_0458/ (promoted out of _stubs): - iamroot_modules.{c,h}: full EntryBleed primitive (rdtsc_start/end + prefetchnta + KASLR-slot timing sweep) wired into the standard iamroot_module interface. x86_64 only; ARM/other gracefully return IAMROOT_PRECOND_FAIL. - detect(): reads /sys/.../vulnerabilities/meltdown to decide KPTI status. Mitigation: PTI → VULNERABLE. Not affected → OK. - exploit(): sweeps the 16MiB KASLR range, prints leaked kbase (and KASLR slide). JSON-mode emits {"kbase":"0x..."} to stdout. - entrybleed_leak_kbase_lib(off) declared as a public library helper so future LPE chains needing a stage-1 leak can just #include the module's header and call it. - entry_SYSCALL_64 slot offset overridable via IAMROOT_ENTRYBLEED_OFFSET (default 0x5600000 for lts-6.12.x). - __always_inline fallback added since glibc/Linux-kernel macro isn't universal; module now builds clean under macOS clangd lint and on musl. - iamroot.c registers entrybleed alongside the other families; Makefile gains it as a separate object set. Verified end-to-end on kctf-mgr (Debian 6.12.86): iamroot --exploit entrybleed --i-know → [+] entrybleed: leaked kbase = 0xffffffff8d800000 This is the FIRST WORKING-EXPLOIT module in IAMROOT (5 copy_fail_family modules wrap existing code from DIRTYFAIL; dirty_pipe is detect-only). EntryBleed is x86_64 stage-1 brick that future chains can compose.	2026-05-16 19:55:22 -04:00

Author

SHA1

Message

Date

leviathan

b206610a8e

entrybleed: active probe (--active runs reduced sweep + sanity-checks kbase)

When --active is set, detect() runs a quick KASLR sweep and verifies
the leaked address looks plausible (kernel high half, 2MiB-aligned,
nonzero). This catches CPUs / mitigations / build-time changes that
neutralize prefetchnta timing in ways the meltdown sysfs node doesn't
reflect. Same pattern as dirty_pipe's active probe.

Three verdicts now distinguishable for entrybleed:
  --scan: 'KPTI active → VULNERABLE' (version/config inference)
  --scan --active + sane kbase: 'ACTIVE PROBE CONFIRMED — leak yields
                                  plausible kbase 0x...'
  --scan --active + implausible kbase: 'leak technique not reliable
                                        here' → IAMROOT_TEST_ERROR

Verified end-to-end on kctf-mgr: --scan --active reports
'ACTIVE PROBE CONFIRMED — leak yields plausible kbase
0xffffffff8d800000' (matches the full --exploit output).

2026-05-16 20:20:41 -04:00

leviathan

cee368d5a4

Phase 5: --detect-rules export with dedup

- core/module.h: struct iamroot_module gains detect_{auditd,sigma,yara,falco}
  fields. NULL = module doesn't ship a rule for that format.
  Embedded as C string literals in each module's iamroot_modules.c so
  the binary is self-contained (no data-dir install needed).
- iamroot.c: --detect-rules [--format=<f>] command. Walks module
  registry, deduplicates by pointer (family-shared rules emit once,
  siblings get a 'see family rules above' marker), writes to stdout
  for redirect into /etc/audit/rules.d/ or SIEM ingestion.
- Embedded rules for:
  - copy_fail_family (shared across 5 modules): auditd watches on
    passwd/shadow/sudoers/su + AF_ALG socket creation + xfrm setsockopt;
    Sigma rule covers the file-modification footprint.
  - dirty_pipe: auditd watches on same files + splice() syscalls;
    Sigma rule for non-root file modification.
  - entrybleed: Sigma INFORMATIONAL note (side-channel — no syscall
    trace; reliable detection needs perf-counter EDR).

Verified end-to-end on kctf-mgr:
  iamroot --detect-rules --format=auditd → 2 / 7 rules emit (deduped)
  iamroot --detect-rules --format=sigma  → 2 / 7 rules emit

2026-05-16 19:58:26 -04:00

leviathan

f03efbff13

Phase 3: EntryBleed module — working stage-1 kbase leak brick

- modules/entrybleed_cve_2023_0458/ (promoted out of _stubs):
  - iamroot_modules.{c,h}: full EntryBleed primitive (rdtsc_start/end
    + prefetchnta + KASLR-slot timing sweep) wired into the standard
    iamroot_module interface. x86_64 only; ARM/other gracefully
    return IAMROOT_PRECOND_FAIL.
  - detect(): reads /sys/.../vulnerabilities/meltdown to decide
    KPTI status. Mitigation: PTI → VULNERABLE. Not affected → OK.
  - exploit(): sweeps the 16MiB KASLR range, prints leaked kbase
    (and KASLR slide). JSON-mode emits {"kbase":"0x..."} to stdout.
  - entrybleed_leak_kbase_lib(off) declared as a public library
    helper so future LPE chains needing a stage-1 leak can just
    #include the module's header and call it.
  - entry_SYSCALL_64 slot offset overridable via
    IAMROOT_ENTRYBLEED_OFFSET (default 0x5600000 for lts-6.12.x).

- __always_inline fallback added since glibc/Linux-kernel macro
  isn't universal; module now builds clean under macOS clangd lint
  and on musl.

- iamroot.c registers entrybleed alongside the other families;
  Makefile gains it as a separate object set.

Verified end-to-end on kctf-mgr (Debian 6.12.86):
  iamroot --exploit entrybleed --i-know
  → [+] entrybleed: leaked kbase = 0xffffffff8d800000

This is the FIRST WORKING-EXPLOIT module in IAMROOT (5
copy_fail_family modules wrap existing code from DIRTYFAIL;
dirty_pipe is detect-only). EntryBleed is x86_64 stage-1 brick
that future chains can compose.

2026-05-16 19:55:22 -04:00

3 Commits