NOTICE

fcrypt S-box constants and key schedule

src/fcrypt.c contains the four 256-byte S-box tables SBOX0_RAW, SBOX1_RAW, SBOX2_RAW, and SBOX3_RAW, along with the 56-bit key packing and 11-bit-rotation key schedule for the rxkad fcrypt cipher.

These tables and the key schedule are protocol constants of the Andrew File System (AFS) rxkad authentication scheme. They appear verbatim in:

  • The Linux kernel's crypto/fcrypt.c (GPL-2.0, Copyright © David Howells / KTH)
  • IBM's open-source AFS distribution
  • OpenAFS upstream
  • Heimdal Kerberos (rxkad implementation)

Cryptographic constants required by a wire protocol are facts about the protocol, not creative expression — using them is what makes interoperability with the Linux kernel possible. We list this here for transparency: while the S-box bytes are identical to the kernel's table, the rest of src/fcrypt.c (table preprocessing, brute-force harness, predicates, splitmix64 search) is independently written DIRTYFAIL code under the project's MIT license.

If you intend to redistribute DIRTYFAIL in a context where strict license compatibility matters, treat src/fcrypt.c as carrying the same license obligations as the kernel crypto/fcrypt.c source for the S-box constants alone.

Reference exploits

The detection and exploit techniques in DIRTYFAIL were studied from:

DIRTYFAIL implementations are independently written in C, organized around a single binary with detection-first defaults, but the protocol mechanics (XFRM SA layout, RxRPC handshake forgery, rxkad checksum formula) are necessarily identical to the upstream PoCs because they target the same kernel interfaces.

Additional techniques from 0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo

The following DIRTYFAIL features draw on techniques first published by 0xdeadbeefnetwork:

  • src/copyfail_gcm.c — rfc4106(gcm(aes)) AEAD in xfrm-ESP, using AES-GCM keystream brute-force to land a single byte at an arbitrary file offset. Reimplemented in DIRTYFAIL style using AF_ALG instead of OpenSSL EVP, eliminating the libssl-dev runtime dependency.
  • src/dirtyfrag_esp6.c — IPv6 dual of xfrm-ESP. cf2 demonstrated the esp6 size-gate workaround (≥48-byte frame); we reproduce that with an 8-byte vmsplice'd pad.
  • src/apparmor_bypass.c — the change_onexec(crun) → change_onexec(chrome) → unshare re-exec dance to escape Ubuntu's unprivileged-userns AppArmor restriction. cf2 credits the technique to Brad Spengler (grsecurity); we expose it as a --aa-bypass flag and auto-arm it when a restrictive profile is detected.
  • src/backdoor.c — length-matched overwrite of a nologin line in /etc/passwd with dirtyfail::0:0:<pad>:/:/bin/bash. cf2 publishes the shell-script harness (and uses the username sick); DIRTYFAIL ports it into a single C function driving our 1-byte primitive, with the username matched to this project for easy auditing.

See README §11 — Credits for the full list.