112 lines
4.2 KiB
Markdown
112 lines
4.2 KiB
Markdown
# Roadmap
|
|
|
|
What's coming next, in priority order. Dates are aspirational, not
|
|
commitments.
|
|
|
|
## Phase 0 — Bootstrap (DONE as of 2026-05-16)
|
|
|
|
- [x] Repo structure (modules/, core/, docs/, tools/, tests/)
|
|
- [x] Absorbed DIRTYFAIL as the first module
|
|
(`modules/copy_fail_family/`)
|
|
- [x] Top-level README, CVES.md, ROADMAP.md, docs/ARCHITECTURE.md,
|
|
docs/ETHICS.md
|
|
- [x] LICENSE (MIT)
|
|
- [x] Private GitHub repo
|
|
|
|
## Phase 1 — Make the bundling real (next session)
|
|
|
|
- [ ] Top-level `iamroot` dispatcher CLI (`iamroot.c`) — module
|
|
registry, fingerprint, route to module's detect/exploit
|
|
- [ ] Module interface header (`core/module.h`) — standard
|
|
`iamroot_module` struct each module exports
|
|
- [ ] Refactor `modules/copy_fail_family/` internals to expose the
|
|
standard module interface
|
|
- [ ] Extract shared code into `core/`: `apparmor_bypass.c`,
|
|
`exploit_su.c`, `common.c`, `fcrypt.c` (currently duplicated
|
|
under the absorbed DIRTYFAIL tree)
|
|
- [ ] Top-level `Makefile` that builds all modules into one binary
|
|
- [ ] Smoke test: `iamroot --scan --json` on Ubuntu 26.04
|
|
produces sensible output
|
|
|
|
## Phase 2 — Add Dirty Pipe (CVE-2022-0847)
|
|
|
|
Public PoC, well-understood, useful for completeness — IAMROOT
|
|
without Dirty Pipe is incomplete as a "historical bundle." Affects
|
|
kernels ≤5.16.11/≤5.15.25/≤5.10.102 so coverage is older
|
|
deployments (worth bundling — many production boxes still run
|
|
these).
|
|
|
|
- [ ] `modules/dirty_pipe_cve_2022_0847/` — exploit + detect + range
|
|
metadata
|
|
- [ ] Test matrix: Ubuntu 20.04 (vulnerable kernels), Debian 11
|
|
(vulnerable kernels), modern kernels (immune — should detect
|
|
as patched)
|
|
- [ ] Detection rules: auditd splice/pipe write patterns
|
|
|
|
## Phase 3 — Add EntryBleed (CVE-2023-0458) as stage-1 leak brick
|
|
|
|
EntryBleed is **not a standalone LPE**. It's a **kbase leak
|
|
primitive** that other modules can chain. Bundle it because:
|
|
|
|
- Stage-1 of any future "build-your-own LPE" workflow
|
|
- Detection rules for KPTI side-channel attempts are useful for
|
|
defenders
|
|
- Already works empirically on lts-6.12.88 (verified 2026-05-16)
|
|
|
|
- [ ] `modules/entrybleed_cve_2023_0458/` — leak primitive +
|
|
detect-mitigations
|
|
- [ ] Exposed as a library helper: other modules can call
|
|
`entrybleed_leak_kbase()` when they need a kbase
|
|
|
|
## Phase 4 — CI matrix
|
|
|
|
- [ ] Distro+kernel VM matrix in GitHub Actions (Ubuntu 20.04 /
|
|
22.04 / 24.04 / 26.04, Debian 11 / 12 / 13, Alma 8 / 9 / 10,
|
|
Fedora 39 / 40 / 41)
|
|
- [ ] Each module's exploit runs against matched-vulnerable VMs and
|
|
MUST land root; runs against patched VMs and MUST fail at
|
|
detect step
|
|
- [ ] Nightly run; failures open issues automatically
|
|
|
|
## Phase 5 — Detection signature export
|
|
|
|
- [ ] `iamroot --detect-rules --format=sigma` — Sigma rules per CVE
|
|
- [ ] `--format=yara` — YARA rules for static detection of exploit
|
|
binaries
|
|
- [ ] `--format=auditd` — auditd `.rules` snippets
|
|
- [ ] `--format=falco` — Falco rule snippets
|
|
- [ ] Sample SOC playbook in `docs/DETECTION_PLAYBOOK.md`
|
|
|
|
## Phase 6 — Mitigation mode
|
|
|
|
- [ ] `iamroot --mitigate` walks the host's vulnerabilities, applies
|
|
temporary sysctl / module-blacklist / LSM workarounds
|
|
- [ ] Per-CVE rollback procedure if the mitigation breaks something
|
|
- [ ] Idempotent: running twice is safe
|
|
|
|
## Phase 7+ — More modules
|
|
|
|
Backfill of historical and recent LPEs as time allows:
|
|
|
|
- [ ] **CVE-2021-3493** — overlayfs nested-userns LPE
|
|
- [ ] **CVE-2021-4034** — Pwnkit (pkexec env handling)
|
|
- [ ] **CVE-2022-2588** — net/sched route4 dead UAF
|
|
- [ ] **CVE-2023-2008** — vmwgfx OOB write
|
|
- [ ] **CVE-2024-1086** — netfilter nf_tables UAF
|
|
- [ ] Fragnesia (if it lands as a CVE)
|
|
- [ ] Anything we ourselves disclose — bundled AFTER upstream patch
|
|
ships (responsible-disclosure-first)
|
|
|
|
## Non-goals
|
|
|
|
- **No 0-day shipment.** Everything in IAMROOT is post-patch.
|
|
- **No automated mass-targeting.** No host-list mode. No automatic
|
|
pivoting.
|
|
- **No persistence beyond `--exploit-backdoor`'s
|
|
`/etc/passwd` overwrite**, which is overt and easily detected by
|
|
any auditd rule we ship ourselves. Persistence-as-evasion is out
|
|
of scope.
|
|
- **No container-runtime escapes** unless they cleanly chain to
|
|
host-root.
|
|
- **No Windows / macOS / non-Linux targets.** Focus is the moat.
|