leviathan/SKELETONKEY

Fork 0

Files

T

History

leviathan 66cca39a55

release / build (arm64) (push) Waiting to run

Details

release / build (x86_64) (push) Waiting to run

Details

release / build (x86_64-static / musl) (push) Waiting to run

Details

release / build (arm64-static / musl) (push) Waiting to run

Details

release / release (push) Blocked by required conditions

Details

release v0.9.2: dirtydecrypt verified on mainline 6.19.7 (22 → 28)

Verifies CVE-2026-31635 dirtydecrypt's OK path on a kernel that
predates the bug: 'kernel predates the rxgk RESPONSE-handling code
added in 7.0' — match. Confirms detect() doesn't false-positive on
older 6.x kernels.

Attempted fragnesia (CVE-2026-46300) but mainline 7.0.5 .debs depend
on libssl3t64 / libelf1t64 (t64-transition libs from Ubuntu 24.04+ /
Debian 13+). No Parallels-supported Vagrant box ships those yet —
dpkg --force-depends leaves the kernel package in iHR state with no
/boot/vmlinuz. Marked manual: true with rationale.

Verifier infrastructure: pin-mainline now uses dpkg --force-depends as
a fallback so partial-install state can at least be inspected.

2026-05-24 00:03:35 -04:00

provisioners

release v0.9.1: VM verification sweep 22 → 27

2026-05-23 23:35:02 -04:00

README.md

tools/verify-vm: turnkey Vagrant + Parallels verification scaffolding

2026-05-23 11:19:28 -04:00

setup.sh

tools/verify-vm: turnkey Vagrant + Parallels verification scaffolding

2026-05-23 11:19:28 -04:00

targets.yaml

release v0.9.2: dirtydecrypt verified on mainline 6.19.7 (22 → 28)

2026-05-24 00:03:35 -04:00

Vagrantfile

release v0.9.2: dirtydecrypt verified on mainline 6.19.7 (22 → 28)

2026-05-24 00:03:35 -04:00

verify.sh

release v0.9.1: VM verification sweep 22 → 27

2026-05-23 23:35:02 -04:00

README.md

SKELETONKEY VM verification

Auto-provisions a Parallels Desktop VM with a known-vulnerable kernel, runs skeletonkey --explain <module> --active inside it, and emits a verification record. Closes the loop between "detect() compiles & passes unit tests" and "exploit() actually works on a real vulnerable kernel."

One-time setup

./tools/verify-vm/setup.sh

That installs (if missing): Vagrant via Homebrew, the vagrant-parallels plugin, and pre-downloads ~5 GB of base boxes (Ubuntu 18.04/20.04/22.04

Debian 11/12). Idempotent — re-run any time.

To skip boxes you don't need (save disk):

./tools/verify-vm/setup.sh ubuntu2004 debian11   # only those two

Verify a single module

./tools/verify-vm/verify.sh nf_tables

What that does:

Reads tools/verify-vm/targets.yaml: finds nf_tables → box generic/ubuntu2204 + kernel pin linux-image-5.15.0-43-generic.
vagrant up skk-nf_tables (provisions on first call, resumes on subsequent).
Installs the pinned vulnerable kernel via apt, reboots.
Mounts the local repo at /vagrant, runs make, then runs skeletonkey --explain nf_tables --active.
Parses the VERDICT: line, compares against expect_detect from targets.yaml, emits a JSON verification record on stdout.
Suspends the VM (vagrant suspend) — instant resume next run.

Lifecycle flags:

./tools/verify-vm/verify.sh nf_tables --keep      # leave VM running; ssh in to inspect
./tools/verify-vm/verify.sh nf_tables --destroy   # full teardown after run

List every target

./tools/verify-vm/verify.sh --list

Shows the (module, box, target kernel, expected verdict, notes) matrix for all 26 modules. Three are flagged manual: true because no public Vagrant box covers them:

vmwgfx — only reachable on VMware guests; needs a vSphere/Fusion VM not Parallels.
dirtydecrypt, fragnesia — only present in Linux 7.0+ which isn't shipping as a distro kernel yet.

For those, verification needs a hand-built or special-distro VM.

Verification records

verify.sh emits JSON on stdout after each run. Example:

{
  "module":        "nf_tables",
  "verified_at":   "2026-05-23T17:42:11Z",
  "host_kernel":   "5.15.0-43-generic",
  "host_distro":   "Ubuntu 22.04.5 LTS",
  "vm_box":        "generic/ubuntu2204",
  "expect_detect": "VULNERABLE",
  "actual_detect": "VULNERABLE",
  "status":        "match",
  "log":           "tools/verify-vm/logs/verify-nf_tables-20260523-174211.log"
}

status: match means detect() returned what we expected on a known- vulnerable kernel. Anything else (MISMATCH, status code != 0) means either:

The kernel pin didn't take (check host_kernel against kernel_version in targets.yaml).
The exploit's preconditions aren't met in the default Vagrant image (e.g. apparmor blocks unprivileged userns; need to adjust the Vagrantfile provisioner).
The detect() logic is wrong for this kernel/distro combo (a real bug — fix it).

Records are intended to feed a per-module verified_on[] table (next project step) so --list can show a ✓ verified <date> column.

How it routes module → box

Mapping lives in tools/verify-vm/targets.yaml. Each entry has:

box — which boxes/ template (e.g. ubuntu2204)
kernel_pkg — apt package name to install if the stock kernel is patched (omit / empty if stock is already vulnerable)
kernel_version — what uname -r should report after install
expect_detect — VULNERABLE | OK | PRECOND_FAIL
notes — short rationale; comments in the file have the full context

Adding a new module is one block in targets.yaml. The verifier picks it up automatically.

Files

tools/verify-vm/
├── README.md       this file
├── setup.sh        one-time bootstrap (Vagrant, plugin, box cache)
├── verify.sh       per-module verifier
├── Vagrantfile     parameterized VM config (driven by SKK_VM_* env vars)
├── targets.yaml    module → box mapping with rationale
└── logs/           per-verification stdout/stderr capture

Why Vagrant + Parallels

You already have Parallels Desktop. vagrant-parallels gives a scriptable per-VM config + a curated public box library + idempotent vagrant up/provision/reload/suspend lifecycle. The Vagrantfile is parameterized via env vars so a single file drives every target.

Alternative providers (Lima, Multipass) would also work; Vagrant was chosen for ergonomic continuity with the existing Parallels install.