Exploiting the Linux Kernel

4800€ | 6th to the 9th of October 2025

A 4-day Linux kernel exploitation frenzy! This training guides researchers through the field of Linux kernel exploitation. In a series of practical labs, the training explores the process of exploiting kernel bugs in a modern Linux distribution on the x86-64 architecture. The training is structured as a series of lectures, each followed by one or more hands-on labs. The goal of each lab is to write a Linux kernel exploit following the techniques described during the lecture. The training starts with beginner topics but proceeds into advanced areas as well. The beginner chapters include learning how to escalate privileges and bypass foundational mitigations in x86-64 kernels. The advanced chapters are primarily dedicated to the modern slab (heap) exploitation techniques and include an in-depth analysis of the kernel allocators' internals. The core requirement for this training is the ability to read and write C code. Basic knowledge of the x86-64 architecture and assembly, GDB, and the common binary exploitation techniques would also come in handy. There is no need to know any Linux kernel internals: all required parts are covered during the training.


Objectives of the training

Security-relevant Linux kernel internals and attack surface.

Kernel privilege escalation techniques.

Exploiting stack, global, and slab (heap) vulnerabilities.

Exploiting use-after-free and out-of-bounds vulnerabilities.

KASLR, SMEP, SMAP, and KPTI bypasses.

In-kernel Return-Oriented Programming (ROP).

Data-only kernel exploitation.

Cross-cache and cross-allocator attacks.

The trainer

Who will run this training?

Andrey
Konovalov

xairy.io
@andreyknvl

Andrey Konovalov is a security researcher focusing on the Linux kernel.
Andrey found multiple zero-day bugs in the Linux kernel and published proof-of-concept exploits for these bugs to demonstrate the impact. Andrey is a contributor to several security-related Linux kernel subsystems and tools: KASAN — a fast dynamic bug detector, syzkaller — a production-grade kernel fuzzer, and Arm Memory Tagging Extension (MTE) — an exploit mitigation.
Andrey spoke at security conferences such as OffensiveCon, Android Security Symposium, Linux Security Summit, LinuxCon, and PHDays. Andrey also maintains a collection of Linux kernel security–related materials and a channel on Linux kernel security.
See xairy.io for all Andrey's articles, talks, and projects.

Syllabus

What will we do?

Course agenda

Day 1 — Internals and exploitation basics:
  • Internals and debugging: x86-64 architecture refresher; security-relevant Linux kernel internals and attack surface; types of kernel vulnerabilities; setting up kernel debugging environment with VMware; using GDB to debug kernel and its modules.
  • Escalating privileges: ret2usr, overwriting cred structure, overwriting modprobe_path; arbitrary address execution and arbitrary address read/write primitives.
Day 2 — Mitigation bypasses and slab exploitation basics:
  • Bypassing mitigations: KASLR, SMEP, SMAP, and KPTI internals and bypass techniques; in-kernel Return-Oriented Programming (ROP); information leaks.
  • Exploiting slab corruptions: in-depth SLUB internals; exploiting slab out-of-bounds and use-after-free vulnerabilities; slab-specific mitigations; data-only exploitation.
Day 3 — Modern slab exploitation:
  • Exploiting more slab corruptions: cache merging and accounting; hardened usercopy; elastic objects; msg_msg-based exploitation techniques.
Day 4 — Advanced exploitation:
  • Userfaultfd and FUSE; related exploitation techniques.
  • Cross-cache and cross-allocator attacks; page table–based exploitation techniques.
  • Learning more advanced exploitation techniques; useful references.

Student requirements

  • Working C knowledge.
  • Familiarity with x86-64 architecture and x86-64 assembly.
  • Familiarity with GDB (GNU Debugger).
  • Familiarity with common types of vulnerabilities and exploitation techniques for userspace applications.

No knowledge about Linux kernel internals is required.

Hardware requirements

  • x86-64–based machine.
  • At least 100 GB of free disk space.
  • At least 16 GB of RAM.
  • Ability to plug in an untrusted USB drive (relevant for corporate laptops).

Software requirements

  • Host OS: Linux (recommended) or Windows.
  • VMWare Workstation Player or Pro.
  • 7-Zip.

Provided to students

A USB drive with:

  • Presentation slides.
  • Detailed lab guides with step-by-step instructions.
  • Virtual machine images with tools, exercise binaries, and source code.

Other trainings

What else might interest you?

Read more

Hypervisor development for security analysis

Satoshi Tanda

Read more

AI Agents for Cybersecurity

Richard Johnson

Read more

Azure intrusion for red teamers

Paul Barbé & Matthieu Barjole

Read more

From KVM to Mobile Security Platforms - Attacking Hypervisors

zi & Specter

Read more

iOS for Security Engineers

Quentin Meffre & Etienne Helluy-Lafont

Read more

Modern Malware OPSEC & Anti-Reverse Techniques Implementation and Reversing

Silvio La Porta & Antonio Villani

Read more

Practical Baseband Exploitation

Pedro Ribeiro & Nitay Artenstein

Read more

Software Deobfuscation Techniques

Tim Blazytko

contact@hexacon.fr

Discord

@hexacon_fr

About

The Hexacon team

The committee

Code of conduct

Archives

2022

2023

2024