Summary
In this blog post, we will see how to download the Linux kernel source, compile it, and prepare it for debugging with KGDB/GDB.
Description
Introduction
When I started analyzing vulnerabilities in the Linux kernel, it was not easy to find smooth, easy-to-follow resources that walk you step by step through building the kernel, configuring it, and setting up KGDB debugging.
What is KGDB
Kgdb is intended to be used as a source-level debugger for the Linux kernel. It is used along with gdb to debug a Linux kernel. The expectation is that gdb can be used to “break in” to the kernel to inspect memory and variables, and to look through call stack information, similar to the way an application developer would use gdb to debug an application. It is possible to place breakpoints in kernel code and perform some limited execution stepping.
What is a serial port?
Oracle VM VirtualBox supports the use of virtual serial ports in a virtual machine.
Ever since the original IBM PC, personal computers have been equipped with one or two serial ports, also called COM ports by DOS and Windows. Serial ports were commonly used with modems, and some computer mice used to be connected to serial ports before USB became commonplace.
While serial ports are no longer as common as they used to be, there are still some important uses left for them. For example, serial ports can be used to set up a primitive network over a null-modem cable, in case Ethernet is not available. Also, serial ports are indispensable for system programmers needing to do kernel debugging, since kernel debugging software usually interacts with developers over a serial port. With virtual serial ports, system programmers can do kernel debugging on a virtual machine instead of needing a real computer to connect to.
Why choose Host Pipe port mode?
As explained in the Oracle documentation:
Host Pipe: Configure Oracle VM VirtualBox to connect the virtual serial port to a software pipe on the host. This depends on your host OS, as follows:
On a Windows host, data will be sent and received through a named pipe. The pipe name must be in the format \\.\pipe\name
where the name should identify the virtual machine but may be freely chosen.
On a Mac, Linux, or Oracle Solaris host, a local domain socket is used instead. The socket filename must be chosen such that the user running Oracle VM VirtualBox has sufficient privileges to create and write to it. The /tmp directory is often a good candidate.
On Linux, there are various tools that can connect to a local domain socket or create one in server mode. The most flexible tool is socat which is available as part of many distributions.
In this case, you can configure whether Oracle VM VirtualBox should create the named pipe (or the local domain socket on non-Windows hosts) itself, or whether Oracle VM VirtualBox should assume that the pipe or socket exists already. With the VBoxManage command-line options, this is referred to as server mode or client mode, respectively.
For a direct connection between two virtual machines, corresponding to a null-modem cable, simply configure one VM to create a pipe or socket and another to attach to it.
Build the lab
Set up the VMs
I’m using ubuntu-20.04.4-live-server-amd64. I will create two VMs: one is the attacker and the other is the target.
The target VM is the one you will be debugging; the attacker is the VM where GDB runs and from which you do the debugging.
NOTE: You will need a large disk, around 50GB, so you can compile the Linux kernel.
While creating the first VM (the target machine), you have to configure the serial port.
Enable it and change the port mode from “Disconnected” to “Host Pipe”; also uncheck “Connect to existing pipe/socket”, since we don’t have one yet (the target creates it, i.e. server mode).
Note that the pipe/socket name (vsocietyblog in my setup) can be changed to anything you want.
Save and start the machine.
Install dependencies
First, install some dependencies:
sudo apt install build-essential libncurses-dev bison flex libssl-dev libelf-dev dwarves -y
Download from here:
Download the kernel version you want; there are multiple sources to download from.
These are some sources I have used before in my vulnerability analysis articles.
Compile it
Extract the kernel archive:
tar -xvzf linux-5.15.39.tar.gz
Let’s start compiling:
sudo make -j $(nproc)
-j $(nproc)
This tells make to use all the CPU cores we have.
Take a walk, grab a coffee ☕, this will take time 😂
sudo make modules_install
sudo make install
sudo update-initramfs -c -k 5.15.39
sudo update-grub
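The build above only produces a kernel that KGDB can attach to if the debugger options are enabled in the kernel .config before running make. The script below is an added example, not code from the original post: it checks a .config for the options the kgdb documentation in the Resources section asks for (CONFIG_KGDB, CONFIG_KGDB_SERIAL_CONSOLE, CONFIG_DEBUG_INFO, CONFIG_FRAME_POINTER, plus CONFIG_MAGIC_SYSRQ so you can break in with SysRq-g) and enables any that are missing. The option list is my assumption about what this lab needs, and the sample .config it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): make sure the kernel .config
# has the options KGDB needs before running "make".
# Option list is an assumption based on the kgdb documentation.
KGDB_OPTS="CONFIG_KGDB CONFIG_KGDB_SERIAL_CONSOLE CONFIG_DEBUG_INFO CONFIG_FRAME_POINTER CONFIG_MAGIC_SYSRQ"

# Print, one per line, every required option that is not "=y" in the .config.
kgdb_config_missing() {
    cfg=$1
    for opt in $KGDB_OPTS; do
        grep -q "^${opt}=y$" "$cfg" || echo "$opt"
    done
}

# Enable every required option in place. Kconfig writes disabled bools as
# "# CONFIG_X is not set"; options missing entirely are appended. A temp file
# is used instead of "sed -i" so the script also works on macOS hosts.
kgdb_config_enable() {
    cfg=$1
    for opt in $KGDB_OPTS; do
        if grep -q "^# ${opt} is not set$" "$cfg"; then
            sed "s/^# ${opt} is not set$/${opt}=y/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
        elif grep -q "^${opt}=" "$cfg"; then
            sed "s/^${opt}=.*$/${opt}=y/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
        else
            echo "${opt}=y" >> "$cfg"
        fi
    done
}

# Constructed sample .config fragment for the demonstration (not a real
# build's config): one option disabled, one absent, one already enabled.
make_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_LOCALVERSION=""
# CONFIG_KGDB is not set
CONFIG_DEBUG_INFO=y
# CONFIG_FRAME_POINTER is not set
CONFIG_MAGIC_SYSRQ=y
EOF
}

# Demo: run as "sh kgdb-config.sh demo" to see the check/enable cycle on the
# sample; in the real kernel tree call "kgdb_config_enable .config" and then
# run "make olddefconfig" so Kconfig resolves any dependent options.
if [ "${1:-}" = "demo" ]; then
    make_sample_config ./sample.config
    echo "missing before:"; kgdb_config_missing ./sample.config
    kgdb_config_enable ./sample.config
    echo "missing after:";  kgdb_config_missing ./sample.config
fi
```

After enabling the options, run make olddefconfig before the full build so Kconfig fills in the dependencies these options pull in. The kgdb documentation also advises turning off CONFIG_STRICT_KERNEL_RWX on architectures that support it, because it can prevent kgdb from planting breakpoints; the script leaves that decision to you. The kernel only waits for the debugger at boot if the kernel command line carries kgdboc=ttyS0,115200 kgdbwait (per the kgdb docs), which is set on the GRUB line rather than in .config.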
Attacker Machine
Once you have gone through the first part and everything worked fine, we will set up the attacker machine; basically, all the settings are the same.
I’m also using Ubuntu server 20.04.4.
Now move the vmlinux file from the target to the attacker; you can use scp, an HTTP server, or whatever you prefer.
vmlinux contains all the symbols we need to debug the kernel.
vmlinux is a statically linked executable file that contains the Linux kernel in one of the object file formats supported by Linux, which includes Executable and Linkable Format (ELF) and Common Object File Format (COFF). The vmlinux file might be required for kernel debugging, symbol table generation or other operations, but must be made bootable before being used as an operating system kernel by adding a multiboot header, bootsector and setup routines.
Boot from the new kernel
Now, reboot the target VM, and once you get to this point,
press Shift to get the GRUB menu and choose the new kernel.
You will see the target machine waiting for KGDB.
On the attacker machine, run gdb:
sudo gdb ./vmlinux-5.15.39
target remote /dev/ttyS0
Once you run the above commands, you get the following message,
and you will notice that the target machine is paused. Use the c
command to continue.
After that, you will notice that the target machine continues booting to the login prompt.
And you are ready 😎🐧
Error fixing
To fix the Debian certs error:
sudo mkdir -p /usr/local/src/debian
sudo apt install linux-source -y
sudo cp -v /usr/src/linux-source-*/debian/canonical-*.pem /usr/local/src/debian/
sudo apt purge linux-source* -y
The relevant section of the .config file:
#
# Certificates for signature checking
#
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
CONFIG_MODULE_SIG_KEY_TYPE_ECDSA=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="/usr/local/src/debian/canonical-certs.pem"
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS="/usr/local/src/debian/canonical-revoked-certs.pem"
# end of Certificates for signature checking
Alternatively, leave the key paths empty in the config:
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS=""
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS=""
If you used this config, the build might complain with the following:
BTF: .tmp_vmlinux.btf: pahole (pahole) is not available
sudo apt install dwarves -y
Always start the target VM first
When you start the VMs, always run the target VM first and the attacker after it;
otherwise, you will face this error:
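The reason for the ordering is the serial port setup from earlier: the target VM creates the host pipe/socket (server mode) and the attacker VM attaches to an existing one (client mode), so the attacker cannot start until the socket is there. The script below is an added example for a Linux or macOS host, not part of the original post: it starts the target, polls for the socket, and only then starts the attacker. The VM names, the socket path /tmp/vsocietyblog and the 30-second timeout are assumptions; change them to match your VirtualBox settings.

```shell
#!/bin/sh
# Added example (not from the original post): start the VMs in the right order.
# VM names and socket path are assumptions; override them via the environment.
TARGET_VM=${TARGET_VM:-target}
ATTACKER_VM=${ATTACKER_VM:-attacker}
SERIAL_SOCK=${SERIAL_SOCK:-/tmp/vsocietyblog}

# Poll until the given path exists or TIMEOUT seconds pass.
# Returns 0 when the path appeared, 1 on timeout. On a Linux/macOS host the
# path is the unix domain socket VirtualBox creates for the serial port;
# -e is used so the same check also works on a plain file in tests.
wait_for_socket() {
    path=$1
    timeout=${2:-30}
    waited=0
    while [ ! -e "$path" ]; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Start the target with a GUI (you need the console to press Shift for GRUB),
# wait for its serial socket, then start the attacker.
start_lab() {
    VBoxManage startvm "$TARGET_VM" --type gui || return 1
    if ! wait_for_socket "$SERIAL_SOCK" 30; then
        echo "serial socket $SERIAL_SOCK did not appear; is the target's port in Host Pipe mode?" >&2
        return 1
    fi
    VBoxManage startvm "$ATTACKER_VM" --type gui
}

# Run as "sh start-lab.sh start" on the host; sourcing the file only defines
# the functions.
if [ "${1:-}" = "start" ]; then
    command -v VBoxManage >/dev/null 2>&1 || { echo "VBoxManage not found" >&2; exit 1; }
    start_lab
fi
```

If the wait times out, the usual cause is the target's serial port still in "Disconnected" mode or a socket path that differs from the one set in the VM's serial port settings.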
Resources
- https://www.kernel.org/doc/html/v4.14/dev-tools/kgdb.html
- https://docs.oracle.com/en/virtualization/virtualbox/6.0/user/serialports.html
- https://en.wikipedia.org/wiki/Vmlinux
Join vsociety: https://vsociety.io/
Check out our Discord: https://discord.gg/sHJtMteYHQ