KernelSnitch + Cross-Cache Reuse Lab Workspace

April 10, 2026

This repository contains a local kernel exploitation lab setup with two execution environments:

  • Buildroot VM (vm-start.sh)
  • kernelCTF-style VM (kernelctf-start.sh)

It also includes exploit PoCs, a loadable kernel module, and helper scripts to prepare matching kernels for VM and native runs.

Repository Layout

Common Workflows

1) Buildroot VM workflow

Prepare local VM assets:

make prepare-vm

Build exploits + module and start VM:

make run-vm

2) kernelCTF VM workflow

Download releases, prepare per-release kernel trees, and patch rootfs:

make prepare-kernelctf

Build exploits + module for a selected profile and start kernelCTF VM:

make MODULE_PROFILE_KERNELCTF=kernelctf-6.12 run-kernelctf

Supported kernelCTF profiles are defined in kernelctf-env/releases.map.

Native Execution Profiles

Use this when running directly on host/device kernels (not in the VM images).

Target          Kernel family              Exploit binary   Module profile
Ubuntu          6.5.0-14-generic           *.x86.elf        ubuntu-old
Ubuntu          6.8.0-101-generic          *.x86.elf        ubuntu
Fedora          6.18.13-200.fc43.x86_64    *.x86.elf        fedora
Raspberry Pi    6.12.47+rpt-rpi-v8         *.arm.elf        rasp
Android         6.1.145-android14          *.arm.elf        no dedicated native profile (see note below)

Android note:

  • Exploit binaries are supported (make -C exploits arm + adb push).
  • A native Android module profile is not defined in module/Makefile, but the module can still be used directly.

Native Build Commands

Exploits:

make -C exploits x86
make -C exploits arm

Module examples:

make -C module PROFILE=ubuntu-old all      # Ubuntu 6.5
make -C module PROFILE=ubuntu all          # Ubuntu 6.8
make -C module PROFILE=fedora all          # Fedora 6.18
make -C module PROFILE=rasp all            # Raspberry 6.12

Insert/remove module on native Linux systems with module support:

make -C module insert
make -C module remove

Build-only Targets

make build-exploits
make build-module
make build-module-vm
make build-module-kernelctf MODULE_PROFILE_KERNELCTF=kernelctf-6.12

Requirements

  • make, gcc, git, curl, awk
  • qemu-system-x86_64 (for VM runs)
  • aarch64-linux-gnu-gcc (optional, for ARM exploit builds)
  • debugfs + fdisk (for kernelctf-env/patch-rootfs.sh)
  • kernel headers/source for module builds
  • adb (optional, for Android/ARM deploy via make -C exploits push)

Demos

Fedora v6.18 - Successful msg_msg reclaim:

run-fedora.webm

KernelCTF v6.12 - Successful msg_msg reclaim:

run-kernelctf.webm

KernelCTF v6.12 - Successful pipe_buffer reclaim:

run-kernelctf-pipe.webm

Android untrusted_app - Successful pipe_buffer reclaim. Here, the second terminal is used for validating the leaked pipe_buffer address, showing the correct slab owner, kmalloc-cg-1k:

run-app.webm
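The Android demo validates the reclaim by checking which slab cache (kmalloc-cg-1k) owns the leaked object. An added example, not code from this repository: a small Python helper that parses the /proc/slabinfo v2.1 format and compares two snapshots to report kmalloc-cg-* caches whose active object count grew, which is a defender-side way to observe bursts of cgroup-accounted allocations in that cache. The two snapshots below are constructed; on a live system the same strings would be read from /proc/slabinfo (root) before and after the window of interest.

```python
"""Compare two /proc/slabinfo snapshots and report caches whose active object count grew.
Added example (not repository code); the sample snapshots are constructed."""
import re
from typing import Dict, List, Tuple

# /proc/slabinfo v2.1 data row: name active_objs num_objs objsize objperslab pagesperslab : tunables ...
_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+:")


def parse_slabinfo(text: str) -> Dict[str, Tuple[int, int, int]]:
    """Return {cache_name: (active_objs, num_objs, objsize)}; the version and '# name' header lines are skipped."""
    caches = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            caches[m.group(1)] = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return caches


def grown_caches(before: str, after: str, min_growth: int = 64,
                 prefix: str = "kmalloc-cg-") -> List[Tuple[str, int, int]]:
    """Caches matching `prefix` whose active object count rose by at least `min_growth`.
    Returns (name, active_before, active_after), largest growth first."""
    b, a = parse_slabinfo(before), parse_slabinfo(after)
    out = []
    for name, (act_after, _, _) in a.items():
        if not name.startswith(prefix):
            continue
        act_before = b.get(name, (0, 0, 0))[0]  # cache absent in the first snapshot counts as 0
        if act_after - act_before >= min_growth:
            out.append((name, act_before, act_after))
    out.sort(key=lambda t: t[2] - t[1], reverse=True)
    return out


# Constructed snapshots: the second one shows a burst of 1 KiB objects in kmalloc-cg-1k,
# the cache the Android demo reports as owner of the leaked pipe_buffer.
SNAPSHOT_BEFORE = """slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
kmalloc-cg-1k        120    128   1024   32    8 : tunables    0    0    0 : slabdata      4      4      0
kmalloc-cg-512       200    256    512   32    4 : tunables    0    0    0 : slabdata      8      8      0
kmalloc-1k           900    960   1024   32    8 : tunables    0    0    0 : slabdata     30     30      0
"""
SNAPSHOT_AFTER = """slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
kmalloc-cg-1k       1120   1152   1024   32    8 : tunables    0    0    0 : slabdata     36     36      0
kmalloc-cg-512       210    256    512   32    4 : tunables    0    0    0 : slabdata      8      8      0
kmalloc-1k           905    960   1024   32    8 : tunables    0    0    0 : slabdata     30     30      0
"""

if __name__ == "__main__":
    for name, before, after in grown_caches(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"{name}: active objects {before} -> {after} (+{after - before})")
```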