Introduction to Linux Kernel Security - pwn.college LLC Trainers - DCTLV2026
Name of Training: Introduction to Linux Kernel Security
Trainer(s): pwn.college LLC Trainers
Dates: August 10-11, 2026
Time: 8:00 am to 5:00 pm
Venue: Las Vegas Convention Center
Cost: $3,500
Short Summary:
A practical, intermediate course on Linux kernel security and exploitation fundamentals. Overwhelming majority of class time is hands-on in an interactive, browser-based environment (no local setup), building real skills that students can keep practicing after the training with continued platform access.
Course Description:
This course teaches the core techniques and workflows behind Linux kernel security and exploitation using a sequence of focused, applied labs. Students analyze common kernel interfaces (`procfs`, character devices, IOCTLs), recognize dangerous patterns (state machines, unchecked copies, function-pointer adjacency), and practice safe, repeatable methods to gain control and escalate privileges inside a controlled environment.
The pwn.college philosophy is simple: mastery comes from doing. We minimize lecture and maximize keyboard time. All labs run in a browser-based, self-contained environment with compilers, editors, and terminals—no local installs required—and access continues after class so students can revisit, review, and refine.
Course Outline:
# Day 1 — Foundations and Controlled Primitives
- **Kernel model & syscall path**
- Memory model and privilege rings at a conceptual level (userspace ↔ kernel transition, syscall path)
- **Environment & debugging workflow**
- Build/launch QEMU + BusyBox environment; attach gdb (remote :1234)
- Load kernel symbols or inspect `/proc/kallsyms`
- Stepping from user → kernel
- **Character devices & `procfs` basics (hands-on)**
- Device file interaction patterns
- Simple state machines
- `printk`/`dmesg` triage and safe observation
- **IOCTL interaction patterns (hands-on)**
- Command codes and argument structs
- `copy_from_user` / `copy_to_user` patterns and common pitfalls
- Handling of pointers passed via ioctl.
- **Privilege & kernel-API payloads**
- Conceptual representation of credentials
- Reasoning about `prepare_kernel_cred(0)` / `commit_creds(...)`
- Why `syscall` from kernel space crashes
- Calling kernel APIs (indirect absolute calls)
- Constructing payloads that return cleanly
# Day 2 — Memory Corruption and Advanced Workflows
- **Function-pointer overwrite **
- Adjacent-field overflows, callback clobbering, redirecting to in-kernel helpers, validating stability.
- **KASLR-aware reasoning & address discovery**
- Techniques for discovering/deriving useful addresses when symbols are randomized.
- **Seccomp escape workflow**
- How `TIF_SECCOMP` lives in `thread_info.flags`, `gs`-based access to `current`, and practical verification of expanded syscall capability.
- **Page-table walking to recover residual data**
- Inspecting page tables to locate and recover residual/"lost" secrets
- virtual→physical mapping concepts and safe inspection patterns
- **Userspace helper coordination & clean exits**
- Designing userspace helpers that interoperate with kernel code under constrained syscall allow-lists
- Ensuring payloads return cleanly so kernel stability is preserved.
Difficulty Level:
Intermediate - The student has education and some experience in the field and familiarity with the topic being presented. The student has foundational knowledge that the course will leverage to provide practical skills on the topic.
Suggested Prerequisites:
- Comfortable with Linux command line and basic systems programming
- Working knowledge of C, ability to follow simple x86-64 assembly (function calls, stack frames)
- Familiarity with gdb
What Students Should Bring:
- A laptop with a modern web browser (Chrome/Firefox/Safari/Edge)
- Reliable internet access (Wi-Fi or wired)
- That’s it—**no local setup required.**
What the Trainer Will Provide:
- **Browser-based training platform** with all labs, compilers, and tooling pre-installed
- Curated challenge set and stepwise hints (no solution dumps)
- Slides (PDF) and quick reference sheets
- Continued platform access **after the training** for further practice
Trainer(s) Bio:
pwn.college designs and delivers hands-on security education with an emphasis on measurable skill-building. The team builds challenge-driven curricula spanning kernel, binary exploitation, and program analysis, and has authored numerous training labs and CTF challenges used by practitioners and learners worldwide.
Zardus (Yan Shoshitaishvili, PhD) has been part of the DEF CON community since DEF CON 9 (2001) and part of the Shellphish CTF team since DEF CON 17 (2009). He ran DEF CON CTF for four years (2018-2021) with Order of the Overflow, and successfully captained Shellphish through the participation in the DARPA Cyber Grand Challenge, in which they won third place and a spot in history (but not in the Smithsonian). Now he is an Associate Professor of Computer Science at Arizona State University and co-founder of pwn.college, where he has taught tens of thousands of students how to hack.
kanak (Connor Nelson, PhD) is a DEF CON veteran and has been part of the DEF CON CTF community since 2015. He has been a member of the Shellphish CTF team since 2018, and has competed in numerous CTFs around the world. He is the chief architect and co-founder of pwn.college, where he has helped design and deliver education to tens of thousands of students. His research primarily focuses on the intersection between CTF and education, and he has published several papers on the topic.
adamd (Adam Doupé, PhD) is equal parts hacker and educator, seamlessly blending exploits and insights. With deep roots in DEF CON culture, he ran the renowned DEF CON CTF with Order of the Overflow from 2018 to 2021, after competing in several editions with Shellphish. As Director of Arizona State University's Center for Cybersecurity & Trusted Foundations (CTF), he unearths vulnerabilities—including multiple CVEs in Apple's core OS—and transforms complex security topics into digestible, engaging lessons. Winner of the NSF CAREER Award and the ASU Fulton Best Teacher Award, he brings an infectious enthusiasm to cybersecurity education that resonates with both seasoned hackers and new learners alike.
Proficiency Exam Option:
This course has the option for a proficiency certificate add-on. Students who complete 70% or more of the required challenges, including the final exam-specific challenge, will be eligible for a proficiency certificate.
Please reach out to training@defcon.org for any questions related to the proficiency exam and certificate option.
Registration Terms and Conditions:
Trainings are refundable before July 11, 2026, minus a non-refundable processing fee of $250.
Between July 11, 2026 and August 5, 2026 partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.
All trainings are non-refundable after August 5, 2026.
Training tickets may be transferred to another student. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.
DEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.