KernelGP: Racing Against the Android Kernel

Chariton Karamitas

OffensiveCon 2025 · Day 2 · Main

Chariton Karamitas of Census Labs presents four novel techniques for forcing the Android kernel to delay execution, enabling attackers to win race conditions without relying on `userfaultfd`, which is either disabled or unreliable on Android. Three techniques exploit Android's scoped storage and proxy file descriptor mechanisms (both built on FUSE) from the untrusted app SELinux domain; a fourth exploits the Incremental File System from the system app domain. Because these techniques are grounded in core Android architectural design decisions, they are difficult to mitigate without breaking platform functionality.

AI review

KernelGP fills a real gap: Android race-condition exploitation has lacked a stable replacement for `userfaultfd` since vendors started restricting it, and Karamitas delivers four techniques grounded in Android's own framework architecture rather than one. The proxy file descriptor cross-process blocking primitive and the Incremental File System demand-load primitive (functionally equivalent to `userfaultfd`) are both immediately usable by anyone holding an Android race-condition bug. The claim that the techniques cannot be mitigated without breaking platform functionality is the talk's central point, and it is well argued.

Watch on YouTube