This is a crazy nested challenge: we firstly need to use side channel attack to leak admin_key.txt; then we need to exploit ss_agent to get the ability to open and operate on /dev/ss; then we need to exploit ss.ko to get the root shell; finally we need to exploit qemu to get the flag outside.

Original writeup (https://mem2019.github.io/jekyll/update/2021/07/06/TCTF2021-Secure-Storage.html).