Difference between revisions of "Exploit Methods/Kernel location"

From Linux Kernel Security Subsystem

Latest revision as of 22:55, 4 November 2015

Details

Finding the kernel location can be an important first step for exploitation. Without it, for example, it's harder to make kernel function calls for privilege escalation. Besides the kernel itself, lots of other locations may be valuable to an attacker. See Kernel pointer leaks for more information.

Examples

Mitigations

  • hide symbols and kernel pointers (see Kernel pointer leaks)
  • kernel ASLR
  • runtime randomization of kernel functions
  • executable-but-not-readable memory
  • per-build structure layout randomization (e.g. GRKERNSEC_RANDSTRUCT)
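An added check, not part of this wiki page, that reports which of the mitigations above a live Linux host actually has. It uses the mainline and grsecurity knob names (kptr_restrict, CONFIG_RANDOMIZE_BASE, the RANDSTRUCT configs), which the page does not spell out, and assumes the distribution keeps the build config at /boot/config-<release>; "runtime randomization" and "execute-only memory" have no standard knob and are not checked.

```python
# Added audit (not from the wiki page). Knob names are mainline/grsecurity config and
# sysctl names; the /boot/config-<release> path is an assumption about the distribution.
import os
import re

KALLSYMS_LINE = re.compile(r"^([0-9a-f]+) [A-Za-z] \S+")

def read_text(path, limit=1 << 16):
    """Return up to `limit` characters of a file, or "" if it cannot be read."""
    try:
        with open(path, "r", errors="replace") as f:
            return f.read(limit)
    except OSError:
        return ""

def kptr_restrict_ok(value):
    """kptr_restrict=1 hides %pK pointers from non-CAP_SYSLOG readers, 2 from everyone."""
    return value.strip() in ("1", "2")

def kallsyms_leaks_addresses(kallsyms_text):
    """True if a non-zero symbol address is visible in a /proc/kallsyms sample.
    With pointers hidden every address prints as zero. Sample the file as the
    unprivileged user you care about: root sees real addresses with kptr_restrict=1."""
    addrs = (m.group(1) for m in map(KALLSYMS_LINE.match, kallsyms_text.splitlines()) if m)
    return any(int(a, 16) != 0 for a in addrs)

def kaslr_enabled(config_text, cmdline):
    """Built with CONFIG_RANDOMIZE_BASE and not disabled by `nokaslr` at boot."""
    built_in = re.search(r"^CONFIG_RANDOMIZE_BASE=y$", config_text, re.M) is not None
    return built_in and "nokaslr" not in cmdline.split()

def randstruct_enabled(config_text):
    """Per-build struct layout randomization: grsecurity name or the mainline plugin names."""
    pat = r"^CONFIG_(GRKERNSEC_RANDSTRUCT|GCC_PLUGIN_RANDSTRUCT|RANDSTRUCT_FULL)=y$"
    return re.search(pat, config_text, re.M) is not None

def audit():
    """Evaluate the live host; returns mitigation name -> bool."""
    config = read_text("/boot/config-" + os.uname().release, limit=1 << 20)
    return {
        "kptr_restrict set": kptr_restrict_ok(read_text("/proc/sys/kernel/kptr_restrict")),
        "kallsyms hides addresses": not kallsyms_leaks_addresses(read_text("/proc/kallsyms")),
        "KASLR built in and not disabled": kaslr_enabled(config, read_text("/proc/cmdline")),
        "struct layout randomized": randstruct_enabled(config),
    }

if __name__ == "__main__":
    for name, ok in audit().items():
        print(("OK      " if ok else "MISSING ") + name)
```

Run it once as root and once as an ordinary user: the kallsyms line is only meaningful for the unprivileged run.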