Difference between revisions of "Exploit Methods/Function pointer overwrite"
Latest revision as of 16:17, 14 September 2016
Details
When an attacker has a write primitive, they can overwrite function pointers to redirect execution. Function pointers exist in a large number of places in the kernel, ranging from function pointer tables (e.g. fops) to vector and descriptor tables.
Examples
Mitigations
- mark function pointer tables "const" when they can be statically assigned, making them read-only for the entire kernel runtime.
- use __ro_after_init on function pointer tables that are only written during __init so they are read-only during the rest of the kernel runtime.
- make all function pointer tables read-only at compile time (e.g. PAX_CONSTIFY_PLUGIN).
- make sensitive targets that need only occasional updates only writable during rare updates (e.g. PAX_KERNEXEC).
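Added illustration, not part of the wiki page and written as user-space C rather than kernel code: a function-pointer table that is writable during an init phase and then sealed read-only with mprotect, emulating what __ro_after_init does for a table written only during __init. demo(0) leaves the table writable and the overwrite lands; demo(1) seals it and the same write faults. All names (fops, legit_read, hijacked, seal_table) are constructed for the example.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stand-in for a kernel function-pointer table such as file_operations. */
struct fops { int (*read)(void); int (*write)(void); };
static int legit_read(void) { return 1; }
static int hijacked(void)   { return 0xbad; } /* where a redirected call would land */
static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }
static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* Own page for the table, like the section the kernel remaps read-only after __init. */
static struct fops *alloc_table(void) {
    void *p = mmap(NULL, page_size(), PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : (struct fops *)p;
}

/* Emulates __ro_after_init taking effect: from here on the table is read-only. */
static int seal_table(struct fops *t) { return mprotect(t, page_size(), PROT_READ); }

/* The write an arbitrary-write primitive would make; 1 = faulted (mitigation held), 0 = replaced. */
static int try_overwrite(struct fops *t) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigaction(SIGSEGV, &sa, &old);
    volatile int blocked = 1;
    if (sigsetjmp(fault_env, 1) == 0) {
        t->read = hijacked;   /* faults and returns to sigsetjmp if the page is sealed */
        blocked = 0;
    }
    sigaction(SIGSEGV, &old, NULL);
    return blocked;
}

/* Whole scenario: 1 only if the overwrite was blocked and t->read still reaches legit_read. */
static int demo(int seal) {
    struct fops *t = alloc_table();
    if (!t) return -1;
    t->read = legit_read;                   /* the __init-time assignment */
    if (seal && seal_table(t) != 0) return -1;
    int ok = try_overwrite(t) && t->read() == 1;
    munmap(t, page_size());
    return ok;
}
```

The const mitigation is the compile-time version of the same idea: a const table is placed in .rodata and is read-only for the whole runtime, with no init window at all.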