Difference between revisions of "Exploit Methods/Userspace data usage"

From Linux Kernel Security Subsystem

Revision as of 19:15, 10 December 2015

Details

Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference of a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation, since userspace memory is fully under the attacker's control and, without the mitigations below, the kernel will happily read it.

Examples

Mitigations

  • hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
  • emulate memory segmentation via separate page tables, PCID, etc. (e.g. PaX_UDEREF)

Right now, the upstream options available for Privileged Access Never (PAN) are:

CPU                            Feature Name
ARM      v7 32-bit non-LPAE    CONFIG_CPU_SW_DOMAIN_PAN
         v7 32-bit LPAE        CONFIG_CPU_TTBR0_PAN (Catalin's series: http://marc.info/?l=linux-arm-kernel&m=144308911409429&w=2)
         v8.0 32-bit           CONFIG_CPU_TTBR0_PAN
         v8.0 64-bit           nothing
         v8.1                  hardware PAN
x86      pre-late-Broadwell    nothing
         Broadwell+            hardware PAN (SMAP)
s/390                          hardware PAN (architectural?)
powerpc                        nothing?
MIPS                           nothing?
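As an added example (not part of this wiki page), a POSIX shell function that classifies a system against the table above from its /proc/cpuinfo flags line and kernel config text. CONFIG_X86_SMAP and CONFIG_ARM64_PAN are real Kconfig symbols that the page does not list, and all sample inputs are constructed.

```shell
#!/bin/sh
# has_cfg SYMBOL CONFIG: true if the line "SYMBOL=y" appears in CONFIG
has_cfg() { printf '%s\n' "$2" | grep -q "^$1=y"; }
# has_flag FLAG FLAGS: true if FLAG is a whitespace-separated word of FLAGS
has_flag() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# pan_status ARCH CPUFLAGS CONFIG
#   ARCH     : machine name as printed by `uname -m`
#   CPUFLAGS : the "flags"/"Features" line of /proc/cpuinfo (may be empty)
#   CONFIG   : kernel config text (e.g. output of `zcat /proc/config.gz`)
# Prints the PAN mechanism found and returns 0; prints "none" and returns 1
# when no protection against kernel use of userspace data is known.
pan_status() {
    arch=$1; cpuflags=$2; config=$3
    case "$arch" in
    x86_64|i?86)
        # SMAP needs both the CPU flag and kernel support (CONFIG_X86_SMAP,
        # a real Kconfig symbol, not listed on the wiki page).
        if has_flag smap "$cpuflags" && has_cfg CONFIG_X86_SMAP "$config"; then
            echo "hardware PAN (SMAP)"; return 0
        fi ;;
    aarch64)
        # /proc/cpuinfo does not report PAN on arm64, so only the kernel
        # config (CONFIG_ARM64_PAN, not on the wiki page) is checked here.
        if has_cfg CONFIG_ARM64_PAN "$config"; then
            echo "hardware PAN (CONFIG_ARM64_PAN, ARMv8.1)"; return 0
        fi ;;
    arm*)
        if has_cfg CONFIG_CPU_SW_DOMAIN_PAN "$config"; then
            echo "software PAN via ARM domains (CONFIG_CPU_SW_DOMAIN_PAN)"; return 0
        fi
        if has_cfg CONFIG_CPU_TTBR0_PAN "$config"; then
            echo "PAN via TTBR0 switching (CONFIG_CPU_TTBR0_PAN)"; return 0
        fi ;;
    esac
    echo "none"; return 1
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_X86_FLAGS='flags : fpu vme de pse tsc msr smep smap'
SAMPLE_X86_CONFIG='CONFIG_X86_64=y
CONFIG_X86_SMAP=y'
SAMPLE_OLD_X86_CONFIG='CONFIG_X86_64=y
# CONFIG_X86_SMAP is not set'
SAMPLE_ARM_CONFIG='CONFIG_ARM=y
CONFIG_CPU_SW_DOMAIN_PAN=y'

pan_status x86_64 "$SAMPLE_X86_FLAGS" "$SAMPLE_X86_CONFIG"          # hardware PAN (SMAP)
pan_status armv7l "" "$SAMPLE_ARM_CONFIG"                           # software PAN via ARM domains (CONFIG_CPU_SW_DOMAIN_PAN)
pan_status x86_64 "$SAMPLE_X86_FLAGS" "$SAMPLE_OLD_X86_CONFIG" || :  # none (exit status 1)
```

On a live Linux box the same function can be fed `"$(uname -m)"`, the first `flags`/`Features` line of /proc/cpuinfo, and the output of `zcat /proc/config.gz`; a "none" result means userspace-resident structures are reachable by a kernel pointer dereference.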