Difference between revisions of "Exploit Methods/Userspace data usage"
Changes in this revision (diff of the wiki source around its lines 24 and 39):
- ARM rows: "v8 32-bit" and "v8 64-bit" renamed to "v8.0 32-bit" and "v8.0 64-bit"; their feature entries (CONFIG_CPU_TTBR0_PAN, Catalin's series at http://marc.info/?l=linux-arm-kernel&m=144308911409429&w=2, CONFIG_CPU_TTBR0_PAN, and "nothing") are unchanged.
- After the "Broadwell+ | hardware PAN (SMAP)" row: a new row added for s/390 with feature "hardware PAN (architectural?)", ahead of the existing powerpc row.
Revision as of 19:15, 10 December 2015
Details
Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect a dereference of a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation, since the kernel has no reason to touch userspace memory during that dereference.
Examples
Mitigations
- hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
- emulate memory segmentation via separate page tables, PCID, etc. (e.g. PaX_UDEREF)
Right now, the upstream options available for Privileged Access Never (PAN) are:
CPU | Variant | Feature Name
---|---|---
ARM | v7 32-bit non-LPAE | CONFIG_CPU_SW_DOMAIN_PAN
ARM | v7 32-bit LPAE | CONFIG_CPU_TTBR0_PAN (Catalin's series, http://marc.info/?l=linux-arm-kernel&m=144308911409429&w=2)
ARM | v8.0 32-bit | CONFIG_CPU_TTBR0_PAN
ARM | v8.0 64-bit | nothing
ARM | v8.1 | hardware PAN
x86 | pre-late-Broadwell | nothing
x86 | Broadwell+ | hardware PAN (SMAP)
s/390 | (all) | hardware PAN (architectural?)
powerpc | (all) | nothing?
MIPS | (all) | nothing?
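As an added check (not part of the wiki page or the KSPP project), the POSIX shell script below reports which of the mitigations in the table a given kernel build actually enables, reading a saved kernel config and a /proc/cpuinfo-style file. CONFIG_X86_SMAP and CONFIG_ARM64_PAN are Kconfig symbol names assumed here and not listed on the page; the sample inputs at the bottom are constructed.

```shell
#!/bin/sh
# Added example: report the userspace-access mitigations (PAN/SMAP family)
# that a kernel build has. CONFIG_X86_SMAP and CONFIG_ARM64_PAN are assumed
# Kconfig names not taken from the wiki table; sample inputs are constructed.

# pan_status CONFIG_FILE CPUINFO_FILE
#   Prints one line per mechanism found. Returns 0 if at least one
#   mitigation is enabled in the config, 1 if none is.
pan_status() {
    config="$1"; cpuinfo="$2"; found=0
    # arm/arm64 options: software domains, TTBR0 switching, and the v8.1
    # hardware PAN support symbol (only enforced on CPUs that implement it).
    for opt in CONFIG_CPU_SW_DOMAIN_PAN CONFIG_CPU_TTBR0_PAN CONFIG_ARM64_PAN; do
        if grep -q "^${opt}=y" "$config" 2>/dev/null; then
            echo "enabled: $opt"; found=1
        fi
    done
    # x86: the CPU advertises SMAP in its cpuinfo flags, but the kernel
    # only turns it on when built with CONFIG_X86_SMAP.
    if grep -qw smap "$cpuinfo" 2>/dev/null; then
        if grep -q '^CONFIG_X86_SMAP=y' "$config" 2>/dev/null; then
            echo "enabled: SMAP (hardware PAN, CONFIG_X86_SMAP)"; found=1
        else
            echo "warning: CPU has SMAP but kernel lacks CONFIG_X86_SMAP"
        fi
    fi
    [ "$found" -eq 1 ]
}

# Constructed sample inputs: a Broadwell-class CPU with two kernel configs.
write_samples() {
    dir="$1"
    printf 'flags\t\t: fpu sse2 smep smap\n' > "$dir/cpuinfo"
    printf 'CONFIG_X86_SMAP=y\n# CONFIG_CPU_SW_DOMAIN_PAN is not set\n' > "$dir/config.good"
    printf '# CONFIG_X86_SMAP is not set\n' > "$dir/config.bad"
}

# Run against the samples; on a live system use:
#   pan_status /boot/config-"$(uname -r)" /proc/cpuinfo
tmp=$(mktemp -d)
write_samples "$tmp"
pan_status "$tmp/config.good" "$tmp/cpuinfo"
pan_status "$tmp/config.bad" "$tmp/cpuinfo" || echo "no userspace-access mitigation enabled"
rm -rf "$tmp"
```

A kernel that reports nothing here leaves every kernel pointer dereference free to follow an attacker-controlled value into userspace, which is exactly the condition the "Details" section describes.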