Difference between revisions of "Exploit Methods/Userspace data usage"

From Linux Kernel Security Subsystem
(update PAN for powerpc)
m (ppc PAN merged in 5.2)
Line 41: Line 41:
|rowspan="2"| powerpc
|rowspan="2"| powerpc
| radix MMU (since POWER9)
| radix MMU (since POWER9)
| hardware PAN (KUAP, [https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/commit/?h=next&id=890274c2dc4c0a57ae5a12d6a76fa6d05b599d98 likely since Linux v5.2])
| hardware PAN (KUAP, since Linux 5.2)
|-
|-
| hash MMU (since POWER7)
| hash MMU (since POWER7)
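Review bot: the replacement row at Line 41 drops the commit URL (https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/commit/?h=next&id=890274c2dc4c0a57ae5a12d6a76fa6d05b599d98) that was the evidence for the version claim, at the same time as it hardens "likely since Linux v5.2" to "since Linux 5.2"; keep the link as the citation for the KUAP merge, and use the "Linux v5.2" spelling the other rows use (e.g. "since Linux v4.3"), i.e. `| hardware PAN (KUAP, [https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/commit/?h=next&id=890274c2dc4c0a57ae5a12d6a76fa6d05b599d98 since Linux v5.2])`.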

Revision as of 04:55, 13 May 2019

Details

Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference of a structure or other pointer. In these cases, the easiest target for the redirected pointer is a malicious structure built in userspace, where the attacker fully controls the contents the kernel will then read.

Note that under some emulation situations, this can be a superset that includes Userspace execution. (If we can protect against userspace access, we'll also be protecting against userspace execution.) Hardware protections tend to be separate, though, due to different memory paths for instruction fetch (execution) and data access (read/write).

Examples

Mitigations

  • hardware segregation: SMAP (x86), PAN (arm, arm64), Domains (arm)
  • emulated PAN (memory segregation via segments, Domains, page table swapping, PCID, etc. e.g. PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged Access Never (PAN) are:

{|
! CPU !! Feature !! Name
|-
|rowspan="3"| ARM
| v7 (32-bit)
| CONFIG_CPU_SW_DOMAIN_PAN (since Linux v4.3)
|-
| v8.0 (64-bit)
| CONFIG_ARM64_SW_TTBR0_PAN (likely Linux v4.9 Catalin's series)
|-
| v8.1 (defined since December 2014)
| hardware PAN (none shipping)
|-
|rowspan="2"| x86
| pre-late-Broadwell
| nothing (could use PCID?)
|-
| Broadwell+ (since October 2014)
| hardware PAN (SMAP)
|-
| s/390
|
| hardware PAN (Address Spaces)
|-
|rowspan="2"| powerpc
| radix MMU (since POWER9)
| hardware PAN (KUAP, since Linux 5.2)
|-
| hash MMU (since POWER7)
| nothing yet, but implementation possible
|-
| MIPS
|
| nothing (could use ASID switching?)
|}
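As an added illustration, not code from this wiki page or from the Linux kernel, the following C model shows the pattern described under Details (the kernel following a redirected pointer into an attacker-built userspace structure) and why PAN/SMAP-style protection, listed under Mitigations, stops it while the explicit copy_from_user path keeps working. The flat address space, `sim_ops`, `kernel_load`, `sim_copy_from_user` and `kernel_reads_user_struct` are constructed stand-ins for this example, not kernel APIs.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed flat address space: offsets below USER_END are "user" memory,
 * the rest is "kernel" memory. Not the real Linux layout. */
#define MEM_SIZE 4096u
#define USER_END 2048u
static uint8_t mem[MEM_SIZE];
static bool pan_enabled = true;     /* hardware or emulated PAN */
static bool uaccess_window = false; /* opened only by the copy_from_user path */
struct sim_ops { int32_t handler_id; int32_t flags; }; /* what the kernel expects to find */

/* Every kernel-mode load goes through this gate. Under PAN, a load from a
 * user address faults unless an explicit uaccess window is open. */
static int kernel_load(uint32_t addr, void *dst, uint32_t len)
{
    if (addr > MEM_SIZE || len > MEM_SIZE - addr)
        return -EFAULT;
    if (addr < USER_END && pan_enabled && !uaccess_window)
        return -EFAULT;                  /* PAN/SMAP fault */
    memcpy(dst, &mem[addr], len);
    return 0;
}

/* Legitimate path: access_ok-style range check, then a bounded window. */
static int sim_copy_from_user(void *dst, uint32_t uaddr, uint32_t len)
{
    if (uaddr >= USER_END || len > USER_END - uaddr)
        return -EFAULT;                  /* refuse kernel addresses */
    uaccess_window = true;
    int rc = kernel_load(uaddr, dst, len);
    uaccess_window = false;
    return rc;
}

/* The page's scenario: an attacker builds a fake sim_ops in user memory and
 * redirects a kernel pointer at it. With explicit_copy the kernel reads it
 * through copy_from_user; otherwise it dereferences the pointer as if it were
 * kernel data. Returns the handler id the kernel would act on, or -EFAULT. */
static int kernel_reads_user_struct(bool pan, bool explicit_copy, uint32_t uaddr)
{
    struct sim_ops fake = { .handler_id = 0xdead, .flags = 0 }, seen;
    if (uaddr > MEM_SIZE - sizeof fake)
        return -EFAULT;
    memcpy(&mem[uaddr], &fake, sizeof fake); /* userspace-controlled bytes */
    pan_enabled = pan;
    int rc = explicit_copy ? sim_copy_from_user(&seen, uaddr, sizeof seen)
                           : kernel_load(uaddr, &seen, sizeof seen);
    return rc ? rc : seen.handler_id;
}
```

Without PAN the implicit dereference hands the kernel the attacker's `handler_id`; with PAN it faults, and only the explicit, range-checked copy path reads user memory.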