Exploit Methods/Userspace data usage
Jump to navigation
Jump to search
Details
Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.
Examples
Mitigations
- hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
- emulate memory segmentation via separate page tables, PCID, etc (e.g. PaX_UDEREF)
Right now, the upstream options available for PAN are:
| CPU | Feature Name | |
|---|---|---|
| ARM | v7 32-bit non-LPAE | CONFIG_CPU_SW_DOMAIN_PAN |
| v7 32-bit LPAE | Catalin's series (CONFIG_CPU_TTBR0_PAN) | |
| v8 32-bit | Catalin's series? | |
| v8 64-bit | nothing? | |
| v8.1 | hardware PAN | |
| x86 | pre-late-Broadwell | nothing |
| Broadwell+ | hardware PAN (SMAP) | |
| powerpc | nothing? | |
| MIPS | nothing? | |