Exploit Methods/Function pointer overwrite

From Linux Kernel Security Subsystem

Revision as of 16:11, 14 September 2016 by KeesCook (talk | contribs) (→‎Details)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to navigation Jump to search

Details

When an attacker has a write primitive, they can overwrite function pointers to redirect execution. Function pointers exist in a large number of places in the kernel ranging from function pointer tables (e.g. fops), to vector and descriptor tables.

Examples

Mitigations

make function pointer tables read-only (e.g. PAX_CONSTIFY_PLUGIN)
make sensitive targets that need only occasional updates only writable during updates (e.g. PAX_KERNEXEC)

Retrieved from "http://kernsec.org/wiki/index.php?title=Exploit_Methods/Function_pointer_overwrite&oldid=3801"