Exploit Methods/Function pointer overwrite

From Linux Kernel Security Subsystem
Revision as of 16:11, 14 September 2016 by KeesCook (talk | contribs) (→‎Details)

Details

When an attacker has a write primitive, they can overwrite function pointers to redirect execution. Function pointers exist in a large number of places in the kernel, ranging from function pointer tables (e.g. fops) to vector and descriptor tables.

Examples

Mitigations

  • make function pointer tables read-only (e.g. PAX_CONSTIFY_PLUGIN)
  • make sensitive targets that need only occasional updates writable only during those updates (e.g. PAX_KERNEXEC)
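
The second mitigation can be pictured with a userspace analogue. The following is an added example, not code from the kernel or from PaX: the table `demo_ops`, its functions, and the `mprotect()`-based write window are all assumptions made for illustration. It keeps a function pointer table read-only except inside its update path and uses a forked child to check that a write outside that path is stopped.

```c
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
#define REGION 65536 /* a multiple of the common page sizes (4K, 16K, 64K) */

/* Hypothetical ops table standing in for a kernel one such as fops. */
struct demo_ops { int (*open)(void); };
static int demo_open(void)    { return 1; }
static int demo_open_v2(void) { return 2; }
static int stray_target(void) { return -1; }

/* The table sits alone in its own aligned region, so page protections
 * cover it and nothing else. */
static union { struct demo_ops ops; unsigned char pad[REGION]; }
    slot __attribute__((aligned(REGION))) = { .ops = { .open = demo_open } };

static int set_prot(int prot) { return mprotect(&slot, sizeof slot, prot); }
int ops_seal(void) { return set_prot(PROT_READ); } /* drop write access */
int ops_call_open(void) { return slot.ops.open(); }

/* Legitimate update path: open a short write window, then close it. */
int ops_update_open(int (*fn)(void))
{
    if (set_prot(PROT_READ | PROT_WRITE)) return -1;
    slot.ops.open = fn;
    return set_prot(PROT_READ);
}

/* Probe in a forked child so a fault cannot take down the caller:
 * returns 1 if a write outside the update path was stopped, else 0. */
int stray_write_blocked(void)
{
    int status; pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        volatile struct demo_ops *t = &slot.ops;
        t->open = stray_target;            /* simulated stray write */
        _exit(t->open() == -1 ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return !(WIFEXITED(status) && WEXITSTATUS(status) == 0);
}

int main(void) {
    int before = stray_write_blocked();
    if (ops_seal() || ops_update_open(demo_open_v2)) return 1;
    printf("blocked before seal=%d, after=%d\n", before, stray_write_blocked());
    return 0;
}
```

A table that never changes after initialisation needs no update path at all and can simply be declared `const`, which is the first mitigation in the list.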