Revision as of 18:38, 10 December 2015

Details

Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.

Examples

Mitigations

hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
emulate memory segmentation via separate page tables, PCID, etc (e.g. PaX_UDEREF)

Right now, the upstream options available for PAN are:

CPU		Feature Name
ARM	v7 32-bit non-LPAE	CONFIG_CPU_SW_DOMAIN_PAN
	v7 32-bit LPAE	Catalin's series (CONFIG_CPU_TTBR0_PAN)
	v8 32-bit	Catalin's series?
	v8 64-bit	nothing?
	v8.1	hardware PAN
x86	pre-late-Broadwell	nothing
x86	Broadwell+	hardware PAN (SMAP)
powerpc		nothing?
MIPS		nothing?

@@ Line 8: / Line 8: @@
 = Mitigations =
+* hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
+* emulate memory segmentation via separate page tables, PCID, etc (e.g. PaX_UDEREF)
-* hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
+Right now, the upstream options available for PAN are:
-* emulate memory segmentation via separate page tables (e.g. PAX_UDEREF)
+{| class="wikitable"
+!colspan="2"|CPU
+! Feature Name
+|-
+|rowspan="5"| ARM
+| v7 32-bit non-LPAE
+| CONFIG_CPU_SW_DOMAIN_PAN
+|-
+| v7 32-bit LPAE
+| [http://marc.info/?l=linux-arm-kernel&m=144308911409429&w=2 Catalin's series] (CONFIG_CPU_TTBR0_PAN)
+|-
+| v8 32-bit
+| Catalin's series?
+|-
+| v8 64-bit
+|style="color: red;"| nothing?
+|-
+| v8.1
+| hardware PAN
+|-
+|rowspan="2"| x86
+| pre-late-Broadwell
+|style="color: red;"| nothing
+|-
+| Broadwell+
+| hardware PAN (SMAP)
+|-
+|colspan="2"| powerpc
+|style="color: red;"| nothing?
+|-
+|colspan="2"| MIPS
+|style="color: red;"| nothing?
+|}

Difference between revisions of "Exploit Methods/Userspace data usage"

Revision as of 18:38, 10 December 2015

Details

Examples

Mitigations

Navigation menu

Search