Difference between revisions of "Exploit Methods/Userspace data usage"
(→Examples) |
|||
| Line 8: | Line 8: | ||
= Mitigations = | = Mitigations = | ||
| + | * hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm) | ||
| + | * emulate memory segmentation via separate page tables, PCID, etc (e.g. PaX_UDEREF) | ||
| − | + | Right now, the upstream options available for PAN are: | |
| − | + | ||
| + | {| class="wikitable" | ||
| + | !colspan="2"|CPU | ||
| + | ! Feature Name | ||
| + | |- | ||
| + | |rowspan="5"| ARM | ||
| + | | v7 32-bit non-LPAE | ||
| + | | CONFIG_CPU_SW_DOMAIN_PAN | ||
| + | |- | ||
| + | | v7 32-bit LPAE | ||
| + | | [http://marc.info/?l=linux-arm-kernel&m=144308911409429&w=2 Catalin's series] (CONFIG_CPU_TTBR0_PAN) | ||
| + | |- | ||
| + | | v8 32-bit | ||
| + | | Catalin's series? | ||
| + | |- | ||
| + | | v8 64-bit | ||
| + | |style="color: red;"| nothing? | ||
| + | |- | ||
| + | | v8.1 | ||
| + | | hardware PAN | ||
| + | |- | ||
| + | |rowspan="2"| x86 | ||
| + | | pre-late-Broadwell | ||
| + | |style="color: red;"| nothing | ||
| + | |- | ||
| + | | Broadwell+ | ||
| + | | hardware PAN (SMAP) | ||
| + | |- | ||
| + | |colspan="2"| powerpc | ||
| + | |style="color: red;"| nothing? | ||
| + | |- | ||
| + | |colspan="2"| MIPS | ||
| + | |style="color: red;"| nothing? | ||
| + | |} | ||
Revision as of 18:38, 10 December 2015
Details
Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.
Examples
Mitigations
- hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
- emulate memory segmentation via separate page tables, PCID, etc (e.g. PaX_UDEREF)
Right now, the upstream options available for PAN are:
| CPU | Feature Name | |
|---|---|---|
| ARM | v7 32-bit non-LPAE | CONFIG_CPU_SW_DOMAIN_PAN |
| v7 32-bit LPAE | Catalin's series (CONFIG_CPU_TTBR0_PAN) | |
| v8 32-bit | Catalin's series? | |
| v8 64-bit | nothing? | |
| v8.1 | hardware PAN | |
| x86 | pre-late-Broadwell | nothing |
| Broadwell+ | hardware PAN (SMAP) | |
| powerpc | nothing? | |
| MIPS | nothing? | |
