Difference between revisions of "Exploit Methods/Function pointer overwrite"
Revision as of 23:10, 4 November 2015
Details
When an attacker has a write primitive, they can overwrite function pointers to redirect execution. Function pointers exist in a large number of places in the kernel, ranging from function pointer tables (e.g. fops) to vector and descriptor tables.
Examples
Mitigations
- make function pointer tables read-only (e.g. PAX_CONSTIFY_PLUGIN)
- make sensitive targets that need only occasional updates only writable during updates (e.g. PAX_KERNEXEC)
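The two mitigations above, sketched as a userspace analogy. This is an added example, not code from this page or from PaX: `mmap`/`mprotect` stand in for kernel page permissions, and `demo_ops` and every function name are hypothetical. The table is read-only except inside the one legitimate update path, and a store from anywhere else faults instead of changing the call target.

```c
#define _DEFAULT_SOURCE
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical ops table (names are assumptions), in the style of fops. */
struct demo_ops { int (*open)(void); int (*release)(void); };

int demo_open(void)    { return 1; }
int demo_release(void) { return 2; }
int demo_open_v2(void) { return 3; }

static struct demo_ops *ops;          /* table lives alone on its own page */
static size_t page_len(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* Fill the table once, then drop write permission (read-only table). */
int ops_init(void)
{
    ops = mmap(NULL, page_len(), PROT_READ | PROT_WRITE,
               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (ops == MAP_FAILED) return -1;
    ops->open = demo_open;
    ops->release = demo_release;
    return mprotect(ops, page_len(), PROT_READ);
}

/* Legitimate update path: writable only for the duration of the store. */
int ops_set_open(int (*fn)(void))
{
    if (mprotect(ops, page_len(), PROT_READ | PROT_WRITE) != 0) return -1;
    ops->open = fn;
    return mprotect(ops, page_len(), PROT_READ);
}

int ops_call_open(void) { return ops->open(); }

/* Returns 1 if a store outside the update path is stopped (tested in a child). */
int stray_write_blocked(void)
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        volatile struct demo_ops *p = ops;
        p->release = demo_open;       /* expected to fault on the read-only page */
        _exit(0);                     /* reached only if the store succeeded */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return !(WIFEXITED(status) && WEXITSTATUS(status) == 0);
}
```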