Exploit Methods/Function pointer overwrite

From Linux Kernel Security Subsystem
Latest revision as of 16:17, 14 September 2016

Details

When an attacker has a write primitive, they can overwrite function pointers to redirect execution. Function pointers exist in a large number of places in the kernel, ranging from function pointer tables (e.g. fops) to vector and descriptor tables.

Examples

Mitigations

  • mark function pointer tables "const" when they can be statically assigned, making them read-only for the entire kernel runtime.
  • use __ro_after_init on function pointer tables that are only written during __init so they are read-only during the rest of the kernel runtime.
  • make all function pointer tables read-only at compile time (e.g. PAX_CONSTIFY_PLUGIN).
  • make sensitive targets that need only occasional updates only writable during rare updates (e.g. PAX_KERNEXEC).
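As an added illustration (not code from the original page or from the kernel) of what the "const" and __ro_after_init mitigations above buy: a user-space C model in which a fops-like table is filled during an init phase and then sealed with mprotect(), the way mark_rodata_ro() makes the __ro_after_init section read-only once boot is done. A later store into the table faults instead of redirecting the next call; the struct, function names and the SIGSEGV-catching harness are my own.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <sys/mman.h>
#include <unistd.h>

/* fops-like table: filled once at init, then never legitimately written again */
struct ops {
    int (*read)(int);
    int (*write)(int);
};

static int real_read(int x)  { return x + 1; }
static int real_write(int x) { return x * 2; }
static int bogus(int x)      { (void)x; return -1; }   /* stand-in for an unwanted target */

static struct ops *table;          /* lives in its own page so its protection can be changed */
static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Init phase: table is writable while being populated, then sealed read-only,
 * which is what mark_rodata_ro() does to the __ro_after_init section in the kernel. */
static int init_table(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    table = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (table == MAP_FAILED) return 0;
    table->read  = real_read;
    table->write = real_write;
    return mprotect(table, pg, PROT_READ) == 0;   /* 1 on success: table is now read-only */
}

/* Model of a post-init write hitting the table; returns 1 if the store faulted. */
static int try_overwrite(void)
{
    struct sigaction sa = { 0 }, old;
    volatile int blocked = 0;
    sa.sa_handler = on_segv;
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0)
        table->write = bogus;      /* would silently succeed on a writable table */
    else
        blocked = 1;               /* read-only page: the store was refused */
    sigaction(SIGSEGV, &old, NULL);
    return blocked;
}

/* Dispatch through the table; still reaches real_write() after the blocked store */
static int call_write(int x) { return table->write(x); }
```

On a writable table try_overwrite() returns 0 and the next call_write() lands in bogus(); with the page sealed it returns 1 and call_write(21) still yields 42.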