Exploit Methods/Function pointer overwrite

From Linux Kernel Security Subsystem
Revision as of 23:10, 4 November 2015 by KeesCook (Talk | contribs)


Details

When an attacker has a write primitive, they can overwrite function pointers to redirect execution. Function pointers exist in a large number of places in the kernel, ranging from function pointer tables (e.g. fops) to vector and descriptor tables.

Examples

Mitigations

  • make function pointer tables read-only (e.g. PAX_CONSTIFY_PLUGIN)
  • make sensitive targets that need only occasional updates only writable during updates (e.g. PAX_KERNEXEC)
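
The two mitigations above, shown as a userspace analogue (an added example, not kernel or PaX code): a table of function pointers sits on its own read-only page, and one update routine makes it writable only while the update runs. The `demo_ops` struct and all function names are hypothetical, and `mprotect` stands in for the kernel's page-permission changes.

```c
#define _DEFAULT_SOURCE 1                  /* MAP_ANONYMOUS under strict -std= */
#include <signal.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

struct demo_ops { int (*open)(void); };   /* hypothetical stand-in for fops */
static int real_open(void)  { return 1; }
static int other_open(void) { return 2; }
static struct demo_ops *ops;               /* table lives on its own page */
static size_t page;

/* Fill the table, then drop write permission on its page. */
int ops_init(void) {
    page = (size_t)sysconf(_SC_PAGESIZE);
    ops = mmap(NULL, page, PROT_READ | PROT_WRITE,
               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (ops == MAP_FAILED)
        return -1;
    ops->open = real_open;
    return mprotect(ops, page, PROT_READ);
}

/* Sanctioned update path: the page is writable only during the update. */
int ops_update(int (*fn)(void)) {
    if (mprotect(ops, page, PROT_READ | PROT_WRITE))
        return -1;
    ops->open = fn;
    return mprotect(ops, page, PROT_READ);
}
int ops_call(void) { return ops->open(); }  /* dispatch through the table */

/* Write outside the update path in a child; returns its fatal signal or 0. */
int stray_write_signal(void) {
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        ((volatile struct demo_ops *)ops)->open = other_open;
        _exit(0);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void) {   /* exits 0 when the stray write faults and the update works */
    return ops_init() || stray_write_signal() <= 0 ||
           ops_update(other_open) || ops_call() != 2;
}
```

The write outside `ops_update` ends in a fault instead of a changed pointer, while the table still dispatches normally and can still be changed through the one sanctioned path.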