Exploit Methods/Reused code chunks

From Linux Kernel Security Subsystem
Latest revision as of 22:10, 4 May 2016

Details

This is more generally known as Return Oriented Programming (ROP) or Jump Oriented Programming (JOP), but ultimately boils down to using the kernel's own executable memory to build a chain of gadgets in order to perform the attacker's exploit.

Examples

  • remote execution (https://github.com/djrbliss/rose-exploit), with slides (http://vulnfactory.org/research/h2hc-remote.pdf)
  • JIT spraying (https://github.com/01org/jit-spray-poc-for-ksp)

Mitigations

  • compiler instrumentation for Control Flow Integrity (CFI)
  • Return Address Protection, Indirect Control Transfer Protection (e.g. RAP, https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf)
  • Constant blinding (to defeat JIT sprays)
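The last mitigation above is easiest to see in code. The example below is added here and is not the kernel's BPF JIT or any project code: it is a toy x86-64 emitter that encodes a single "load constant into eax" operation two ways. The plain encoding (`mov eax, imm32`) copies the program-supplied constant into executable memory byte for byte, which is exactly what a JIT spray relies on. The blinded encoding emits `mov eax, imm ^ key` followed by `xor eax, key`, so only values the emitter chose appear in the code and the constant is reassembled in a register at run time. The constant and key values are constructed for the demonstration; a real JIT draws a fresh random key per instruction. A minimal interpreter for the two opcodes confirms that both encodings compute the same result.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy x86-64 code emitter used only to illustrate constant blinding.
 * This is an added example, not the kernel's BPF JIT. */
#define MAX_CODE 16

typedef struct {
    uint8_t code[MAX_CODE];
    size_t len;
} code_buf;

static void emit_u8(code_buf *b, uint8_t v) { b->code[b->len++] = v; }

static void emit_u32(code_buf *b, uint32_t v) {
    for (int i = 0; i < 4; i++)               /* little-endian immediate */
        emit_u8(b, (uint8_t)(v >> (8 * i)));
}

/* Unblinded: "mov eax, imm32" (opcode 0xB8). The program-supplied constant
 * lands verbatim in executable memory. */
code_buf emit_mov_eax_imm(uint32_t imm) {
    code_buf b = {{0}, 0};
    emit_u8(&b, 0xB8);
    emit_u32(&b, imm);
    return b;
}

/* Blinded: "mov eax, imm32 ^ key ; xor eax, key" ("xor eax, imm32" is opcode 0x35).
 * Only values the emitter chose itself appear in the code; the constant is
 * reassembled in a register at run time. */
code_buf emit_mov_eax_imm_blinded(uint32_t imm, uint32_t key) {
    code_buf b = {{0}, 0};
    emit_u8(&b, 0xB8);
    emit_u32(&b, imm ^ key);
    emit_u8(&b, 0x35);
    emit_u32(&b, key);
    return b;
}

/* 1 if the four bytes of `needle` occur verbatim anywhere in the emitted code. */
int contains_bytes(const code_buf *b, uint32_t needle) {
    uint8_t n[4];
    for (int i = 0; i < 4; i++) n[i] = (uint8_t)(needle >> (8 * i));
    for (size_t i = 0; i + 4 <= b->len; i++)
        if (memcmp(b->code + i, n, 4) == 0) return 1;
    return 0;
}

/* Minimal interpreter for the two opcodes used above, so the two encodings
 * can be shown to compute the same eax without executing machine code. */
uint32_t run_eax(const code_buf *b) {
    uint32_t eax = 0;
    size_t pc = 0;
    while (pc + 5 <= b->len) {
        uint8_t op = b->code[pc++];
        uint32_t imm = 0;
        for (int i = 0; i < 4; i++) imm |= (uint32_t)b->code[pc++] << (8 * i);
        if (op == 0xB8) eax = imm;
        else if (op == 0x35) eax ^= imm;
        else abort();
    }
    return eax;
}

/* 1 if blinding removed the constant from the code while the plain encoding
 * still carried it. A zero key would leave the constant visible, so this toy
 * rejects it (a design choice here; a real JIT draws fresh random keys). */
int blinding_hides_constant(uint32_t imm, uint32_t key) {
    if (key == 0) return 0;
    code_buf plain = emit_mov_eax_imm(imm);
    code_buf blind = emit_mov_eax_imm_blinded(imm, key);
    return contains_bytes(&plain, imm) && !contains_bytes(&blind, imm);
}

/* 1 if both encodings leave the same value in eax. */
int blinding_preserves_value(uint32_t imm, uint32_t key) {
    code_buf plain = emit_mov_eax_imm(imm);
    code_buf blind = emit_mov_eax_imm_blinded(imm, key);
    return run_eax(&plain) == imm && run_eax(&blind) == imm;
}

int main(void) {
    uint32_t imm = 0xC3C3C3C3u; /* constructed: a constant the JITed program asked for */
    uint32_t key = 0x5A17E9B2u; /* constructed: stands in for a per-instruction random key */
    printf("constant hidden by blinding: %d\n", blinding_hides_constant(imm, key));
    printf("value preserved:             %d\n", blinding_preserves_value(imm, key));
    return 0;
}
```

The check in `contains_bytes` is the property a defender cares about: after blinding, a byte-level scan of the emitted code no longer finds the program-chosen constant, so the program cannot dictate which bytes end up in executable memory, while `run_eax` shows that the program's observable result is unchanged. The cost is one extra instruction per blinded constant, which is why the kernel's BPF JIT exposes blinding as an opt-in hardening knob rather than applying it unconditionally.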