Exploit Methods/Userspace data usage

From Linux Kernel Security Subsystem
(Difference between revisions)
(Examples)
Line 8: Line 8:
  
 
= Mitigations =
 
= Mitigations =
 
 
* hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
 
* hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
* emulate memory segmentation via separate page tables (e.g. PAX_UDEREF)
+
* emulate memory segmentation via separate page tables, PCID, etc (e.g. PaX_UDEREF)
 +
 
 +
Right now, the upstream options available for PAN are:
 +
 
 +
{| class="wikitable"
 +
!colspan="2"|CPU
 +
! Feature Name
 +
|-
 +
|rowspan="5"| ARM
 +
| v7 32-bit non-LPAE
 +
| CONFIG_CPU_SW_DOMAIN_PAN
 +
|-
 +
| v7 32-bit LPAE
 +
| [http://marc.info/?l=linux-arm-kernel&m=144308911409429&w=2 Catalin's series] (CONFIG_CPU_TTBR0_PAN)
 +
|-
 +
| v8 32-bit
 +
| Catalin's series?
 +
|-
 +
| v8 64-bit
 +
|style="color: red;"| nothing?
 +
|-
 +
| v8.1
 +
| hardware PAN
 +
|-
 +
|rowspan="2"| x86
 +
| pre-late-Broadwell
 +
|style="color: red;"| nothing
 +
|-
 +
| Broadwell+
 +
| hardware PAN (SMAP)
 +
|-
 +
|colspan="2"| powerpc
 +
|style="color: red;"| nothing?
 +
|-
 +
|colspan="2"| MIPS
 +
|style="color: red;"| nothing?
 +
|}
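
Review bot: In the new table, the "v8 32-bit" row reads "Catalin's series?" with no link and no config symbol, while the LPAE row directly above links the marc.info posting and names CONFIG_CPU_TTBR0_PAN. Either repeat the link and symbol or give the cell the same red styling as the other unconfirmed "nothing?" cells, so readers can tell confirmed entries from guesses. The x86 rows also split on "pre-late-Broadwell" versus "Broadwell+", which leaves early Broadwell parts ambiguous; use one boundary wording for both rows.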

Revision as of 18:38, 10 December 2015

Details

Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference of a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.

Examples

Mitigations

  • hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
  • emulate memory segmentation via separate page tables, PCID, etc (e.g. PaX_UDEREF)

Right now, the upstream options available for PAN are:

CPU                            Feature Name
ARM      v7 32-bit non-LPAE    CONFIG_CPU_SW_DOMAIN_PAN
ARM      v7 32-bit LPAE        Catalin's series (CONFIG_CPU_TTBR0_PAN)
ARM      v8 32-bit             Catalin's series?
ARM      v8 64-bit             nothing?
ARM      v8.1                  hardware PAN
x86      pre-late-Broadwell    nothing
x86      Broadwell+            hardware PAN (SMAP)
powerpc                        nothing?
MIPS                           nothing?
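
To audit where a given machine falls in the table above, the following added example (not part of the wiki page or of any kernel tooling) classifies a system from its architecture string, its cpuinfo text and its kernel config text. The function names are hypothetical, the sample inputs are constructed, and the config symbols are the ones named in the table; it only covers the x86 and 32-bit ARM rows.

```shell
#!/bin/sh
# Added example: map a machine onto the PAN table. Inputs are passed as
# text so the check can also run on evidence collected from another host.

# has_flag TEXT NAME: exact token match on the cpuinfo "flags"/"Features" line.
has_flag() {
    printf '%s\n' "$1" | awk -F: -v want="$2" '
        $1 ~ /^(flags|Features)[ \t]*$/ {
            n = split($2, tok, " ")
            for (i = 1; i <= n; i++) if (tok[i] == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# has_cfg TEXT SYMBOL: true only for a built-in "SYMBOL=y" line, so a
# "# SYMBOL is not set" comment never counts as enabled.
has_cfg() { printf '%s\n' "$1" | grep -qx "$2=y"; }

# pan_status ARCH CPUINFO KCONFIG: print how kernel access to user memory
# is restricted on this machine, following the table rows.
pan_status() {
    case $1 in
        x86_64|i?86)
            if has_flag "$2" smap; then echo "hardware: SMAP"
            else echo "none: CPU does not advertise smap"; fi ;;
        arm*)   # 32-bit ARM only; arm64 reports itself as aarch64
            if has_cfg "$3" CONFIG_CPU_SW_DOMAIN_PAN; then
                echo "software: CONFIG_CPU_SW_DOMAIN_PAN"
            elif has_cfg "$3" CONFIG_CPU_TTBR0_PAN; then
                echo "software: CONFIG_CPU_TTBR0_PAN"
            else echo "none: no PAN option enabled in kernel config"; fi ;;
        *)  echo "unknown: consult the table for $1" ;;
    esac
}

# Constructed sample inputs (not captured from real machines).
SAMPLE_X86_NEW='flags : fpu vme smep erms smap clflushopt'
SAMPLE_X86_OLD='flags : fpu vme smep erms'
SAMPLE_ARM_CFG='# CONFIG_ARM_LPAE is not set
# CONFIG_CPU_TTBR0_PAN is not set
CONFIG_CPU_SW_DOMAIN_PAN=y'

pan_status x86_64 "$SAMPLE_X86_NEW" ""
pan_status x86_64 "$SAMPLE_X86_OLD" ""
pan_status armv7l "" "$SAMPLE_ARM_CFG"
```

On a live system the three arguments would come from `uname -m`, `/proc/cpuinfo` and the running kernel's config file.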