Exploit Methods/Userspace data usage

From Linux Kernel Security Subsystem
(Difference between revisions)
(Mitigations)
(Mitigations)
Line 21: Line 21:
 
|rowspan="3"| ARM
 
|rowspan="3"| ARM
 
| v7 (32-bit)
 
| v7 (32-bit)
| CONFIG_CPU_SW_DOMAIN_PAN
+
| CONFIG_CPU_SW_DOMAIN_PAN (since Linux v4.3)
 
|-
 
|-
 
| v8.0 (64-bit)
 
| v8.0 (64-bit)
| future: CONFIG_ARM64_SW_TTBR0_PAN ([http://www.openwall.com/lists/kernel-hardening/2016/09/13/3 Catalin's series])
+
| CONFIG_ARM64_SW_TTBR0_PAN (likely Linux v4.9 [http://www.openwall.com/lists/kernel-hardening/2016/09/13/3 Catalin's series])
 
|-
 
|-
 
| v8.1 (defined since December 2014)
 
| v8.1 (defined since December 2014)
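Review bot: the new v8.0 cell still describes an unmerged series ("likely Linux v4.9"), so keep a visible pending marker such as the old "future:" prefix until it lands, and drop "likely" only once the merge is confirmed; also separate the version from the link, e.g. `| CONFIG_ARM64_SW_TTBR0_PAN (likely Linux v4.9, [http://www.openwall.com/lists/kernel-hardening/2016/09/13/3 Catalin's series])`. The v7 cell's "(since Linux v4.3)" is the right shape; the unchanged v8.1 cell would benefit from the same kernel-version note once one is known.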

Revision as of 03:54, 15 September 2016

Details

Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference of a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.

Note that this is a superset that includes Userspace execution. If we can protect against userspace access, we'll also be protecting against userspace execution.

Examples

Mitigations

  • hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
  • emulated PAN (memory segmentation via segments, Domains, page-table swapping, PCID, etc.; e.g. PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged Access Never (PAN) are:

CPU     | Feature                            | Name
--------|------------------------------------|------------------------------------------------
ARM     | v7 (32-bit)                        | CONFIG_CPU_SW_DOMAIN_PAN (since Linux v4.3)
        | v8.0 (64-bit)                      | CONFIG_ARM64_SW_TTBR0_PAN (likely Linux v4.9, Catalin's series: http://www.openwall.com/lists/kernel-hardening/2016/09/13/3)
        | v8.1 (defined since December 2014) | hardware PAN (none shipping)
x86     | pre-late-Broadwell                 | nothing
        | Broadwell+ (since October 2014)    | hardware PAN (SMAP)
s/390   |                                    | hardware PAN (Address Spaces)
powerpc |                                    | nothing?
MIPS    |                                    | nothing (could use ASID switching?)
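As an added example that is not part of the wiki page, a small Python audit that checks a kernel config dump and /proc/cpuinfo text for the PAN options named in the table above. The ARM symbols are the ones from the table; CONFIG_X86_SMAP and CONFIG_ARM64_PAN are real upstream Kconfig symbols the page does not name and are assumptions here, as are the constructed sample inputs.

```python
import re

# Kconfig symbols that give the kernel Privileged Access Never coverage, keyed
# by architecture. The two ARM entries are the options named in the table above.
# CONFIG_X86_SMAP and CONFIG_ARM64_PAN are real upstream symbols that the page
# does not name; they are assumptions made for this example.
PAN_OPTIONS = {
    "arm": ["CONFIG_CPU_SW_DOMAIN_PAN"],
    "arm64": ["CONFIG_ARM64_PAN", "CONFIG_ARM64_SW_TTBR0_PAN"],
    "x86": ["CONFIG_X86_SMAP"],
}


def parse_config(text):
    """Return the CONFIG_* symbols set to y or m in a .config-style dump."""
    return {m.group(1) for m in re.finditer(r"^(CONFIG_\w+)=[ym]$", text, re.M)}


def cpu_flags(cpuinfo):
    """Return the flag set from the first 'flags' line of an x86 /proc/cpuinfo."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo, re.M)
    return set(m.group(1).split()) if m else set()


def pan_status(arch, config_text, cpuinfo_text=""):
    """Report which PAN options are built in and whether userspace access is blocked."""
    enabled = parse_config(config_text)
    built_in = [o for o in PAN_OPTIONS.get(arch, []) if o in enabled]
    status = {"arch": arch, "config": built_in, "protected": bool(built_in)}
    if arch == "x86":
        # The table lists no software fallback for x86: CONFIG_X86_SMAP only helps
        # when the CPU also reports the 'smap' flag (Broadwell and later).
        status["cpu_smap"] = "smap" in cpu_flags(cpuinfo_text)
        status["protected"] = bool(built_in) and status["cpu_smap"]
    return status


# Constructed sample inputs, not captured from a real machine.
X86_CONFIG = "CONFIG_X86_64=y\nCONFIG_X86_SMAP=y\n# CONFIG_PAX_MEMORY_UDEREF is not set\n"
X86_CPUINFO_BROADWELL = "processor\t: 0\nflags\t\t: fpu sse2 smep smap nx\n"
X86_CPUINFO_OLDER = "processor\t: 0\nflags\t\t: fpu sse2 smep nx\n"
ARM64_CONFIG = "CONFIG_ARM64=y\n# CONFIG_ARM64_PAN is not set\nCONFIG_ARM64_SW_TTBR0_PAN=y\n"

if __name__ == "__main__":
    for args in [("x86", X86_CONFIG, X86_CPUINFO_BROADWELL),
                 ("x86", X86_CONFIG, X86_CPUINFO_OLDER),
                 ("arm64", ARM64_CONFIG),
                 ("powerpc", "CONFIG_PPC64=y\n")]:
        print(pan_status(*args))
```

On a live machine the same functions can be fed `zcat /proc/config.gz` and `/proc/cpuinfo`; a result with `protected` False means a kernel pointer redirected at userspace memory would not fault, which is the case the Mitigations list is about.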