Difference between revisions of "Exploit Methods/Userspace data usage"

From Linux Kernel Security Subsystem
Line 2: Line 2:
Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.  
Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.  


Note that this is a superset that includes [Exploit Methods/Userspace execution|Userspace execution]. If we can protect against userspace access, we'll also be protecting against userspace execution.
Note that this is a superset that includes [[Exploit Methods/Userspace execution|Userspace execution]]. If we can protect against userspace access, we'll also be protecting against userspace execution.


= Examples =
= Examples =
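Review bot: the unchanged first paragraph in this hunk still reads "redirect the dereference a structure or other pointer", which is missing "of"; since this revision already touches the section, correct that wording in the same edit. The "= Examples =" heading is also still empty in the resulting revision, so either add an entry or note that examples are pending.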

Revision as of 19:20, 10 December 2015

Details

Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference of a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.

Note that this is a superset that includes Userspace execution. If we can protect against userspace access, we'll also be protecting against userspace execution.

Examples

Mitigations

  • hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
  • emulate memory segmentation via separate page tables, PCID, etc (e.g. PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged Access Never (PAN) are:

| CPU | Feature | Name |
|---|---|---|
| ARM | v7 32-bit non-LPAE | CONFIG_CPU_SW_DOMAIN_PAN |
| ARM | v7 32-bit LPAE | CONFIG_CPU_TTBR0_PAN (Catalin's series) |
| ARM | v8.0 32-bit | CONFIG_CPU_TTBR0_PAN |
| ARM | v8.0 64-bit | nothing |
| ARM | v8.1 | hardware PAN |
| x86 | pre-late-Broadwell | nothing |
| x86 | Broadwell+ | hardware PAN (SMAP) |
| s/390 | | hardware PAN (architectural?) |
| powerpc | | nothing? |
| MIPS | | nothing? |
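
To see which row of the table applies to a given x86 or 32-bit ARM system, a defender can inspect the CPU flags and the kernel configuration. The script below is an added example, not code from this wiki: the function names are hypothetical, the sample inputs are constructed, and it assumes that a listed `smap` flag in `/proc/cpuinfo` means SMAP is in use and that the kernel uses the option names given in the table.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample inputs are constructed.

# config_on NAME TEXT: true only for "NAME=y". A plain grep for NAME would
# also match the "# NAME is not set" line that a disabled option leaves behind.
config_on() {
    printf '%s\n' "$2" | grep -qx "$1=y"
}

# cpu_flag FLAG TEXT: true if the first "flags" line of the cpuinfo text
# lists FLAG as a whole word, so "smap" is not matched inside another name.
cpu_flag() {
    printf '%s\n' "$2" | grep -m1 '^flags' | grep -qw "$1"
}

# pan_status ARCH CPUINFO CONFIG: print the table entry that applies.
# Assumption of this example: a listed smap flag means SMAP is in use.
pan_status() {
    case "$1" in
        x86_64|i?86)
            if cpu_flag smap "$2"; then echo "hardware PAN (SMAP)"
            else echo "nothing"; fi ;;
        arm*)   # 32-bit ARM kernels (uname -m such as armv7l)
            if config_on CONFIG_CPU_SW_DOMAIN_PAN "$3"; then
                echo "CONFIG_CPU_SW_DOMAIN_PAN"
            elif config_on CONFIG_CPU_TTBR0_PAN "$3"; then
                echo "CONFIG_CPU_TTBR0_PAN"
            else echo "nothing"; fi ;;
        *) echo "not covered by this check" ;;
    esac
}

# Constructed sample inputs (not taken from a real machine).
SAMPLE_CPUINFO_SMAP='processor : 0
flags : fpu vme smep erms smap xsaveopt'
SAMPLE_CPUINFO_OLD='processor : 0
flags : fpu vme smep erms xsaveopt'
SAMPLE_CONFIG_OFF='# CONFIG_CPU_SW_DOMAIN_PAN is not set
CONFIG_MMU=y'
SAMPLE_CONFIG_ON='CONFIG_MMU=y
CONFIG_CPU_SW_DOMAIN_PAN=y'

pan_status x86_64 "$SAMPLE_CPUINFO_SMAP" ""
pan_status x86_64 "$SAMPLE_CPUINFO_OLD" ""
pan_status armv7l "" "$SAMPLE_CONFIG_OFF"
pan_status armv7l "" "$SAMPLE_CONFIG_ON"
```

On a live system, pass the output of `uname -m`, the contents of `/proc/cpuinfo`, and the text of the running kernel's config file.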