Exploit Methods/Userspace data usage
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
Details
Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.
Note that this is a superset that includes Userspace execution. If we can protect against userspace access, we'll also be protecting against userspace execution.
Examples
Mitigations
- hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
- emulated PAN (memory segmentation via segments, Domains, page table swapping, PCID, etc. e.g. PAX_MEMORY_UDEREF)
Right now, the upstream options available for Privileged Access Never (PAN) are:
CPU | Feature Name | |
---|---|---|
ARM | v7 32-bit non-LPAE | CONFIG_CPU_SW_DOMAIN_PAN |
v7 32-bit LPAE | CONFIG_CPU_TTBR0_PAN (Catalin's series) | |
v8.0 32-bit | CONFIG_CPU_TTBR0_PAN | |
v8.0 64-bit | nothing | |
v8.1 | hardware PAN | |
x86 | pre-late-Broadwell | nothing |
Broadwell+ | hardware PAN (SMAP) | |
s/390 | hardware PAN (architectural?) | |
powerpc | nothing? | |
MIPS | nothing? |