Exploit Methods/Userspace data usage

From Linux Kernel Security Subsystem
Revision as of 23:20, 4 November 2015 by KeesCook (talk | contribs) (Created page with "= Details = Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference a structure or other pointer. In...")

Details

Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference of a structure or other pointer. In these cases, the easiest path for the attacker is to point the redirected dereference at malicious structures that have been built in userspace, which then drive the exploitation.

Examples

Mitigations

  • hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
  • emulate memory segmentation via separate page tables (e.g. PAX_UDEREF)
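To show in software what the listed mitigations enforce in hardware, here is an added model (not code from this page or from the kernel) of a dispatcher that follows a function pointer out of a structure; the "kernel" half of the address space is a constructed static pool, and the address-range test stands in for the fault that SMAP, PAN or PAX_UDEREF raise when the kernel touches a userspace-resident structure:

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model: this pool plays the role of kernel memory. In a real
 * kernel the boundary is architectural (e.g. PAGE_OFFSET); here anything
 * outside the pool is treated as "userspace". */
struct ops {
    int (*handler)(int);   /* the function pointer the dispatcher calls */
};
static struct ops kernel_ops_pool[16];

/* Data-side range check: the software analogue of SMAP/PAN/UDEREF. */
static int is_kernel_address(const void *p)
{
    uintptr_t a  = (uintptr_t)p;
    uintptr_t lo = (uintptr_t)kernel_ops_pool;
    uintptr_t hi = lo + sizeof kernel_ops_pool;
    return a >= lo && a < hi;
}

static int good_handler(int x) { return x + 1; }
static int user_handler(int x) { return -x; }   /* stands in for an attacker-chosen target */

/* A legitimate ops table placed inside the kernel pool. */
static struct ops *make_kernel_ops(void)
{
    kernel_ops_pool[0].handler = good_handler;
    return &kernel_ops_pool[0];
}
/* Constructed userspace-resident structure of the kind the page describes. */
static struct ops user_ops = { user_handler };

/* Unmitigated dispatch: follows whatever structure pointer it is handed. */
static int dispatch_unchecked(const struct ops *o, int arg)
{
    return o->handler(arg);
}

/* Mitigated dispatch: refuses to read a structure that is not wholly in the
 * kernel half, mirroring the fault the hardware/page-table mitigations raise.
 * Returns 0 on success, -1 (EFAULT-like) when the structure is rejected. */
static int dispatch_checked(const struct ops *o, int arg, int *out)
{
    const char *last = (const char *)o + sizeof *o - 1;
    if (!is_kernel_address(o) || !is_kernel_address(last))
        return -1;
    *out = o->handler(arg);
    return 0;
}

int main(void)
{
    int out = 0;
    printf("kernel ops: rc=%d out=%d\n", dispatch_checked(make_kernel_ops(), 5, &out), out);
    printf("user ops:   rc=%d\n", dispatch_checked(&user_ops, 5, &out));
    return 0;
}
```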