Exploit Methods/Userspace data usage
Sometimes an attacker won't be able to control the instruction pointer directly, but will be able to redirect the dereference of a structure or other pointer. In these cases, the easiest target is a malicious structure (for example, a fake ops table containing a function pointer) that has been built in userspace, where the attacker controls every byte, so that the kernel's own code then performs the exploitation.
Note that this is a superset that includes Userspace execution: if we can protect against the kernel accessing userspace data at all, we will also be protecting against userspace execution.
- hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
- emulated PAN: memory segmentation via segments, Domains, page table swapping, PCID, etc. (e.g. PAX_MEMORY_UDEREF)
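The attack class and the mitigation above, as an added example that is not code from the KSPP wiki or from the kernel: a userspace C simulation in which the attacker never gets to set the instruction pointer, only to corrupt one pointer inside a "kernel" object. The names (`struct sock`, `struct sock_ops`, `kernel_close_socket`, `simulate_bug_corrupt_ops`, `kernel_access`) and the two byte arrays standing in for kernel and user memory are assumptions made for the demo; `pan_enabled` emulates what hardware PAN/SMAP or an emulated-PAN scheme enforces, namely that a kernel-mode dereference of a userspace address faults instead of completing.

```c
/*
 * Added example (not from the KSPP wiki or the kernel): a userspace
 * simulation of "userspace data usage" and of a PAN/SMAP-style mitigation.
 *
 * Two plain arrays stand in for the two address spaces: kernel_region is
 * "kernel memory", user_region is memory the attacker controls. A kernel
 * object carries a pointer to an ops table; the attacker cannot write the
 * instruction pointer, only overwrite that ops pointer (the bug itself is
 * simulated by simulate_bug_corrupt_ops()). Pointing it at a table built in
 * user_region is enough to hijack the kernel's indirect call.
 *
 * pan_enabled emulates Privileged Access Never: a kernel-mode load that
 * targets user_region "faults" (returns NULL here) instead of completing.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct sock_ops {
    int (*release)(void);   /* indirect call made by the kernel path */
};

struct sock {
    struct sock_ops *ops;   /* the pointer the attacker corrupts */
};

/* Fake address spaces (assumption for the demo): aligned byte arrays. */
static _Alignas(max_align_t) unsigned char user_region[256];
static _Alignas(max_align_t) unsigned char kernel_region[256];

static bool pan_enabled;        /* hardware PAN / SMAP / emulated PAN on? */
static int attacker_code_ran;   /* set if the attacker's handler executes */

static bool is_user_address(const void *p)
{
    const unsigned char *c = p;
    return c >= user_region && c < user_region + sizeof user_region;
}

/* Legitimate handler, living in "kernel" memory. */
static int real_release(void) { return 0; }

/* Attacker's handler; in a real exploit this would be a ROP chain or a
 * call such as commit_creds(prepare_kernel_cred(0)). */
static int attacker_release(void) { attacker_code_ran = 1; return 0xdead; }

/* Emulated PAN: every kernel-mode dereference of a pointer goes through here.
 * With PAN on, a userspace address faults instead of being followed. */
static void *kernel_access(void *p)
{
    if (pan_enabled && is_user_address(p))
        return NULL;        /* page fault -> oops/EFAULT, not code execution */
    return p;
}

/* The kernel path under attack: sk->ops->release() */
static int kernel_close_socket(struct sock *sk)
{
    struct sock_ops *ops = kernel_access(sk->ops);
    if (!ops)
        return -14;         /* -EFAULT: refused to dereference user memory */
    return ops->release();
}

/* Build the kernel object in kernel_region with its legitimate ops table. */
static struct sock *setup_kernel_socket(void)
{
    struct sock_ops *ops = (struct sock_ops *)kernel_region;
    struct sock *sk = (struct sock *)(kernel_region + sizeof *ops);
    ops->release = real_release;
    sk->ops = ops;
    return sk;
}

/* Simulated bug: a pointer-redirect primitive, no control of the IP.
 * The attacker aims sk->ops at an ops table they built in userspace. */
static void simulate_bug_corrupt_ops(struct sock *sk)
{
    struct sock_ops *evil = (struct sock_ops *)user_region;
    evil->release = attacker_release;
    sk->ops = evil;
}

/* Run the attack with PAN on or off; returns the kernel path's result. */
int run_attack(bool pan)
{
    pan_enabled = pan;
    attacker_code_ran = 0;
    memset(user_region, 0, sizeof user_region);
    memset(kernel_region, 0, sizeof kernel_region);
    struct sock *sk = setup_kernel_socket();
    simulate_bug_corrupt_ops(sk);
    return kernel_close_socket(sk);
}

int attacker_succeeded(void) { return attacker_code_ran; }

int main(void)
{
    int r = run_attack(false);
    printf("without PAN: result=%d, attacker code ran=%d\n", r, attacker_succeeded());
    r = run_attack(true);
    printf("with PAN:    result=%d, attacker code ran=%d\n", r, attacker_succeeded());
    return 0;
}
```

Without PAN the corrupted pointer is followed and the attacker's handler runs; with PAN the same dereference is refused before the function pointer is ever read, which is why protecting against userspace *access* also covers userspace *execution*. The real mechanisms differ from this check (SMAP and ARMv8.1 PAN fault in hardware; the TTBR0 and Domain schemes unmap or deny user memory while in the kernel), but the property they enforce is the one the simulation shows.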
Right now, the upstream options available for Privileged Access Never (PAN) are:
| Architecture | Variant | Upstream option |
|---|---|---|
| ARM | v7 32-bit non-LPAE | CONFIG_CPU_SW_DOMAIN_PAN |
| ARM | v7 32-bit LPAE | future: CONFIG_ARM64_SW_TTBR0_PAN (Catalin's series) |
| ARM | v8.0 32-bit | future: CONFIG_ARM64_SW_TTBR0_PAN |
| ARM | v8.0 64-bit | future: CONFIG_ARM64_SW_TTBR0_PAN |
| ARM | v8.1 (since December 2014) | hardware PAN |
| x86 | Broadwell+ (since October 2014) | hardware PAN (SMAP) |
| s/390 | | hardware PAN (Address Spaces) |
| MIPS | | nothing (could use ASID switching?) |