Difference between revisions of "Exploit Methods/Userspace execution"

From Linux Kernel Security Subsystem

Revision as of 03:49, 15 September 2016

Details

Once an attacker has gained control of the instruction pointer, it must be aimed somewhere. The place where attackers have the most control over memory layout tends to be userspace, so it has been natural to place malicious code in userspace and have the kernel redirect execution there (frequently known as "ret2usr").

For more details, see the Userspace access page: blocking kernel access to user pages also blocks executing them, so userspace access protection is technically a superset of userspace execution protection.

Examples

Mitigations

  • hardware enforcement that kernel mode cannot execute from user pages: SMEP (x86), PXN (ARM)
  • compiler instrumentation that sets the high bit on indirect function call targets, so a hijacked pointer cannot land in the userspace half of the address space
  • emulated separation via separate page tables, so user pages are not mapped while running in the kernel (e.g. PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged eXecute Never (PXN on ARM, SMEP on x86) are:

CPU      Variant                                    Feature name
ARM      v7 (32-bit) non-LPAE                       CONFIG_CPU_SW_DOMAIN_PAN
ARM      v7 (32-bit) LPAE (e.g. Cortex-A7, A15+)    hardware PXN
ARM      v8.0+ (64-bit)                             hardware PXN
x86      pre-Ivy-Bridge                             nothing
x86      Ivy-Bridge+ (since May 2012)               hardware PXN (SMEP)
s/390                                               hardware PXN (Address Spaces)
powerpc                                             nothing?
MIPS                                                nothing (could use ASID switching?)
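The following is an added example, not code from this wiki or from the kernel, that exercises two of the points above from userspace: it checks whether an x86 CPU advertises SMEP (the Ivy-Bridge+ row of the table) by parsing the flags line of /proc/cpuinfo, and it shows what the "set the high bit on function call targets" mitigation does to a ret2usr target versus a legitimate kernel target. The /proc/cpuinfo excerpts are constructed samples, and the bit-63 split is an assumption that holds for the x86-64 and arm64 upper-half kernel layouts; the function names are this example's own.

```c
/* Added example (not from the kernel wiki or the kernel tree).
 *
 * 1. cpuinfo_has_flag(): whole-word search of a "flags" line, run here against
 *    constructed /proc/cpuinfo samples so it works offline;
 *    live_cpuinfo_has_flag() runs the same check against the real file.
 * 2. force_kernel_half(): the "set the high bit on function calls" idea.
 *    Assumption: an upper-half kernel split (x86-64, arm64), where every kernel
 *    address has bit 63 set and every userspace address has it clear. ORing
 *    bit 63 into an indirect-call target leaves a kernel target unchanged and
 *    turns a userspace (ret2usr) target into an address that faults on the
 *    transfer: non-canonical on x86-64, kernel-half TTBR1 range on arm64.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: Ivy-Bridge-class CPU, "smep" present in the flags line. */
static const char SAMPLE_CPUINFO_IVB[] =
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "model name\t: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca "
    "cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm "
    "constant_tsc pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt aes xsave "
    "avx f16c rdrand hypervisor lahf_lm fsgsbase smep erms xsaveopt\n";

/* Constructed sample: pre-Ivy-Bridge CPU, no "smep" flag. */
static const char SAMPLE_CPUINFO_OLD[] =
    "processor\t: 0\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca "
    "cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm\n";

/* True if `flag` appears as a whole space-separated token on a "flags" line.
 * Whole-token matching matters: "sme" must not match "smep", "smap" != "smep". */
bool cpuinfo_has_flag(const char *cpuinfo, const char *flag)
{
    size_t flen = strlen(flag);
    const char *line = cpuinfo;

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        const char *end = line + llen;

        if (llen >= 5 && strncmp(line, "flags", 5) == 0) {
            const char *p = memchr(line, ':', llen);
            if (p) {
                p++;                                  /* skip the ':' */
                while (p < end) {
                    while (p < end && (*p == ' ' || *p == '\t'))
                        p++;                          /* skip separators */
                    const char *tok = p;
                    while (p < end && *p != ' ' && *p != '\t')
                        p++;                          /* consume one token */
                    if ((size_t)(p - tok) == flen && memcmp(tok, flag, flen) == 0)
                        return true;
                }
            }
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return false;
}

/* Same check against the live /proc/cpuinfo. Returns 1/0, or -1 if unreadable
 * (non-Linux host). The buffer only needs the first CPU's flags line, which
 * sits at the top of the file, so truncation on many-core machines is fine. */
int live_cpuinfo_has_flag(const char *flag)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/cpuinfo", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return cpuinfo_has_flag(buf, flag) ? 1 : 0;
}

#define KERNEL_HALF_BIT (UINT64_C(1) << 63)

/* What the high-bit instrumentation would apply to every indirect call target. */
uint64_t force_kernel_half(uint64_t target)
{
    return target | KERNEL_HALF_BIT;
}

/* Simplified split check under the same assumption: bit 63 clear == userspace. */
bool is_userspace_address(uint64_t addr)
{
    return (addr & KERNEL_HALF_BIT) == 0;
}

int main(void)
{
    printf("constructed Ivy Bridge sample: smep=%d\n",
           cpuinfo_has_flag(SAMPLE_CPUINFO_IVB, "smep"));
    printf("constructed older sample:      smep=%d\n",
           cpuinfo_has_flag(SAMPLE_CPUINFO_OLD, "smep"));
    printf("this host: smep=%d (-1 = /proc/cpuinfo unreadable)\n",
           live_cpuinfo_has_flag("smep"));

    uint64_t user_target = UINT64_C(0x0000000000400000); /* typical user text */
    uint64_t kern_target = UINT64_C(0xffffffff81000000); /* typical x86-64 kernel text */
    printf("user   target 0x%016" PRIx64 " -> 0x%016" PRIx64 " (faults: not a valid kernel address)\n",
           user_target, force_kernel_half(user_target));
    printf("kernel target 0x%016" PRIx64 " -> 0x%016" PRIx64 " (unchanged)\n",
           kern_target, force_kernel_half(kern_target));
    return 0;
}
```

The cpuinfo check is only a capability check: the "smep" flag says the CPU supports it, not that the running kernel enabled it in CR4, so treat a 1 as necessary rather than sufficient. On arm64 PXN is a page-table attribute rather than a cpuinfo flag, so the table row for v8.0+ has no equivalent userspace-visible check here.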