Exploit Methods/Userspace execution
Once an attacker has gained control over the instruction pointer, it must be aimed somewhere. The place where attackers have the most control over memory layout tends to be userspace, so it has been natural to place malicious code in userspace and have the kernel redirect execution there.
For more details, see Userspace access, as that is technically a superset of userspace execution.
- hardware segmentation: SMEP (x86), PXN (arm)
- compiler instrumentation to set the high bit on function call targets
- emulate memory segmentation via separate page tables (e.g. PAX_MEMORY_UDEREF)
Right now, the upstream options available for Privileged eXecute Never (e.g. PXN, SMEP) are:
| Architecture | Hardware | Option |
|---|---|---|
| ARM | ARMv7 32-bit non-LPAE | CONFIG_CPU_SW_DOMAIN_PAN |
| ARM | ARMv7 32-bit LPAE (e.g. Cortex-A7, A15+) | hardware PXN |
| x86 | Ivy-Bridge+ (since May 2012) | hardware PXN (SMEP) |
| s/390 | | hardware PXN (Address Spaces) |
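As an added illustration (not code from this wiki or from the kernel), the following models two of the mitigations listed above over a constructed set of control-transfer targets: the SMEP/PXN-style hardware rule that refuses privileged execution from a user-accessible page, and the compiler-instrumentation rule that forces the high bit on every indirect call target. The page table, addresses and flag values are constructed for the example and are not real kernel data.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SHIFT  12
#define PTE_PRESENT 0x1u
#define PTE_USER    0x2u   /* page mapped user-accessible (x86 U/S bit, arm PXN-relevant) */

/* Constructed page table: page frame number -> flags. Not real kernel data. */
struct pte { uint64_t pfn; unsigned flags; };
static const struct pte page_table[] = {
    { 0x7f0000000ULL,     PTE_PRESENT | PTE_USER },  /* attacker-controlled userspace page */
    { 0xffffffff81000ULL, PTE_PRESENT },             /* kernel text page, supervisor only */
};

static const struct pte *pte_lookup(uint64_t addr)
{
    for (size_t i = 0; i < sizeof page_table / sizeof page_table[0]; i++)
        if (page_table[i].pfn == (addr >> PAGE_SHIFT))
            return &page_table[i];
    return NULL;   /* unmapped: a control transfer here faults */
}

/* Hardware rule (SMEP / PXN): instruction fetch at the privileged level from a
 * page marked user-accessible is refused, even though the page is mapped. */
bool priv_exec_allowed(uint64_t target)
{
    const struct pte *p = pte_lookup(target);
    return p != NULL && (p->flags & PTE_PRESENT) && !(p->flags & PTE_USER);
}

/* Compiler-instrumentation rule: every indirect call/return target gets its
 * high bit forced on, so a hijacked pointer can never name a userspace
 * address. On x86-64 with 48-bit canonical addresses the result for a user
 * pointer is non-canonical, so the transfer faults instead of running the payload. */
uint64_t force_high_bit(uint64_t target)
{
    return target | (1ULL << 63);
}

int main(void)
{
    uint64_t user_payload = 0x7f0000000abcULL;     /* constructed attacker target */
    uint64_t kernel_fn    = 0xffffffff81000123ULL; /* constructed legitimate target */
    printf("kernel target allowed: %d\n", priv_exec_allowed(kernel_fn));
    printf("user payload allowed : %d\n", priv_exec_allowed(user_payload));
    printf("instrumented user ptr: %#llx allowed: %d\n",
           (unsigned long long)force_high_bit(user_payload),
           priv_exec_allowed(force_high_bit(user_payload)));
    return 0;
}
```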