Return-to-direct-mapped memory (ret2dir): new kernel exploitation technique

MrBrian · Dec 11, 2014

From ret2dir: Rethinking Kernel Isolation (2014 paper):

Abstract:

Return-to-user (ret2usr) attacks redirect corrupted kernel pointers to data residing in user space. In response, several kernel-hardening approaches have been proposed to enforce a more strict address space separation, by preventing arbitrary control flow transfers and dereferences from kernel to user space. Intel and ARM also recently introduced hardware support for this purpose in the form of the SMEP, SMAP, and PXN processor features. Unfortunately, although mechanisms like the above prevent the explicit sharing of the virtual address space among user processes and the kernel, conditions of implicit sharing still exist due to fundamental design choices that trade stronger isolation for performance.

In this work, we demonstrate how implicit page frame sharing can be leveraged for the complete circumvention of software and hardware kernel isolation protections. We introduce a new kernel exploitation technique, called return-to-direct-mapped memory (ret2dir), which bypasses all existing ret2usr defenses, namely SMEP, SMAP, PXN, KERNEXEC, UDEREF, and kGuard. We also discuss techniques for constructing reliable ret2dir exploits against x86, x86-64, AArch32, and AArch64 Linux targets. Finally, to defend against ret2dir attacks, we present the design and implementation of an exclusive page frame ownership scheme for the Linux kernel that prevents the implicit sharing of physical memory pages with minimal runtime overhead.
Click to expand...

142395 · Dec 12, 2014

Seems good read, though it's too difficult for me.
Still it gives me some hints about kernel exploit, so the problem is in sharing of virtual memory space.

Log in or Sign up

Return-to-direct-mapped memory (ret2dir): new kernel exploitation technique

MrBrian Registered Member

142395 Guest

Log in or Sign up

Return-to-direct-mapped memory (ret2dir): new kernel exploitation technique

MrBrian Registered Member

142395 Guest

Useful Searches