LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Attacking hardened Linux systems with kernel JIT spraying

Attacking hardened Linux systems with kernel JIT spraying

Posted Nov 18, 2012 23:45 UTC (Sun) by yann.morin.1998 (subscriber, #54333)
In reply to: Attacking hardened Linux systems with kernel JIT spraying by patrick_g
Parent article: Attacking hardened Linux systems with kernel JIT spraying

> > PaX's KERNEXEC feature implements in software a policy very similar to SMEP. And indeed, the JIT spray exploit succeeds where a traditional jump-to-userspace fails. (grsecurity has other features that would mitigate this attack, like the ability to lock out users who oops the kernel.)

> Does it mean a PaX hardened kernel is **more** vulnerable than a mainline kernel (with BPF JIT disabled)?

What I understood (not being a native english speaker either, as you know ;-) ) is:

- JIT disabled: no issue, as it's not even possible to attack the JIT, it being disabled
- JIT enabled, with PaX' KERNEXEC: JIT was successfully subverted
- JIT enabled, with SMEP: unknown, but probably similar to PaX' KERNEXEC, as the thechnique is the same

Hop,
Me.

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds