
Attacking hardened Linux systems with kernel JIT spraying


Posted Nov 18, 2012 20:41 UTC (Sun) by dilinger (subscriber, #2867)
Parent article: Attacking hardened Linux systems with kernel JIT spraying

The end of the post has relevant information, for those concerned about the practicality of such an attack (and not so much the details):

"I'll admit that this is mostly a curiosity, for two reasons:

SMEP is not widely deployed yet.
The BPF JIT is disabled by default, and distributions don't enable it.
Unless Intel abandons SMEP in subsequent processors, it will be widespread within a few years. It's less clear that the BPF JIT will ever catch on as a default configuration. But I'll note in passing that Linux is now using BPF programs for process sandboxing as well."

Also:

"I don't have a CPU with SMEP, but I did try a grsecurity / PaX hardened kernel. PaX's KERNEXEC feature implements in software a policy very similar to SMEP. And indeed, the JIT spray exploit succeeds where a traditional jump-to-userspace fails. (grsecurity has other features that would mitigate this attack, like the ability to lock out users who oops the kernel.)"
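The two conditions the quoted passage names (whether the CPU advertises SMEP, and whether the BPF JIT is switched on) are both readable from the running kernel. The following audit script is an added example, not part of the comment or the article; it reads the real interfaces /proc/cpuinfo and /proc/sys/net/core/bpf_jit_enable and also accepts their contents as strings so it can be exercised on constructed input.

```python
"""Audit a Linux host for the conditions under which kernel JIT spraying is relevant."""
from pathlib import Path

# Real kernel interfaces (both exist on Linux; bpf_jit_enable only where the arch has a JIT).
CPUINFO = Path("/proc/cpuinfo")
BPF_JIT_ENABLE = Path("/proc/sys/net/core/bpf_jit_enable")  # 0 = off, 1 = on, 2 = on + debug dump


def cpu_has_smep(cpuinfo_text: str) -> bool:
    """True if any 'flags' line in /proc/cpuinfo text lists the 'smep' feature."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            _, _, flags = line.partition(":")
            if "smep" in flags.split():
                return True
    return False


def bpf_jit_state(sysctl_text: str) -> str:
    """Map the sysctl value to a readable state; unknown values are reported as such."""
    return {"0": "disabled", "1": "enabled", "2": "enabled+debug"}.get(sysctl_text.strip(), "unknown")


def assess(cpuinfo_text: str, sysctl_text: str) -> dict:
    """Combine both facts. JIT spraying needs the JIT; SMEP (or KERNEXEC) is what it is built to bypass,
    so a host with the JIT enabled is the one where the article's caveat no longer applies."""
    jit = bpf_jit_state(sysctl_text)
    return {
        "smep": cpu_has_smep(cpuinfo_text),
        "bpf_jit": jit,
        "jit_spray_relevant": jit.startswith("enabled"),
    }


def assess_host() -> dict:
    """Run the check against the live kernel; report the error if the files are unreadable."""
    try:
        return assess(CPUINFO.read_text(), BPF_JIT_ENABLE.read_text())
    except OSError as exc:
        return {"error": str(exc)}


# Constructed sample input (not captured from any real machine).
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme sse sse2 smep\n"

if __name__ == "__main__":
    print(assess(SAMPLE_CPUINFO, "1\n"))
    print(assess_host())
```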



Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds