From: Yves-Alexis Perez <corsac@debian.org>
To: kernel-hardening@lists.openwall.com
Subject: [kernel-hardening] [CSW16] Getting Physical: Extreme Abuse of Intel Based Paging Systems
Date: Wed, 23 Mar 2016 13:32:07 +0100
Message-ID: <1458736327.5889.19.camel@debian.org>
[wasn't sure whether I should cross-post to oss-sec or not]
In case some people would be interested, Nicolas Economou and Enrique Nissim
gave a presentation last week at CanSecWest about what you can do with a
kernel arbitrary write with the current paging situation on Intel hardware, in
Linux and Windows. The slides (and code for Linux) are available at:
https://github.com/n3k/CansecWest2016_Getting_Physical_Extreme_Abuse_of_Intel_Based_Paging_Systems/
There might be (a lot of) other ways to exploit a running kernel with an
arbitrary write, but it's still quite interesting.
The authors give some advice at the end (slide 84 “Linux conclusion”):
- Paging tables shouldn’t be in *fixed addresses*
- It can be abused by LOCAL and REMOTE kernel exploits
- All fixed paging structures should be *read-only*
- Some advice, compile the kernel with Grsec ;-)
Regards,
--
Yves-Alexis