Secure Operating Systems


Presentation Transcript


  1. Secure Operating Systems Lesson 0x12h: Return to User

  2. Where are we?
  • Done! Yay! Code Complete!
  • But there’s always more
  • So, let’s look at a new trend in OS exploitation: ret2usr

  3. Exploiting the Kernel
  • When we exploit the kernel, it can be hard to actually gain control
  • In particular, NULL pointer dereference has often been thought of as unexploitable…
  • Fortunately (?) that’s not true: return to user!!!

  4. Underlying Vuln
  • Think about memory layout for a little bit…
  • Right… the kernel can still read and write user space (any part of user space)
  • This means that ‘nuisance’ attacks like NULL pointer dereference can be deadly in kernel space (i.e. deadly == not just a DoS attack)

  5. What happens…
  • Imagine we can get a struct inside the kernel to be dereferenced, and this struct contains a function pointer which the kernel will use…
  • Boom! The pointer now points into memory that is mapped in user mode (somewhere around 0x000000nn, typically)
  • Aside: this is really confused deputy all over again
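  A user-space model of the pattern described on slide 5, added here as an illustration (it is not code from the slides or from any real kernel): a kernel object carries a table of function pointers, and code that calls through the table without validating it turns an unset pointer into a control-flow hijack. The names (sock_ops, demo_ioctl, dispatch_checked and so on) are invented for this example.

```c
/* Added example, not from the slides: model of the ret2usr-prone pattern.
 * A kernel object holds an "ops" table of function pointers.  Calling
 * through that table when the object is only half initialised means the
 * CPU fetches the pointer from address 0 + offset, i.e. from a page the
 * kernel can read even though it belongs to user space (slide 4), and
 * then calls whatever value it found there.
 * All names below are invented for this illustration. */
#include <stddef.h>

#define EINVAL_NEG (-22)   /* mirrors the kernel's -EINVAL convention */

struct sock_ops {
    int (*ioctl)(int cmd);        /* function pointer the "kernel" will call */
};

struct sock {
    const struct sock_ops *ops;   /* NULL until the object is fully set up */
};

/* Constructed handler standing in for a real ioctl implementation. */
static int demo_ioctl(int cmd) { return cmd * 2; }

/* Vulnerable pattern: dereferences sk->ops and calls ops->ioctl blindly.
 * With sk->ops == NULL the pointer is read from address 0 + offsetof(ioctl);
 * the call then goes to whatever that page holds.  Not called with a NULL
 * ops below because it would fault. */
int dispatch_unchecked(struct sock *sk, int cmd)
{
    return sk->ops->ioctl(cmd);
}

/* Hardened pattern: refuse the call unless every link of the chain is set.
 * This is the minimal kernel-side fix; system-wide mitigations such as
 * SMEP (slide 7) are the backstop for the cases such a check is missed. */
int dispatch_checked(struct sock *sk, int cmd)
{
    if (sk == NULL || sk->ops == NULL || sk->ops->ioctl == NULL)
        return EINVAL_NEG;
    return sk->ops->ioctl(cmd);
}

static const struct sock_ops demo_ops = { .ioctl = demo_ioctl };

/* Two scenarios returned as values so the outcome can be checked. */
int scenario_initialised(int cmd)
{
    struct sock sk = { .ops = &demo_ops };   /* fully initialised object */
    return dispatch_checked(&sk, cmd);
}

int scenario_uninitialised(int cmd)
{
    struct sock sk = { .ops = NULL };        /* the half-built object */
    return dispatch_checked(&sk, cmd);       /* dispatch_unchecked would fault here */
}
```

  The hardened dispatcher only closes the one hole it checks for; the point of the slide is that the same fetch-and-call shape appears throughout a kernel, which is why the architectural mitigations on slide 7 matter.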

  6. Example Exploit
  • Let’s look at the step-by-step vuln in the paper…
  • Discussion: turtles all the way down?

  7. SMEP
  • Supervisor Mode Execution Prevention
  • Prevents execution of a user-mode code page while in CPL=0
  • Note: does not prevent modification (read and write) of user pages
  • Raises a #PF (page fault), not a #GP
  • Can use kernel mode ROP to avoid this…
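  A small checker, added here as an example rather than taken from the slides, for whether a Linux/x86 machine has the two common mitigations against the attack on slides 4 and 5: SMEP (reported as the "smep" flag in /proc/cpuinfo) and a non-zero vm.mmap_min_addr sysctl, which stops an unprivileged process from mapping the low page a kernel NULL dereference would land in. The parsing and scoring helpers take strings so they can be exercised on constructed input; main() reads the real proc files when run on Linux. Function names are this example's own.

```c
/* Added example, not from the slides: report whether the mitigations that
 * make a kernel NULL-pointer dereference a plain crash instead of ret2usr
 * are present on a Linux/x86 host.
 *   1. vm.mmap_min_addr > 0   -> user space cannot map the page at 0
 *   2. cpuinfo flag "smep"     -> CPL=0 execution of a user page faults
 * Helpers take strings so the logic runs on constructed input offline. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Return 1 if the space-separated flag list (one line) contains exactly
 * `flag`.  Token-wise comparison avoids matching "smep" inside another
 * flag name; scanning stops at the end of the line. */
int flags_have(const char *flags_line, const char *flag)
{
    size_t n = strlen(flag);
    const char *p = flags_line;
    while (*p && *p != '\n') {
        while (*p == ' ' || *p == '\t') p++;
        const char *start = p;
        while (*p && *p != ' ' && *p != '\t' && *p != '\n') p++;
        if ((size_t)(p - start) == n && memcmp(start, flag, n) == 0)
            return 1;
    }
    return 0;
}

/* Parse the text of /proc/sys/vm/mmap_min_addr; -1 on malformed input. */
long parse_mmap_min_addr(const char *text)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || errno != 0 || v < 0) return -1;
    return v;
}

/* Number of missing mitigations: 0 = both present, 2 = neither, meaning a
 * kernel NULL dereference is directly usable as ret2usr. */
int ret2usr_risk(long mmap_min_addr, int has_smep)
{
    int missing = 0;
    if (mmap_min_addr <= 0) missing++;
    if (!has_smep) missing++;
    return missing;
}

/* Read a small text file into buf (NUL-terminated); 0 on success. */
static int read_small_file(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t got = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[got] = '\0';
    return 0;
}

int main(void)
{
    static char cpuinfo[1 << 16];
    char minaddr[64];
    int has_smep = 0;
    long min_addr = -1;

    if (read_small_file("/proc/cpuinfo", cpuinfo, sizeof cpuinfo) == 0) {
        /* the first "flags" line is enough; every core reports the same set */
        const char *line = strstr(cpuinfo, "\nflags");
        const char *colon = line ? strchr(line, ':') : NULL;
        if (colon) has_smep = flags_have(colon + 1, "smep");
    }
    if (read_small_file("/proc/sys/vm/mmap_min_addr", minaddr, sizeof minaddr) == 0)
        min_addr = parse_mmap_min_addr(minaddr);

    printf("mmap_min_addr = %ld, smep = %s, missing mitigations = %d\n",
           min_addr, has_smep ? "yes" : "no", ret2usr_risk(min_addr, has_smep));
    return 0;
}
```

  As the slide notes, SMEP only blocks execution of user pages, not reads or writes, and a kernel-mode ROP chain stays entirely in kernel text; it is a backstop against the simplest ret2usr payload, not a complete answer.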

  8. Questions & Comments
  • What do you want to know?
