Thursday, September 15, 2016

Notes about ret2dir & PaX/Grsecurity

A paper, "ret2dir: Rethinking Kernel Isolation", was released two years ago. It claimed that ret2dir can bypass modern mitigations including KERNEXEC/UDEREF/SMEP/SMAP/PXN. In the paper the authors proposed a defensive solution called eXclusive Page Frame Ownership (XPFO), but it was not merged into the vanilla kernel back then. Some people have been trying to merge it again lately.

ret2dir might be a dramatic exploit technique that can be useful for bypassing mitigations, but it's not that "perfect" when it comes to PaX/Grsecurity. KERNEXEC does much more than SMEP/PXN, which simply disallow kernel code execution from userspace pages. I'd like to share a few things (truths?):

1. Even on kernel <= 3.9, a kernel patched with PaX/Grsecurity can prevent the ret2dir attack without enabling any extra features. ret2dir only works if a few highly situational conditions are satisfied. More detail? Please ask those who did the tricks ;-)

2. The full ret2dir attack relies on PFN (page frame number) information. The paper describes two approaches to obtain it:

1) simply read the info from /proc
2) physmap spraying
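As an added defender-side check (not from the original post): the first approach depends on /proc exposing PFNs, and modern kernels zero the PFN field of /proc/<pid>/pagemap for readers without CAP_SYS_ADMIN. The script below, which assumes Linux procfs semantics and a 64-bit pagemap entry layout (bits 0-54 PFN, bit 62 swapped, bit 63 present), decodes pagemap entries and reports whether an unprivileged process still sees non-zero PFNs for its own resident pages; the sample entries are constructed so the decoder can be exercised offline.

```python
import os
import struct
import ctypes

PAGE_SIZE = os.sysconf("SC_PAGE_SIZE") if hasattr(os, "sysconf") else 4096
PFN_MASK = (1 << 55) - 1   # bits 0-54 carry the PFN of a present page
BIT_SWAPPED = 1 << 62
BIT_PRESENT = 1 << 63

def decode_pagemap_entry(raw):
    """Decode one little-endian 64-bit pagemap entry into (present, pfn)."""
    (entry,) = struct.unpack("<Q", raw)
    present = bool(entry & BIT_PRESENT) and not (entry & BIT_SWAPPED)
    return present, (entry & PFN_MASK) if present else 0

def pfn_leak_verdict(entries):
    """Count resident pages and how many of them revealed a non-zero PFN.
    A hardened kernel zeroes the PFN field for readers without CAP_SYS_ADMIN,
    so an unprivileged caller should see 'leaked' == 0."""
    resident = [pfn for present, pfn in entries if present]
    return {"resident": len(resident), "leaked": sum(1 for pfn in resident if pfn)}

def live_check(npages=4):
    """Touch a private buffer, read its /proc/self/pagemap entries and return the
    verdict, or None where pagemap is unavailable (non-Linux, old kernels that
    refuse unprivileged open, or a sandbox without procfs)."""
    buf = ctypes.create_string_buffer(npages * PAGE_SIZE)
    for i in range(0, npages * PAGE_SIZE, PAGE_SIZE):
        buf[i] = b"\x01"                      # write so the page is resident
    first_page = ctypes.addressof(buf) // PAGE_SIZE
    entries = []
    try:
        with open("/proc/self/pagemap", "rb", buffering=0) as f:
            f.seek(first_page * 8)            # one 8-byte entry per virtual page
            for _ in range(npages):
                raw = f.read(8)
                if len(raw) != 8:
                    break
                entries.append(decode_pagemap_entry(raw))
    except OSError:
        return None
    return pfn_leak_verdict(entries)

# Constructed sample entries (not captured from a real system).
SAMPLE_HARDENED = [struct.pack("<Q", BIT_PRESENT), struct.pack("<Q", 0)]
SAMPLE_LEAKY = [struct.pack("<Q", BIT_PRESENT | 0x1234), struct.pack("<Q", 0)]

if __name__ == "__main__":
    print("this host:", live_check())
```

Run it as an unprivileged user: a non-zero "leaked" count means the kernel still hands out physical frame numbers, which is exactly the prerequisite the first approach relies on.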

Unfortunately, all exploits we've found in the past 18 months (public exploits and ones unpacked from malware) use the 1st approach. The evidence shows that all other ret2dir exploits are copycats of these two ret2dir exploit examples (exploit writers aren't working hard?):

IMHO, ROP is the only option left for a ret2dir attack. But creating a ROP chain is not that easy on a PaX/Grsecurity kernel even without RAP, is it?
