* [kernel-hardening] [CSW16] Getting Physical: Extreme Abuse of Intel Based Paging Systems
@ 2016-03-23 12:32 Yves-Alexis Perez
0 siblings, 0 replies; only message in thread
From: Yves-Alexis Perez @ 2016-03-23 12:32 UTC (permalink / raw)
To: kernel-hardening
[-- Attachment #1: Type: text/plain, Size: 920 bytes --]
[wasn't sure whether I should cross-post to oss-sec or not]
In case some people would be interested, Nicolas Economou and Enrique Nissim
gave a presentation last week at CanSecWest about what you can do with a
kernel arbitrary write with current paging situation on Intel hardware, in
Linux and Windows. The slides (and code for Linux) are available at:
https://github.com/n3k/CansecWest2016_Getting_Physical_Extreme_Abuse_of_Intel_
Based_Paging_Systems/
There might be (a lot of) other way to exploit a running kernel with an
arbitrary write, but it's still quite interesting.
The authors give some advice at the end (slide 84 “Linux conclusion”):
- Paging tables shouldn’t be in *fixed addresses*
- It can be abused by LOCAL and REMOTE kernel exploits
- All fixed paging structures should be *read-only*
- Some advice, compile the kernel with Grsec ;-)
Regards,
--
Yves-Alexis
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 473 bytes --]
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2016-03-23 12:32 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-03-23 12:32 [kernel-hardening] [CSW16] Getting Physical: Extreme Abuse of Intel Based Paging Systems Yves-Alexis Perez
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).