Page table manipulation attack

Jung Seung Lee, Hyoung Min Ham, In Hwan Kim, Joo Seok Song

Research output: Chapter in Book/Report/Conference proceedingConference contribution

3 Citations (Scopus)

Abstract

The kernel exploit attacks have recently become difficult to be launched because executing either malicious scripts or instructions is prohibited by the DEP/NX (Data Execution Prevention/Not Executable). As an alternative way, return-oriented programming (ROP) could be another option to treat the prevention. However, despite lots of cost for making ROP gadgets, it has no guarantee to assemble the proper gadgets. To overcome this limitation, we introduce Page Table Manipulation Attack (PTMA) to alter memory attribute through page table modification. This attack enables an attacker to rewrite memory attribute of protected memory. We show how to find the page table entry of interest in Master Kernel Page Table and modify its attribute in AArch32 and x86-64. The results show that PTMA effectively circumvents the existing kernel exploitation defenses that are based on memory permission. Copyright is held by the flowner/author(s).

Original languageEnglish
Title of host publicationCCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
PublisherAssociation for Computing Machinery
Pages1644-1646
Number of pages3
ISBN (Electronic)9781450338325
DOIs
Publication statusPublished - 2015 Oct 12
Event22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015 - Denver, United States
Duration: 2015 Oct 122015 Oct 16

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
Volume2015-October
ISSN (Print)1543-7221

Other

Other22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015
CountryUnited States
CityDenver
Period15/10/1215/10/16

Fingerprint

Data storage equipment
Costs

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications

Cite this

Lee, J. S., Ham, H. M., Kim, I. H., & Song, J. S. (2015). Page table manipulation attack. In CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (pp. 1644-1646). (Proceedings of the ACM Conference on Computer and Communications Security; Vol. 2015-October). Association for Computing Machinery. https://doi.org/10.1145/2810103.2810121
Lee, Jung Seung ; Ham, Hyoung Min ; Kim, In Hwan ; Song, Joo Seok. / Page table manipulation attack. CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, 2015. pp. 1644-1646 (Proceedings of the ACM Conference on Computer and Communications Security).
@inproceedings{0cbf27de230d40c185c25883323c3b26,
title = "Page table manipulation attack",
abstract = "The kernel exploit attacks have recently become difficult to be launched because executing either malicious scripts or instructions is prohibited by the DEP/NX (Data Execution Prevention/Not Executable). As an alternative way, return-oriented programming (ROP) could be another option to treat the prevention. However, despite lots of cost for making ROP gadgets, it has no guarantee to assemble the proper gadgets. To overcome this limitation, we introduce Page Table Manipulation Attack (PTMA) to alter memory attribute through page table modification. This attack enables an attacker to rewrite memory attribute of protected memory. We show how to find the page table entry of interest in Master Kernel Page Table and modify its attribute in AArch32 and x86-64. The results show that PTMA effectively circumvents the existing kernel exploitation defenses that are based on memory permission. Copyright is held by the flowner/author(s).",
author = "Lee, {Jung Seung} and Ham, {Hyoung Min} and Kim, {In Hwan} and Song, {Joo Seok}",
year = "2015",
month = "10",
day = "12",
doi = "10.1145/2810103.2810121",
language = "English",
series = "Proceedings of the ACM Conference on Computer and Communications Security",
publisher = "Association for Computing Machinery",
pages = "1644--1646",
booktitle = "CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security",

}

Lee, JS, Ham, HM, Kim, IH & Song, JS 2015, Page table manipulation attack. in CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, vol. 2015-October, Association for Computing Machinery, pp. 1644-1646, 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, Denver, United States, 15/10/12. https://doi.org/10.1145/2810103.2810121

Page table manipulation attack. / Lee, Jung Seung; Ham, Hyoung Min; Kim, In Hwan; Song, Joo Seok.

CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, 2015. p. 1644-1646 (Proceedings of the ACM Conference on Computer and Communications Security; Vol. 2015-October).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

TY - GEN

T1 - Page table manipulation attack

AU - Lee, Jung Seung

AU - Ham, Hyoung Min

AU - Kim, In Hwan

AU - Song, Joo Seok

PY - 2015/10/12

Y1 - 2015/10/12

N2 - The kernel exploit attacks have recently become difficult to be launched because executing either malicious scripts or instructions is prohibited by the DEP/NX (Data Execution Prevention/Not Executable). As an alternative way, return-oriented programming (ROP) could be another option to treat the prevention. However, despite lots of cost for making ROP gadgets, it has no guarantee to assemble the proper gadgets. To overcome this limitation, we introduce Page Table Manipulation Attack (PTMA) to alter memory attribute through page table modification. This attack enables an attacker to rewrite memory attribute of protected memory. We show how to find the page table entry of interest in Master Kernel Page Table and modify its attribute in AArch32 and x86-64. The results show that PTMA effectively circumvents the existing kernel exploitation defenses that are based on memory permission. Copyright is held by the flowner/author(s).

AB - The kernel exploit attacks have recently become difficult to be launched because executing either malicious scripts or instructions is prohibited by the DEP/NX (Data Execution Prevention/Not Executable). As an alternative way, return-oriented programming (ROP) could be another option to treat the prevention. However, despite lots of cost for making ROP gadgets, it has no guarantee to assemble the proper gadgets. To overcome this limitation, we introduce Page Table Manipulation Attack (PTMA) to alter memory attribute through page table modification. This attack enables an attacker to rewrite memory attribute of protected memory. We show how to find the page table entry of interest in Master Kernel Page Table and modify its attribute in AArch32 and x86-64. The results show that PTMA effectively circumvents the existing kernel exploitation defenses that are based on memory permission. Copyright is held by the flowner/author(s).

UR - http://www.scopus.com/inward/record.url?scp=84954125559&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84954125559&partnerID=8YFLogxK

U2 - 10.1145/2810103.2810121

DO - 10.1145/2810103.2810121

M3 - Conference contribution

AN - SCOPUS:84954125559

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 1644

EP - 1646

BT - CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery

ER -

Lee JS, Ham HM, Kim IH, Song JS. Page table manipulation attack. In CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery. 2015. p. 1644-1646. (Proceedings of the ACM Conference on Computer and Communications Security). https://doi.org/10.1145/2810103.2810121

Access to Document