TY - GEN
T1 - Page table manipulation attack
AU - Lee, Jung Seung
AU - Ham, Hyoung Min
AU - Kim, In Hwan
AU - Song, Joo Seok
PY - 2015/10/12
Y1 - 2015/10/12
N2 - The kernel exploit attacks have recently become difficult to be launched because executing either malicious scripts or instructions is prohibited by the DEP/NX (Data Execution Prevention/Not Executable). As an alternative way, return-oriented programming (ROP) could be another option to treat the prevention. However, despite lots of cost for making ROP gadgets, it has no guarantee to assemble the proper gadgets. To overcome this limitation, we introduce Page Table Manipulation Attack (PTMA) to alter memory attribute through page table modification. This attack enables an attacker to rewrite memory attribute of protected memory. We show how to find the page table entry of interest in Master Kernel Page Table and modify its attribute in AArch32 and x86-64. The results show that PTMA effectively circumvents the existing kernel exploitation defenses that are based on memory permission. Copyright is held by the owner/author(s).
AB - The kernel exploit attacks have recently become difficult to be launched because executing either malicious scripts or instructions is prohibited by the DEP/NX (Data Execution Prevention/Not Executable). As an alternative way, return-oriented programming (ROP) could be another option to treat the prevention. However, despite lots of cost for making ROP gadgets, it has no guarantee to assemble the proper gadgets. To overcome this limitation, we introduce Page Table Manipulation Attack (PTMA) to alter memory attribute through page table modification. This attack enables an attacker to rewrite memory attribute of protected memory. We show how to find the page table entry of interest in Master Kernel Page Table and modify its attribute in AArch32 and x86-64. The results show that PTMA effectively circumvents the existing kernel exploitation defenses that are based on memory permission. Copyright is held by the owner/author(s).
UR - http://www.scopus.com/inward/record.url?scp=84954125559&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84954125559&partnerID=8YFLogxK
U2 - 10.1145/2810103.2810121
DO - 10.1145/2810103.2810121
M3 - Conference contribution
AN - SCOPUS:84954125559
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 1644
EP - 1646
BT - CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
T2 - 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015
Y2 - 12 October 2015 through 16 October 2015
ER -