Page table manipulation attack

Jung Seung Lee; Hyoung Min Ham; In Hwan Kim; Joo Seok Song

doi:10.1145/2810103.2810121

Page table manipulation attack

Jung Seung Lee, Hyoung Min Ham, In Hwan Kim, Joo Seok Song

Department of Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3 Citations (Scopus)

Abstract

The kernel exploit attacks have recently become difficult to be launched because executing either malicious scripts or instructions is prohibited by the DEP/NX (Data Execution Prevention/Not Executable). As an alternative way, return-oriented programming (ROP) could be another option to treat the prevention. However, despite lots of cost for making ROP gadgets, it has no guarantee to assemble the proper gadgets. To overcome this limitation, we introduce Page Table Manipulation Attack (PTMA) to alter memory attribute through page table modification. This attack enables an attacker to rewrite memory attribute of protected memory. We show how to find the page table entry of interest in Master Kernel Page Table and modify its attribute in AArch32 and x86-64. The results show that PTMA effectively circumvents the existing kernel exploitation defenses that are based on memory permission. Copyright is held by the flowner/author(s).

Original language	English
Title of host publication	CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
Publisher	Association for Computing Machinery
Pages	1644-1646
Number of pages	3
Volume	2015-October
ISBN (Electronic)	9781450338325
DOIs	https://doi.org/10.1145/2810103.2810121
Publication status	Published - 2015 Oct 12
Event	22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015 - Denver, United States Duration: 2015 Oct 12 → 2015 Oct 16

Other

Other	22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015
Country	United States
City	Denver
Period	15/10/12 → 15/10/16

Fingerprint

Data storage equipment

Costs

All Science Journal Classification (ASJC) codes

Software
Computer Networks and Communications

Cite this

Lee, J. S., Ham, H. M., Kim, I. H., & Song, J. S. (2015). Page table manipulation attack. In CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (Vol. 2015-October, pp. 1644-1646). Association for Computing Machinery. https://doi.org/10.1145/2810103.2810121

Lee, Jung Seung ; Ham, Hyoung Min ; Kim, In Hwan ; Song, Joo Seok. / Page table manipulation attack. CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. Vol. 2015-October Association for Computing Machinery, 2015. pp. 1644-1646

@inproceedings{0cbf27de230d40c185c25883323c3b26,

title = "Page table manipulation attack",

abstract = "The kernel exploit attacks have recently become difficult to be launched because executing either malicious scripts or instructions is prohibited by the DEP/NX (Data Execution Prevention/Not Executable). As an alternative way, return-oriented programming (ROP) could be another option to treat the prevention. However, despite lots of cost for making ROP gadgets, it has no guarantee to assemble the proper gadgets. To overcome this limitation, we introduce Page Table Manipulation Attack (PTMA) to alter memory attribute through page table modification. This attack enables an attacker to rewrite memory attribute of protected memory. We show how to find the page table entry of interest in Master Kernel Page Table and modify its attribute in AArch32 and x86-64. The results show that PTMA effectively circumvents the existing kernel exploitation defenses that are based on memory permission. Copyright is held by the flowner/author(s).",

author = "Lee, {Jung Seung} and Ham, {Hyoung Min} and Kim, {In Hwan} and Song, {Joo Seok}",

year = "2015",

month = "10",

day = "12",

doi = "10.1145/2810103.2810121",

language = "English",

volume = "2015-October",

pages = "1644--1646",

booktitle = "CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery",

}

Lee, JS, Ham, HM, Kim, IH & Song, JS 2015, Page table manipulation attack. in CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. vol. 2015-October, Association for Computing Machinery, pp. 1644-1646, 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, Denver, United States, 15/10/12. https://doi.org/10.1145/2810103.2810121

Page table manipulation attack. / Lee, Jung Seung; Ham, Hyoung Min; Kim, In Hwan; Song, Joo Seok.

CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. Vol. 2015-October Association for Computing Machinery, 2015. p. 1644-1646.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Page table manipulation attack

AU - Lee, Jung Seung

AU - Ham, Hyoung Min

AU - Kim, In Hwan

AU - Song, Joo Seok

PY - 2015/10/12

Y1 - 2015/10/12

N2 - The kernel exploit attacks have recently become difficult to be launched because executing either malicious scripts or instructions is prohibited by the DEP/NX (Data Execution Prevention/Not Executable). As an alternative way, return-oriented programming (ROP) could be another option to treat the prevention. However, despite lots of cost for making ROP gadgets, it has no guarantee to assemble the proper gadgets. To overcome this limitation, we introduce Page Table Manipulation Attack (PTMA) to alter memory attribute through page table modification. This attack enables an attacker to rewrite memory attribute of protected memory. We show how to find the page table entry of interest in Master Kernel Page Table and modify its attribute in AArch32 and x86-64. The results show that PTMA effectively circumvents the existing kernel exploitation defenses that are based on memory permission. Copyright is held by the flowner/author(s).

AB - The kernel exploit attacks have recently become difficult to be launched because executing either malicious scripts or instructions is prohibited by the DEP/NX (Data Execution Prevention/Not Executable). As an alternative way, return-oriented programming (ROP) could be another option to treat the prevention. However, despite lots of cost for making ROP gadgets, it has no guarantee to assemble the proper gadgets. To overcome this limitation, we introduce Page Table Manipulation Attack (PTMA) to alter memory attribute through page table modification. This attack enables an attacker to rewrite memory attribute of protected memory. We show how to find the page table entry of interest in Master Kernel Page Table and modify its attribute in AArch32 and x86-64. The results show that PTMA effectively circumvents the existing kernel exploitation defenses that are based on memory permission. Copyright is held by the flowner/author(s).

UR - http://www.scopus.com/inward/record.url?scp=84954125559&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84954125559&partnerID=8YFLogxK

U2 - 10.1145/2810103.2810121

DO - 10.1145/2810103.2810121

M3 - Conference contribution

VL - 2015-October

SP - 1644

EP - 1646

BT - CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery

ER -

Lee JS, Ham HM, Kim IH, Song JS. Page table manipulation attack. In CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. Vol. 2015-October. Association for Computing Machinery. 2015. p. 1644-1646 https://doi.org/10.1145/2810103.2810121

Access to Document

10.1145/2810103.2810121