Page table manipulation attack

Jung Seung Lee; Hyoung Min Ham; In Hwan Kim; Joo Seok Song

doi:10.1145/2810103.2810121

Page table manipulation attack

Jung Seung Lee, Hyoung Min Ham, In Hwan Kim, Joo Seok Song

Department of Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

6 Citations (Scopus)

Abstract

The kernel exploit attacks have recently become difficult to be launched because executing either malicious scripts or instructions is prohibited by the DEP/NX (Data Execution Prevention/Not Executable). As an alternative way, return-oriented programming (ROP) could be another option to treat the prevention. However, despite lots of cost for making ROP gadgets, it has no guarantee to assemble the proper gadgets. To overcome this limitation, we introduce Page Table Manipulation Attack (PTMA) to alter memory attribute through page table modification. This attack enables an attacker to rewrite memory attribute of protected memory. We show how to find the page table entry of interest in Master Kernel Page Table and modify its attribute in AArch32 and x86-64. The results show that PTMA effectively circumvents the existing kernel exploitation defenses that are based on memory permission. Copyright is held by the flowner/author(s).

Original language	English
Title of host publication	CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
Publisher	Association for Computing Machinery
Pages	1644-1646
Number of pages	3
ISBN (Electronic)	9781450338325
DOIs	https://doi.org/10.1145/2810103.2810121
Publication status	Published - 2015 Oct 12
Event	22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015 - Denver, United States Duration: 2015 Oct 12 → 2015 Oct 16

Publication series

Name	Proceedings of the ACM Conference on Computer and Communications Security
Volume	2015-October
ISSN (Print)	1543-7221

Other

Other	22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015
Country	United States
City	Denver
Period	15/10/12 → 15/10/16

All Science Journal Classification (ASJC) codes

Software
Computer Networks and Communications

Access to Document

10.1145/2810103.2810121

Fingerprint Dive into the research topics of 'Page table manipulation attack'. Together they form a unique fingerprint.

Cite this

Lee, J. S., Ham, H. M., Kim, I. H., & Song, J. S. (2015). Page table manipulation attack. In CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (pp. 1644-1646). (Proceedings of the ACM Conference on Computer and Communications Security; Vol. 2015-October). Association for Computing Machinery. https://doi.org/10.1145/2810103.2810121

@inproceedings{0cbf27de230d40c185c25883323c3b26,

title = "Page table manipulation attack",

abstract = "The kernel exploit attacks have recently become difficult to be launched because executing either malicious scripts or instructions is prohibited by the DEP/NX (Data Execution Prevention/Not Executable). As an alternative way, return-oriented programming (ROP) could be another option to treat the prevention. However, despite lots of cost for making ROP gadgets, it has no guarantee to assemble the proper gadgets. To overcome this limitation, we introduce Page Table Manipulation Attack (PTMA) to alter memory attribute through page table modification. This attack enables an attacker to rewrite memory attribute of protected memory. We show how to find the page table entry of interest in Master Kernel Page Table and modify its attribute in AArch32 and x86-64. The results show that PTMA effectively circumvents the existing kernel exploitation defenses that are based on memory permission. Copyright is held by the flowner/author(s).",

author = "Lee, {Jung Seung} and Ham, {Hyoung Min} and Kim, {In Hwan} and Song, {Joo Seok}",

year = "2015",

month = oct,

day = "12",

doi = "10.1145/2810103.2810121",

language = "English",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery",

pages = "1644--1646",

booktitle = "CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security",

note = "22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015 ; Conference date: 12-10-2015 Through 16-10-2015",

}

Lee, JS, Ham, HM, Kim, IH & Song, JS 2015, Page table manipulation attack. in CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, vol. 2015-October, Association for Computing Machinery, pp. 1644-1646, 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, Denver, United States, 15/10/12. https://doi.org/10.1145/2810103.2810121

Page table manipulation attack. / Lee, Jung Seung; Ham, Hyoung Min; Kim, In Hwan; Song, Joo Seok.

CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, 2015. p. 1644-1646 (Proceedings of the ACM Conference on Computer and Communications Security; Vol. 2015-October).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Page table manipulation attack

AU - Lee, Jung Seung

AU - Ham, Hyoung Min

AU - Kim, In Hwan

AU - Song, Joo Seok

PY - 2015/10/12

Y1 - 2015/10/12

N2 - The kernel exploit attacks have recently become difficult to be launched because executing either malicious scripts or instructions is prohibited by the DEP/NX (Data Execution Prevention/Not Executable). As an alternative way, return-oriented programming (ROP) could be another option to treat the prevention. However, despite lots of cost for making ROP gadgets, it has no guarantee to assemble the proper gadgets. To overcome this limitation, we introduce Page Table Manipulation Attack (PTMA) to alter memory attribute through page table modification. This attack enables an attacker to rewrite memory attribute of protected memory. We show how to find the page table entry of interest in Master Kernel Page Table and modify its attribute in AArch32 and x86-64. The results show that PTMA effectively circumvents the existing kernel exploitation defenses that are based on memory permission. Copyright is held by the flowner/author(s).

AB - The kernel exploit attacks have recently become difficult to be launched because executing either malicious scripts or instructions is prohibited by the DEP/NX (Data Execution Prevention/Not Executable). As an alternative way, return-oriented programming (ROP) could be another option to treat the prevention. However, despite lots of cost for making ROP gadgets, it has no guarantee to assemble the proper gadgets. To overcome this limitation, we introduce Page Table Manipulation Attack (PTMA) to alter memory attribute through page table modification. This attack enables an attacker to rewrite memory attribute of protected memory. We show how to find the page table entry of interest in Master Kernel Page Table and modify its attribute in AArch32 and x86-64. The results show that PTMA effectively circumvents the existing kernel exploitation defenses that are based on memory permission. Copyright is held by the flowner/author(s).

UR - http://www.scopus.com/inward/record.url?scp=84954125559&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84954125559&partnerID=8YFLogxK

U2 - 10.1145/2810103.2810121

DO - 10.1145/2810103.2810121

M3 - Conference contribution

AN - SCOPUS:84954125559

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 1644

EP - 1646

BT - CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery

T2 - 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015

Y2 - 12 October 2015 through 16 October 2015

ER -

Page table manipulation attack

Abstract

Publication series

Other

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Cite this