Return-to-user (ret2usr) attacks redirect corrupted kernel pointers to controlled data residing in user space, by taking advantage of the weak separation of the kernel context from user space, as for performance reasons the kernel is typically mapped into the address space of every process. In response to such attacks, several kernel-hardening approaches have been proposed to enforce a more strict address space separation, by preventing arbitrary control flow transfers and dereferences from kernel to user space. Intel and ARM recently introduced hardware support for this purpose in the form of the SMEP, SMAP, and PXN processor features.
In this presentation, we show that although mechanisms like the above prevent the explicit sharing of the virtual address space among user processes and the kernel, conditions of implicit sharing still exist due to fundamental OS design choices that trade stronger isolation for performance. We demonstrate how implicit data sharing can be leveraged for the complete circumvention of software and hardware kernel isolation protections, by introducing a new kernel exploitation technique, dubbed return-to-direct-mapped memory (ret2dir). ret2dir bypasses existing ret2usr protections, such as PaX's KERNEXEC and UDEREF, Intel's SMEP and SMAP, as well as ARM's PXN, by taking advantage of the kernel's direct-mapped physical memory region. We present techniques for constructing ret2dir exploits against x86, x86-64, AArch32, and AArch64 Linux targets that bypass all tested protection mechanisms (KERNEXEC, UDEREF, SMEP, SMAP, and PXN). To mitigate ret2dir attacks, we also discuss the design and implementation of an exclusive page frame ownership scheme for the Linux kernel that prevents the implicit sharing of physical memory pages.