Practical SMEP Bypass Techniques on Linux

Presented at Kiwicon 9: Cyberwar Is Hell (2015), Dec. 10, 2015, 3 p.m. (45 minutes)

The Linux kernel has always been an appealing target for exploit developers due to the exploitation complexity associated with user space processes (ASLR, NX, Canaries, Fortify, RELRO, etc.). Common ret2usr (return-to-user) attacks typically redirect kernel control flow to data residing in user space: a corrupted function or data structure pointer that triggers a privilege escalation payload in user space. These attacks were successful until around 2013 before the introduction of 3rd generation Intel Core processors (Ivy Bridge) with SMEP support. SMEP (Supervisor Mode Execution Protection) is a hardware feature that prevents attempts to execute code (at CPL = 0) residing in user space pages. This kernel-hardening approach is now widely adopted and effectively mitigates common exploitation patterns of kernel vulnerabilities. This presentation introduces practical Linux SMEP bypasses involving in-kernel ROP and spraying techniques. We will demonstrate how to convert an existing exploit code to a fully weaponised SMEP-aware exploit. This talk will concentrate on a specific kernel vulnerability and OS version to demonstrate the bypass but the exploitation techniques presented are generic and can be applied to other Operating Systems that employ explicit sharing of the virtual address space among user processes and the kernel.

Presenters:

  • Vitaly Nikolenko
    Vitaly is a security researcher specialising in malware analysis and exploit development. He has a solid academic background in programming languages, algorithms and cryptography. He is currently focused on Linux kernel exploitation techniques (SMEP/SMAP, ASLR bypasses) and the associated countermeasures. He currently works as a pentester and has performed countless penetration tests for large financial and governmental institutions.

Links:

Similar Presentations: