Secure Operating Systems
Lesson 0x12h: Return to User

Where are we?
- Done! Yay! Code Complete!
- But there's always more
- So, let's look at a new trend in OS exploitation: ret2usr

Exploiting the Kernel
- When we exploit the kernel, it can be hard to actually gain control
- In particular, NULL pointer dereference has often been thought of as unexploitable...
- Fortunately (?) that's not true: return to user!

Underlying Vuln
- Think about memory layout for a little bit...
- Right... the kernel can still write to user space (any part of user space)
- This means that 'nuisance' attacks like NULL pointer dereference can be deadly in kernel space (i.e. deadly == not just a DoS attack)

What happens...
- Imagine we can get a struct inside the kernel to be dereferenced, and this struct contains a function pointer which the kernel will use...
- Boom! The pointer is now in memory which is valid in user mode (somewhere around 0x000000nn, typically)
- Aside: this is really confused deputy all over again

Example Exploit
- Let's look at the step-by-step vuln in the paper...
- Discussion: turtles all the way down?

SMEP
- Supervisor Mode Execution Prevention
- Prevents execution of user-mode code pages at CPL=0
- Note: does not prevent modification (read and write) of those pages
- Does not raise a #GP but a #PF
- Kernel-mode ROP can be used to avoid this...

Questions & Comments
- What do you want to know?
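An added example, not from the slides or the paper they refer to: a user-space C model of the kernel-side pattern described above (a struct holding a function pointer that the kernel will call), shown in its blindly trusting form and in a hardened form that refuses a NULL struct, a NULL handler, or a handler whose address lies outside the code range the caller trusts. The names `struct ops`, `struct text_range`, `dispatch_unchecked` and `dispatch_checked` are assumptions for this illustration; the software range check only mirrors the policy SMEP enforces in hardware, it does not replace it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical ops table, like a kernel struct whose function pointer
 * the kernel will call. ret2usr works when the struct (or the pointer
 * inside it) ends up at an address user space can map, e.g. near 0
 * after a NULL pointer dereference. */
struct ops {
    int (*handler)(int);
};

/* Constructed stand-in for the kernel text section. */
struct text_range {
    uintptr_t lo;   /* inclusive */
    uintptr_t hi;   /* exclusive */
};

/* Vulnerable form: trusts both the struct pointer and the handler.
 * With o == NULL, a kernel would read the handler from page zero,
 * which an attacker may have mapped and filled from user mode. */
static int dispatch_unchecked(struct ops *o, int arg)
{
    return o->handler(arg);
}

/* Hardened form: -1 for a NULL struct or handler, -2 for a handler that
 * points outside the trusted code range (i.e. into memory valid in user
 * mode), otherwise the handler's result. The range check is what SMEP
 * does in hardware: a CPL=0 fetch from a user page raises #PF. */
static int dispatch_checked(struct ops *o, int arg, const struct text_range *r)
{
    if (o == NULL || o->handler == NULL)
        return -1;
    uintptr_t target = (uintptr_t)o->handler;
    if (target < r->lo || target >= r->hi)
        return -2;
    return o->handler(arg);
}

static int double_it(int x) { return 2 * x; }

int main(void)
{
    struct ops good = { double_it };
    struct text_range legit = { (uintptr_t)double_it, (uintptr_t)double_it + 1 };
    struct text_range elsewhere = { 0, 1 };   /* constructed: excludes double_it */
    printf("unchecked, valid ops: %d\n", dispatch_unchecked(&good, 21));
    printf("checked, handler in trusted range: %d\n", dispatch_checked(&good, 21, &legit));
    printf("checked, handler outside range: %d\n", dispatch_checked(&good, 21, &elsewhere));
    printf("checked, NULL struct: %d\n", dispatch_checked(NULL, 21, &legit));
    return 0;
}
```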