Credit: Vasileios P. Kemerlis, Michalis Polychronakis, and Angelos D. Keromytis
ret2dir is a new kernel exploitation technique that uncovered how fundamental OS design practices and implementation decisions can significantly weaken the effectiveness of state-of-the-art kernel protection mechanisms.
Return-to-user (ret2usr) attacks are the de-facto kernel exploitation technique in commodity OSes. In a ret2usr attack, kernel code or data pointers are overwritten with user-space addresses after exploiting certain memory corruption vulnerabilities in kernel code. This allows attackers to execute shellcode with kernel rights by hijacking a privileged control path and redirecting it to user space memory, easily circumventing protections like kernel ASLR and NX. In essence, ret2usr attacks take advantage of the weak separation of the kernel context from user space (i.e., kernel code and data are inaccessible from code running in user mode, but the kernel has complete and unrestricted access to the whole address space, including user code and data), as for performance reasons the kernel is typically mapped into the address space of every running process. In response to such attacks, several kernel-hardening approaches have been proposed to enforce a more strict address space separation, by preventing arbitrary control flow transfers and data accesses from kernel to user space. Intel and ARM recently introduced hardware support for this purpose in the form of the SMEP, SMAP, and PXN processor features.
In their work, Kemerlis et al. showed that although mechanisms like the above prevent the explicit sharing of the virtual address space among user processes and the kernel, conditions of implicit sharing still exist due to fundamental OS design choices that trade stronger isolation for performance. They demonstrated how implicit data sharing can be leveraged for the complete circumvention of software and hardware kernel isolation protections, by introducing a new kernel exploitation technique, dubbed return-to-direct-mapped memory (ret2dir). ret2dir bypasses existing ret2usr protections, such as PaX’s KERNEXEC and UDEREF, Intel’s SMEP and SMAP, as well as ARM’s PXN, by taking advantage of the kernel’s direct-mapped physical memory region. They also presented techniques for constructing ret2dir exploits against x86, x86-64, AArch32, and AArch64 Linux targets that bypass all tested protection mechanisms (KERNEXEC, UDEREF, SMEP, SMAP, and PXN). Finally, to mitigate ret2dir attacks, they also discussed the design and implementation of an eXclusive Page Frame Ownership (XPFO) scheme for the Linux kernel that prevents the implicit sharing of physical memory pages.