Analysis of ROP Attack on Grsecurity/PaX Linux Kernel Security Variables

摘要

The kernel and memory exploitation is highly destructive, and able to take control over one's system in result. Grsecurity/PaX module restrict application that exploit other processes, services or other users' id application introducing prevention method such as Writable XOR Executable (W {direct+}X). However, some modern attacks under code-reuse attack like Return-oriented Programming (ROP) may bypass this defense line easily. In this project, the Grsecurity/PaX compiled Linux kernel, will be tested by building a vulnerable program as sample for demonstration purpose, and constructing an exploit to test this environment. The sample vulnerable program is written in C programming language, whereas Python programming language will be used to construct the attacking script or as direct shell execution purpose, and Perl programming language will be merely used as direct shell execution purpose only. In short, return-oriented programming (ROP) or ROP without return, methods will be mainly used in constructing attack. From the experiment conducted, the combination of those methods is possible to bypass traditional protection like Writable XOR Execution (W {direct+} X) in 32 bits or Never eXecute (NX) in 64 bits. We propose a mitigation technique that can prevent large surface of kernel and memory attacks by killing the common path that taken by ROP attack at very early stage, by using just a few bytes of inline assembly code in C language, to have low performance impact and effective measure.