Precise and Scalable Detection of Double-Fetch Bugs in the Kernel
Speaker: PhD student, School of Computer Science, Georgia Institute of Technology; member of SSLab and IISP

What is Double-Fetch?

Address Space Separation
[Figure: a typical address space separation scheme with a 32-bit virtual address space. 0x00000000 to 0xC0000000 (3 GB): user/program address space; 0xC0000000 to 0xFFFFFFFF (1 GB): kernel address space.]

How To Do A Single Fetch?
[Figure: the same 32-bit address-space diagram. An integer in the user address space holds 0xDEADBEEF; the integer in the kernel address space is uninitialized. The kernel function is declared as:]

    void kfunc(int __user *uptr, int *kptr)

First attempt, a direct dereference of the user pointer:

    *kptr = *uptr;

The slide crosses this out (XXXXXX): no dereference on user-space pointers.

Second attempt, through a transfer function:

    copy_from_user(kptr, uptr, 4);

After the call the kernel-side integer holds 0xDEADBEEF.

Transfer Functions (the designated functions for accessing user-space memory)
[Figure: the same 32-bit address-space diagram, showing copy_from_user(kptr, uptr, 4) copying 0xDEADBEEF from the user address space into the kernel address space.]