[Collaborative post by Mateusz 'j00ru' Jurczyk & Gynvael Coldwind]
Early Sunday morning discussion has resulted in j00ru coming up with an idea to mitigate some variants of kernel exploitation techniques by introducing a CPU feature that would disallow execution control transfers in kernel-mode to code residing in user memory area pages (e.g. addresses < 0x80000000 on a 32-bit Windows with default settings). The idea was that the system would mark every page as either being allowed to execute code in ring-0 or not. And hey, guess what... Intel has already proposed such a feature a month ago! Furthermore, it seems that this exact idea was already described in 2008 by Joanna Rutkowska, and two days ago she has published a follow up post on her blog.
Pełna wersja posta jest dostępna po angielskiej stronie lustra (zgodnie z poprzednimi ustaleniami).
Sections
- lang:
| 
- RSS: |
- About me
- Tools
- → YT YouTube (EN)
- → D Discord
- → M Mastodon
- → T Twitter
- → GH GitHub
Links / Blogs
- → dragonsector.pl
- → vexillium.org
- Security/Hacking:
- Reverse Eng./Low-Level:
- Programming/Code:
Posts
- Thoughts on overlarge fields in formats and protocols,
- On self-healing code and the obvious issue,
- LLM + Clean Room: Will LLMs be the death of code copyrights?,
- Solving a VM-based CTF challenge without solving it properly,
- Asking MEMORY.DMP and Volatility to make up,
- KnightCTF 2023 write-ups (RE category),
- Dev Log: Moving contacts from Android to MaxCom MM721,
- Weird PCI-e connector actually works,
- A clever Python challenge – find flag,
- Debug Log: The mystery of usb 3-11 device,
- → see all posts on main page
Add a comment: