[Collaborative post by Mateusz 'j00ru' Jurczyk & Gynvael Coldwind]

Early Sunday morning discussion has resulted in j00ru coming up with an idea to mitigate some variants of kernel exploitation techniques by introducing a CPU feature that would disallow execution control transfers in kernel-mode to code residing in user memory area pages (e.g. addresses < 0x80000000 on a 32-bit Windows with default settings). The idea was that the system would mark every page as either being allowed to execute code in ring-0 or not. And hey, guess what... Intel has already proposed such a feature a month ago! Furthermore, it seems that this exact idea was already described in 2008 by Joanna Rutkowska, and two days ago she has published a follow up post on her blog.

Pełna wersja posta jest dostępna po angielskiej stronie lustra (zgodnie z poprzednimi ustaleniami).

Add a comment:

URL (optional):
Math captcha: 1 ∗ 3 + 2 =