[Info-vax] Malware in kernel mode
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Fri Sep 26 15:53:40 EDT 2014
On 2014-09-26, Stephen Hoffman <seaohveh at hoffmanlabs.invalid> wrote:
> On 2014-09-26 14:25:00 +0000, Paul Sture said:
>> Alpha and Itanium got an honourable mention in the OmniUnpack paper...
>
> <http://www.acsa-admin.org/2007/papers/151.pdf>
>
>> (PDF page 5)
>> "Many hardware architectures (e.g., Intel IA-64, Sun Sparc, Alpha)
>> offer facilities to enforce the W ⊕ X policy through support for read,
>> write, and execute permissions at the page level. Unfortunately, the
>> architecture targeted by the vast majority of malicious programs (Intel
>> IA-32) lacks such facilities."
>
> That reference apparently pre-dates the NX no-execute / XD
> execute-disable support available in x86-64.
> <http://en.wikipedia.org/wiki/NX_bit>
>
Yes, I've heard of the NX bit. :-)
However, can I ask if you have heard of Return-Oriented Programming?
Here's some reading material:
https://crypto.stanford.edu/~blynn/rop/
IOW, don't assume that just because there's an NX bit that it's not
possible to work around it.
Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
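The point made in this message, that an NX bit on its own does not settle the question, is the usual reason a binary's whole mitigation set is audited rather than NX alone: a non-executable stack stops injected code from running, while position independence (so ASLR can move the code that return-oriented chains would reuse) and RELRO (read-only relocation tables) raise the cost of the workaround. The following is an added example, not code from this thread, the OmniUnpack paper or the Stanford page linked above. It is a small ELF64 program-header parser that reports whether a binary requests a non-executable stack (a PT_GNU_STACK header without PF_X), whether it is position-independent (ET_DYN), whether it carries a PT_GNU_RELRO segment, and whether any PT_LOAD segment is both writable and executable. The two ELF images it inspects are constructed inline from headers only, as test data; they contain no code and are not real binaries.

```python
import struct

# ELF constants as defined in the ELF specification / elf.h
ET_EXEC, ET_DYN = 2, 3
EM_X86_64 = 62
PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

EHDR_FMT = "<16sHHIQQQIHHHHHH"        # ELF64 file header, little-endian (64 bytes)
PHDR_FMT = "<IIQQQQQQ"                # ELF64 program header (56 bytes)
EHDR_SIZE = struct.calcsize(EHDR_FMT)
PHDR_SIZE = struct.calcsize(PHDR_FMT)


def audit_elf(data):
    """Return the memory-protection posture recorded in an ELF64 image's program headers.

    'nx' is True only when the binary explicitly asks for a non-executable stack;
    if PT_GNU_STACK is absent the loader's default decides, and we report False
    because the binary itself has not asserted the protection.
    """
    if len(data) < EHDR_SIZE or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (_ident, e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from(EHDR_FMT, data, 0)

    report = {"nx": False, "pie": e_type == ET_DYN, "relro": False, "wx_segments": 0}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 8 > len(data):
            raise ValueError("program header table runs past end of file")
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            report["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            report["relro"] = True
        elif p_type == PT_LOAD and (p_flags & PF_W) and (p_flags & PF_X):
            report["wx_segments"] += 1      # a W+X mapping defeats W ⊕ X outright
    return report


def findings(report):
    """Translate an audit report into the list of weaknesses an auditor would flag."""
    out = []
    if not report["nx"]:
        out.append("stack not marked non-executable")
    if not report["pie"]:
        out.append("not position-independent (fixed addresses help code reuse)")
    if not report["relro"]:
        out.append("no RELRO segment")
    if report["wx_segments"]:
        out.append("%d writable+executable segment(s)" % report["wx_segments"])
    return out


def build_sample(e_type, stack_flags, with_relro, with_wx_load):
    """Construct a minimal ELF64 image (headers only, no code) for testing the auditor."""
    text_flags = PF_R | PF_X | (PF_W if with_wx_load else 0)
    phdrs = [
        (PT_LOAD, text_flags, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000),
        (PT_LOAD, PF_R | PF_W, 0x1000, 0x601000, 0x601000, 0x100, 0x100, 0x1000),
    ]
    if with_relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0x1000, 0x601000, 0x601000, 0x100, 0x100, 1))
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, little-endian, v1
    ehdr = struct.pack(EHDR_FMT, ident, e_type, EM_X86_64, 1, 0x400000, EHDR_SIZE, 0, 0,
                       EHDR_SIZE, PHDR_SIZE, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)


# Constructed samples: a hardened build and a legacy-style one.
HARDENED = build_sample(ET_DYN, PF_R | PF_W, with_relro=True, with_wx_load=False)
LEGACY = build_sample(ET_EXEC, PF_R | PF_W | PF_X, with_relro=False, with_wx_load=True)

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("legacy", LEGACY)):
        rep = audit_elf(image)
        print(name, rep, findings(rep) or ["no findings"])
```

Run against a real file with `audit_elf(open(path, "rb").read())`; the same four fields are what `readelf -l` shows under GNU_STACK, GNU_RELRO and the LOAD flags, so the output can be cross-checked by hand.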