Coming for Your Business. The only blog-related issue you may notice in the coming months involves a review of old blog posts. I recommend at least a month, but up to six months if you can manage it. Never pay for something until you can see it. We scan the large region we mapped to see whether any of the PTEs now point to pages other than our data file. We do this spraying by mmap()ing the same file repeatedly. In preparation for spraying page tables, we create a file in /dev/shm (a shared memory segment) that we will mmap() repeatedly. Do a second scan of address space to find a second virtual page that now points to somewhere other than our data file. Hopefully this is one of the page tables for our address space. We want each mapping to be at a 2MB-aligned virtual address, since each 4k page table covers a 2MB region of virtual address space. Again, for speed, we only need to check the Nth page within each 2MB chunk.

We only need to populate one PTE per page table: We know our bit flip hits the Nth PTE in a page table, so, for speed, we only fault in the Nth 4k page in each 2MB chunk. If that changes from 0 to 1 or from 1 to 0, the PTE will still point to a valid physical page. We write a marker value at the start of each 4k page in the file so that we can easily identify these pages later, when checking for PTE changes. If this changes from 0 to 1, that will produce a page number that’s bigger than the system’s physical memory, which isn’t useful for our exploit, so we can skip trying to use this bit flip. If we find aggressor/victim addresses where the bit flipped within the 64-bit word isn’t useful for the exploit, just skip that address set. We hammer the aggressor addresses. Having finished spraying, it’s hammer time.

For example, in order to diagnose a problem you are having with the Slack services, we may need to access your Customer Data. Having one’s name wrongly added to the Death Master File causes massive problems. At the same time, we want to keep the data file as small as possible so as not to waste memory that could instead be filled with page tables. A small town near the U.S.-Mexico border began cleaning up Monday, gripped by fear after the killing of 22 people in a ferocious weekend gunbattle between drug cartel members and security forces. When examining the greatest risks and needs in critical infrastructure sectors, the course authors looked carefully at the core security principles necessary for the range of tasks involved in supporting control systems on a daily basis. Ability to drive out of state when necessary while keeping in constant communication with dispatch. We can check for the marker value we wrote earlier. Now we can check whether PTEs changed exploitably.

Check the next post for thoughts on that. If we find a marker mismatch, then we have gained illicit access to a physical page. If we find no marker mismatches, our attempt failed (and we could retry). If we don’t find it, our attempt failed (and we could retry). Otherwise, munmap() all but the aggressor and victim pages and begin the exploit attempt. If not, our attempt failed (and we could retry). 2. We spray most of physical memory with page tables. We are now ready to spray memory with page tables. We now have write access to one of our process’s page tables. We could modify our process’s UID field. The Nth 64-bit field should look like a PTE (certain bits will be set or unset) and the rest should be zero. With the introduction of Teams, Snapshots, Clones, and other advances over the 3.x and 4.x lines, I look forward to learning how to make the best use of VMware in my classes and in testing scenarios.