ret2dir: Rethinking kernel isolation

Return-to-user (ret2usr) attacks redirect corrupted kernel pointers to data residing in user space. In response, sev-eral kernel-hardening approaches have been proposed to enforce a more strict address space separation, by pre-venting arbitrary control flow transfers and dereferences from kernel to user space. Intel and ARM also recently introduced hardware support for this purpose in the form of the SMEP, SMAP, and PXN processor features. Un-fortunately, although mechanisms like the above prevent the explicit sharing of the virtual address space among user processes and the kernel, conditions of implicit shar-ing still exist due to fundamental design choices that trade stronger isolation for performance. In this work, we demonstrate how implicit page frame sharing can be leveraged for the complete circumven-tion of software and hardware kernel isolation protec-tions. We introduce a new kernel exploitation technique, called return-to-direct-mapped memory (ret2dir), which bypasses all existing ret2usr defenses, namely SMEP, SMAP, PXN, KERNEXEC, UDEREF, and kGuard. We also discuss techniques for constructing reliable ret2dir exploits against x86, x86-64, AArch32, and AArch64 Linux targets. Finally, to defend against ret2dir attacks, we present the design and implementation of an exclu-sive page frame ownership scheme for the Linux ker-nel that prevents the implicit sharing of physical memory pages with minimal runtime overhead.