On Fri, Sep 13, 2024 at 05:07:46PM GMT, Maxwell Bland wrote:
> make a standard framework for EL2-based kernel protection open source, then we
> have a counter of the 29,000ish writable data structures, and well defined
> mechanisms for preventing malicious modification via write gadgets

Ugh, this is a complicated issue and I wrote this email quickly, let me
clarify, apologies:

1. I am worried about write gadgets (e.g. UAF + heap spray).

2. _Some_ modern exploits use write gadgets to modify read-only data (e.g.
   code pages); most target dynamic data, such as device struct pointers and
   kworker queues.

3. I'm working to build an open-source system that will reduce the ARM64
   kernel's threat surface for write gadgets to _just_ those targeting
   dynamic data.

4. After that point, there is still the issue of developing a verification
   framework for updates to approx. 29,000 dynamic data structures (based on
   our generated vmlinux) in the kernel. Attempts like ARM MTE are the most
   promising approaches so far.

That is, I'm suggesting empirically measuring the set of data structures
vulnerable to the write gadget stage of current exploits and then taking
steps to reduce the number of data structures, and the impact on those data
structures, that a write gadget can have.

Hopefully the above explanation will help remove some of the confusion
resulting from my poor writing.

Thanks,
Maxwell