Muli Ben-Yehuda's journal

April 26, 2005

catching up on my reading

Filed under: Uncategorized — Muli Ben-Yehuda @ 2:15 PM

Current reading: "Linux 2.6.x vsyscalls may be used as powerful attack vectors". The basic premise of this paper is that since each process has the vsyscall code mapped into its address space, and the vsyscall code is almost never changed, if you can figure out a way to jmp to it from your shellcode you can use various instructions there (or data bytes masquerading as instructions) to aid your shellcode. Makes sense, and the usual solutions apply – for example, randomization of the vsyscall page.
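
A defender-side check for the fixed-address premise above, as an added example that is not from the post or the paper: it parses `/proc/<pid>/maps` text from several processes and reports whether the kernel-provided page sits at the same address in all of them. The sample maps, their addresses and the function names are constructed for illustration; `[vdso]` and `[vsyscall]` are the labels current kernels use for these regions.

```python
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [name]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")
WATCHED = ("[vdso]", "[vsyscall]")

# Constructed excerpts: two processes on each of two hypothetical hosts.
FIXED_HOST = [
    "bffeb000-c0000000 rw-p 00000000 00:00 0 [stack]\n"
    "ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]\n",
    "bff9c000-c0000000 rw-p 00000000 00:00 0 [stack]\n"
    "ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]\n",
]
RANDOMIZED_HOST = [
    "b7f4a000-b7f4b000 r-xp 00000000 00:00 0 [vdso]\n"
    "bfa31000-bfa52000 rw-p 00000000 00:00 0 [stack]\n",
    "b7ee1000-b7ee2000 r-xp 00000000 00:00 0 [vdso]\n"
    "bfd10000-bfd31000 rw-p 00000000 00:00 0 [stack]\n",
]

def watched_pages(maps_text):
    """Return {name: (start_address, perms)} for the kernel-provided pages."""
    found = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m and m.group(4) in WATCHED:
            found[m.group(4)] = (int(m.group(1), 16), m.group(3))
    return found

def audit(process_maps):
    """A page is 'fixed' when every sampled process maps it at one address."""
    seen = {}
    for text in process_maps:
        for name, hit in watched_pages(text).items():
            seen.setdefault(name, []).append(hit)
    report = {}
    for name, hits in seen.items():
        addrs = {start for start, _ in hits}
        report[name] = {
            "addresses": sorted(hex(a) for a in addrs),
            "fixed": len(hits) > 1 and len(addrs) == 1,
            "executable": any("x" in perms for _, perms in hits),
        }
    return report

if __name__ == "__main__":
    print({"fixed": audit(FIXED_HOST), "randomized": audit(RANDOMIZED_HOST)})
```

On a live host, pass `audit()` the contents of `/proc/<pid>/maps` read from a few unrelated processes.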


  1. I think that gives me something to do on my next train ride.

    Comment by the_p0pe — April 26, 2005 @ 2:55 PM | Reply

    • Plenty more where that came from[1]; I’ll be posting them as I get to them.
      [1] that would be my “stuff to read” pile, of course.

      Comment by mulix — April 26, 2005 @ 3:11 PM | Reply

  2. PaX/GrSecurity
    That’s the reason PaX/GrSecurity disable vsyscalls.

    Comment by Anonymous — April 30, 2005 @ 12:49 AM | Reply
