Page Fault Liberation Army Or Better Security Through Trapping presented at Shmoocon 2013

by Sergey Bratus, Julian Bangert,

Summary : x86 processors contain a surprising amount of built-in memory translation logic, which is driven by various data tables with intricate entry formats, and can produce various kinds of traps and other interesting computational effects. These features are mostly relics of earlier, more civilized times, when Jedi Knights tried to protect the Old Republic OS’s with segmentation, supervisor bits, and hardware task support, but were defeated by processor de-optimizations and performance concerns and left unused by both Windows and UNIX systems – and explored only by hackers. While the rest of the world programs only the x86 CPU with the provided instructions, clever neighbours like the PaX team instead program the MMU to enforce security policy.
We will show that the MMU is in fact a Turing-complete processor in its own right and demonstrate some tools that help to unleash its computational power. Furthermore, we will show some design suggestions (and possibly a FPGA prototype) to make the virtual memory system more suitable and easier to use as an enforcer of runtime policy.

Sergey Bratus: Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He enjoys wireless and wired network hacking and tries to help fellow academics to understand its value and relevance. Before coming to Dartmouth, he worked on machine learning for natural text processing at BBN Technologies. He has a Ph.D. In Mathematics from Northeastern University.