15 May
2023
15 May
'23
2:28 p.m.
On 5/15/23 06:05, jeffxu@chromium.org wrote:
We're using PKU for in-process isolation to enforce control-flow integrity for a JIT compiler. In our threat model, an attacker exploits a vulnerability and has arbitrary read/write access to the whole process space concurrently to other threads being executed. This attacker can manipulate some arguments to syscalls from some threads.
This all sounds like it hinges on the contents of PKRU in the attacker thread.
Could you talk a bit about how the attacker is prevented from running WRPKRU, XRSTOR or compelling the kernel to write to PKRU like at sigreturn?