Abstract
The recently discovered Intel SYSRET privilege escalation vulnerability, CVE-2012-0217, can escalate privilege from user ring 3 to kernel ring 0 and affects many operating systems, such as Intel x64-based versions of Windows 7 and Windows Server 2008 R2. We compared the SYSRET instruction in the AMD instruction system with the one in the Intel instruction system, and summarized the Intel SYSRET privilege escalation procedure according to the Windows privilege ring structure, the IA-32 and IA-64 memory models, and the Intel IA-64 SYSCALL and SYSRET instructions. Finally, we discussed the CVE-2012-0217 vulnerability as a SYSRET privilege escalation.
This work is supported by the State Key Laboratory of Information Security (Institute of Software, Chinese Academy of Sciences) (04-02-1), the Shanghai Education Commission Innovation Foundation (11YZ192), the Shanghai Science and Technology Commission Key Program (11511504400), the National Natural Science Foundation of China under Grant (60903188), and the Natural Science Foundation of Shanghai City (No. 12ZR1411900).
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wang, Y., Tian, X., Xu, J., Chen, S., Yang, H. (2012). Intel SYSRET Privilege Escalation Vulnerability Analysis. In: Lei, J., Wang, F.L., Li, M., Luo, Y. (eds) Network Computing and Information Security. NCIS 2012. Communications in Computer and Information Science, vol 345. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35211-9_5
DOI: https://doi.org/10.1007/978-3-642-35211-9_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35210-2
Online ISBN: 978-3-642-35211-9
eBook Packages: Computer Science (R0)