ARM PAN
a year ago
- #PAN
- #ARM
- #security
- PAN (Privileged Access Never) is a CPU feature on ARM chips (A10 and later) that makes privileged (kernel) data accesses to userland memory fault.
- A bug was discovered where execute-only (--x) memory mappings do not trigger PAN, allowing kernel access to userland memory.
- The issue stems from the ARM specification: PAN decides whether a page counts as user memory from its read permission alone and ignores the execute permission (UXN bit), so a user execute-only page is not treated as user-accessible and the check never fires.
- Exploitability depends on the OS allowing execute-only mappings. Linux fixed this by disabling such mappings, but iOS may still be vulnerable.
- Potential exploits include fake vtables, ROP chains, or dereferencing 32-bit values, provided the memory is faulted in and signed.
- Possible fixes include updating the ARM spec, disabling execute-only mappings, or using Apple's APRR feature to strip permissions.
- Mitigations can conflict, as seen here with execute-only memory breaking PAN, highlighting the fragility of layered security measures.
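Added illustration, not part of the original note: a simplified C model of the AArch64 stage-1 descriptor bits that shows why PAN passes over a user execute-only page, and the mitigation the note attributes to Linux (refusing execute-only user mappings). The bit positions follow the ARMv8 descriptor layout, but the permission logic is deliberately reduced to the cases discussed above and the `harden_user_descriptor` policy is a hypothetical stand-in for the real kernel change.

```c
/* Simplified model of AArch64 stage-1 page permissions and PAN.
 * Bit positions match the ARMv8 descriptor: AP[2:1] = bits 7:6,
 * PXN = bit 53, UXN = bit 54. The permission rules are reduced to
 * what the note discusses; this is not a full page-table walker. */
#include <stdbool.h>
#include <stdint.h>

#define DESC_AP1 (1ULL << 6)   /* AP[1]: 1 = EL0 may read (user accessible) */
#define DESC_AP2 (1ULL << 7)   /* AP[2]: 1 = read-only */
#define DESC_PXN (1ULL << 53)  /* privileged execute-never */
#define DESC_UXN (1ULL << 54)  /* unprivileged (EL0) execute-never */

/* User execute-only page: EL1 read-only, EL0 no data access, UXN clear. */
#define USER_EXECONLY_DESC (DESC_AP2 | DESC_PXN)
/* Ordinary user read+execute page (what the mitigation produces). */
#define USER_RX_DESC       (DESC_AP1 | DESC_AP2 | DESC_PXN)
/* Kernel-only data page for comparison. */
#define KERNEL_RW_DESC     (DESC_UXN | DESC_PXN)

bool el0_can_read(uint64_t d)    { return (d & DESC_AP1) != 0; }
/* In this model EL0 instruction fetch is governed by UXN alone, so a
 * page with AP[1]=0 and UXN=0 is executable by code that cannot read it. */
bool el0_can_execute(uint64_t d) { return (d & DESC_UXN) == 0; }

/* PAN: a privileged *data* access faults only when PAN is on and the
 * page is user accessible, which the hardware derives from AP[1]. */
bool priv_data_access_allowed(uint64_t d, bool pan_enabled) {
    bool user_accessible = (d & DESC_AP1) != 0;
    return !(pan_enabled && user_accessible);
}

/* The gap: a page EL0 can run but PAN still lets the kernel read. */
bool pan_gap(uint64_t d) {
    return el0_can_execute(d) && !el0_can_read(d)
        && priv_data_access_allowed(d, true);
}

/* Hypothetical policy in the spirit of the Linux fix: promote any
 * execute-only user mapping to read+execute so AP[1]=1 and PAN applies. */
uint64_t harden_user_descriptor(uint64_t d) {
    if (el0_can_execute(d) && !el0_can_read(d))
        d |= DESC_AP1;
    return d;
}
```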