How Kernel Space Mirroring Attacks Bypass Android 8 Security and Enable God Mode

This article explains how Alibaba's Pandora Lab discovered a kernel space mirroring vulnerability in Android 8 that defeats PAN and KASLR defenses, allowing arbitrary kernel writes and full system compromise through precise page‑table manipulation and a single‑write primitive.

Alibaba Cloud Developer

Introduction

Alibaba Security Pandora Lab focuses on mobile security, especially iOS and Android. In March 2023 the team presented a talk titled “Kernel Space Mirroring Attack” at BlackHat Asia, showcasing a novel technique to break Android kernel isolation.

Background

Android 8 (Oreo) introduced security hardening features such as PAN (Privileged Access Never) and KASLR (Kernel Address Space Layout Randomization), making privilege escalation extremely challenging. The article first describes the ReVent generic ROOT method, which exploits a Linux kernel bug in the notification syscall that leads to a heap overflow and an arbitrary kernel write primitive.

The bug occurs because the kernel calculates a filename length, allocates a buffer of that size, and then copies the filename in separate steps; if the file is renamed to a longer name between the length calculation and the copy, the copy overruns the buffer and causes a heap overflow.

Bypassing Existing Defenses

Earlier Android versions could bypass PXN (Privileged Execute Never) by corrupting kernel data pointers. However, Android 8’s PAN prevents the kernel from accessing user‑space data, rendering the previous bypass ineffective.

By leveraging ARM MMU features and a carefully crafted heap layout, the researchers demonstrate how to achieve an almost‑arbitrary kernel write, which can be used to subvert both PXN and PAN.

Kernel Space Mirroring Attack

The attack relies on the classic three‑level page‑table hierarchy (PGD, PMD, PTE) of the Linux kernel. ARM processors use similar page‑table structures, with block and table descriptors that contain physical addresses and access‑permission bits.

By manipulating the descriptor bits, an attacker can create a page‑table entry whose output address points to a physical memory region that is simultaneously accessible from both user and kernel address spaces (the descriptor’s AP bits set to ‘01’, which permits read and write access from both privilege levels). This effectively mirrors a kernel virtual address into user space, allowing user‑mode code to modify kernel code and data.

Using the swapper_pg_dir base address and the kernel mirroring base, the required page‑table entry address can be calculated as:

swapper_pg_dir + (Kernel_Mirroring_Base / 1G) * 8

Once the entry is written, the attacker gains “God mode”: the kernel code becomes writable from user space, enabling arbitrary code execution without needing full root privileges.
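The descriptor check below is an added example, not code from the Pandora Lab talk or the article: it encodes the ARMv8 level‑1 descriptor fields and AP encoding the page refers to, computes the swapper_pg_dir entry offset from the formula above, and scans a copy of the PGD for the signature of a mirroring entry (a 1 GB block whose AP bits are ‘01’), which is the check a kernel integrity monitor would run. It assumes a 4 KB granule with 39‑bit virtual addresses (512 one‑gigabyte entries); the PGD contents are constructed, and `scan_constructed_sample` is a hypothetical helper.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ARMv8-A stage-1 level-1 descriptor fields (4 KB granule, 39-bit VA: each
 * swapper_pg_dir entry covers 1 GB). Layout per the ARM Architecture Manual. */
#define DESC_TYPE_MASK  0x3ULL
#define DESC_BLOCK      0x1ULL                 /* bits[1:0]=0b01: 1 GB block */
#define DESC_TABLE      0x3ULL                 /* bits[1:0]=0b11: next-level table */
#define DESC_AP_EL0     (1ULL << 6)            /* AP[1]: EL0 (user) may access */
#define DESC_AP_RO      (1ULL << 7)            /* AP[2]: read-only */
#define BLOCK_OA_MASK   0x0000FFFFC0000000ULL  /* 1 GB-aligned output address */
#define PGD_ENTRIES     512

/* Byte offset of the PGD entry for a kernel VA: the page's
 * swapper_pg_dir + (va / 1G) * 8, reduced mod 512 since only VA bits
 * [38:30] form the level-1 index. */
uint64_t pgd_entry_offset(uint64_t va) {
    return ((va >> 30) & (PGD_ENTRIES - 1)) * 8;
}

/* Mirroring signature: a valid block descriptor whose AP[2:1] is 0b01, i.e.
 * writable from EL1 and EL0. Table descriptors are skipped (bits[7:6] are not AP). */
int is_user_writable_block(uint64_t desc) {
    return (desc & DESC_TYPE_MASK) == DESC_BLOCK
        && (desc & DESC_AP_EL0) && !(desc & DESC_AP_RO);
}

/* Index of the first user-writable block in a PGD copy, or -1 if none. */
int find_mirroring_entry(const uint64_t *pgd, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (is_user_writable_block(pgd[i])) return (int)i;
    return -1;
}

/* Constructed sample (not a real dump): entry 0 a normal table, entry 1 a
 * kernel-only block (AP=00, not flagged), entry 2 a block with AP=01. */
int scan_constructed_sample(uint64_t *out_desc) {
    uint64_t pgd[PGD_ENTRIES] = {0};
    pgd[0] = 0x80001000ULL | DESC_TABLE;
    pgd[1] = 0x80000000ULL | DESC_BLOCK;
    pgd[2] = 0x80000000ULL | DESC_BLOCK | DESC_AP_EL0;
    int idx = find_mirroring_entry(pgd, PGD_ENTRIES);
    if (idx >= 0 && out_desc) *out_desc = pgd[idx];
    return idx;
}
int main(void) {
    uint64_t desc = 0;
    int idx = scan_constructed_sample(&desc);
    printf("first mirroring entry: %d (exposes PA 0x%llx..+1GB to EL0)\n",
           idx, (unsigned long long)(desc & BLOCK_OA_MASK));
    return 0;
}
```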

Demonstration

The article includes images of the exploit flow and a proof‑of‑concept that modifies kernel data structures to patch kernel code directly from user space, effectively bypassing Android 8’s PXN and PAN protections.

Conclusion

Kernel space mirroring not only defeats Android 8’s major defenses but also revives low‑severity vulnerabilities (e.g., CVE‑2017‑0583) by granting them kernel‑level impact. The authors urge hardware designers to consider security at the architectural level to prevent such attacks.
