Hi! > > On 22 Nov 2017, at 23:37, Pavel Machek <pa...@ucw.cz> wrote: > > > > Hi! > > > >>>>> If I'm willing to do timing attacks to defeat KASLR... what prevents > >>>>> me from using CPU caches to do that? > >>>>> > >>>> > >>>> Because it is impossible to get a cache hit on an access to an > >>>> unmapped address? > >>> > >>> Um, no, I don't need to be able to directly access kernel addresses. I > >>> just put some data in _same place in cache where kernel data would > >>> go_, then do syscall and look if my data are still cached. Caches > >>> don't have infinite associativity. > >>> > >> > >> Ah ok. Interesting. > >> > >> But how does that leak address bits that are covered by the tag? > > > > Same as leaking any other address bits? Caches are "virtually > > indexed", > > Not on arm64, although I don’t see how that is relevant if you are trying to > defeat kaslr. > > > and tag does not come into play... > > > > Well, I must be missing something then, because I don’t see how knowledge > about which userland address shares a cache way with a kernel address can > leak anything beyond the bits that make up the index (i.e., which cache way > is being shared) >
Well, KASLR is about keeping bits of kernel virtual address secret from userland. Leaking them through cache sidechannel means KASLR is defeated. > > Maybe this explains it? > > > > No not really. It explains how cache timing can be used as a side channel, > not how it defeats kaslr. Ok, look at this one: https://www.blackhat.com/docs/us-16/materials/us-16-Jang-Breaking-Kernel-Address-Space-Layout-Randomization-KASLR-With-Intel-TSX-wp.pdf You can use timing instead of TSX, right? Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
signature.asc
Description: Digital signature
