On 10/19/2018 12:57 AM, Peter Zijlstra wrote:
> On Wed, Oct 17, 2018 at 10:59:28AM -0700, Tim Chen wrote:
>> Application to application exploit is in general difficult due to address
>> space layout randomization in applications and the need to know an
>
> Does the BTB attack on KASLR not work for userspace?
>
With KASLR, you can probe the kernel mapped and unmapped addresses with side channels like the TLB and infer the kernel mapping offsets much more easily, as the kernel is in the same address space as the attacking process. It is a lot harder to do such probing from another process that doesn't share the same page tables.

Tim