On Fri, Oct 19, 2018 at 09:43:35AM -0700, Tim Chen wrote:
> On 10/19/2018 12:57 AM, Peter Zijlstra wrote:
> > On Wed, Oct 17, 2018 at 10:59:28AM -0700, Tim Chen wrote:
> >> Application to application exploit is in general difficult due to address
> >> space layout randomization in applications and the need to know an
> >
> > Does the BTB attack on KASLR not work for userspace?
> >
>
> With KASLR, you can probe the kernel mapped and unmapped
> addresses with side channels like TLB and infer the kernel mapping
> offsets much more easily, as the kernel is in the same address
> space as the attack process. It is a lot harder to do
> such probing from another process that doesn't share the
> same page tables.
I said BTB; see: http://www.cs.binghamton.edu/~dima/micro16.pdf

From what I understood, local ASLR (of any kind) is a pipe dream.