* Pavel Machek <pa...@ucw.cz> wrote:

> On Mon 2017-09-25 09:33:42, Ingo Molnar wrote:
> >
> > * Pavel Machek <pa...@ucw.cz> wrote:
> >
> > > > For example, there would be collision with regular user-space mappings,
> > > > right?
> > > > Can local unprivileged users use mmap(MAP_FIXED) probing to figure out
> > > > where the kernel lives?
> > >
> > > Local unprivileged users can probably get your secret bits using cache
> > > probing and jump prediction buffers.
> > >
> > > Yes, you don't want to leak the information using mmap(MAP_FIXED), but
> > > CPU will leak it for you, anyway.
> >
> > Depends on the CPU I think, and CPU vendors are busy trying to mitigate
> > this angle.
>
> I believe any x86 CPU running Linux will leak it. And with CPU vendors
> putting "artificial intelligence" into branch prediction, no, I don't
> think it is going to get better.
>
> That does not mean we should not prevent mmap() info leak, but...

That might or might not be so, but there's a world of a difference between
running a relatively long statistical attack figuring out the kernel's
location, versus being able to programmatically probe the kernel's location
by using large MAP_FIXED user-space mmap()s, within a few dozen microseconds
or so and a 100% guaranteed, non-statistical result.

Thanks,

	Ingo