Ernestas Poškus

Technical blog



Attacking Branch Predictors to Bypass ASLR



Address Space Layout Randomization

ASLR is a widely used technique that protects systems against a range of attacks.

ASLR works by randomizing the offset of key program segments in virtual memory, making it difficult for an attacker to derive the addresses of specific code objects and consequently redirect the control flow to this code.

The purpose of ASLR is to make it difficult, if not impossible, for the attacker to know the location of specific code pages in the program's address space.
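A defender's first question about ASLR is whether it is actually taking effect for a given binary. The script below is an added example (not code from the post or from the paper it summarizes): it parses mappings in the Linux `/proc/<pid>/maps` format, takes the base address of each named segment from two separate runs, and counts how many address bits differ. A segment whose base is identical across runs is not being randomized. The two embedded map excerpts are constructed sample values, not real captures; on Linux the script also reads live maps from two fresh child interpreters.

```python
import re
import subprocess
import sys

# Constructed sample: two /proc/<pid>/maps excerpts as if taken from two runs
# of the same program. Addresses are illustrative, not real captures.
RUN_A = """\
55d3c4a00000-55d3c4a02000 r--p 00000000 08:01 1234 /usr/bin/demo
7f1a2b400000-7f1a2b428000 r--p 00000000 08:01 5678 /usr/lib/libc.so.6
7ffd6c1e0000-7ffd6c201000 rw-p 00000000 00:00 0    [stack]
"""
RUN_B = """\
5610a7c00000-5610a7c02000 r--p 00000000 08:01 1234 /usr/bin/demo
7f9c01000000-7f9c01028000 r--p 00000000 08:01 5678 /usr/lib/libc.so.6
7ffc3a7d0000-7ffc3a7f1000 rw-p 00000000 00:00 0    [stack]
"""

# Fields of a maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(text):
    """Return {pathname: lowest start address} for every named mapping."""
    bases = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        start, _end, _perms, name = m.groups()
        name = name.strip()
        if not name:  # anonymous mapping, nothing stable to compare
            continue
        addr = int(start, 16)
        bases[name] = min(addr, bases.get(name, addr))
    return bases


def randomized_bits(a, b):
    """Number of address bits that differ between two runs' bases (0 = not randomized)."""
    return bin(a ^ b).count("1")


def compare_runs(maps_a, maps_b):
    """Per-segment (base_a, base_b, differing_bits) for segments present in both runs."""
    ba, bb = parse_maps(maps_a), parse_maps(maps_b)
    return {name: (ba[name], bb[name], randomized_bits(ba[name], bb[name]))
            for name in ba if name in bb}


def live_maps():
    """Read /proc/self/maps from a fresh child interpreter (Linux only); None elsewhere."""
    cmd = [sys.executable, "-c", "print(open('/proc/self/maps').read())"]
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    a, b = live_maps(), live_maps()
    if a is None or b is None:
        print("no /proc/self/maps available; using the constructed sample")
        a, b = RUN_A, RUN_B
    for name, (base_a, base_b, bits) in compare_runs(a, b).items():
        status = "randomized" if bits else "FIXED"
        print(f"{name:40s} {base_a:#018x} {base_b:#018x} {bits:2d} bits {status}")
```

A segment reported as FIXED is the one to investigate: typically a non-PIE executable (its text and data land at the linker's fixed address regardless of `randomize_va_space`), which is exactly the situation that makes ROP/JOP gadgets addressable without any information leak.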

The paper exploits collisions in the shared BTB to build a BTB side channel that lets an attacker process recover the memory layout of both the kernel and user-level applications.

Notes

ASLR - address space layout randomization

BTB - branch target buffer

ROP - return oriented programming

KASLR - Kernel ASLR

JOP - jump oriented programming

SDC - same domain collisions

PDE - page directory entry