Ernestas Poškus

Technical blog

"We must view with profound respect the infinite capacity of the human mind to resist the introduction of useful knowledge." - Thomas R. Lounsbury


Attacking Branch Predictors to Bypass ASLR



Address Space Layout Randomization

ASLR is a widely used technique that protects systems against a range of memory-corruption attacks.

ASLR works by randomizing the offset of key program segments in virtual memory, making it difficult for an attacker to derive the addresses of specific code objects and consequently redirect the control flow to this code.

The purpose of ASLR is to make it difficult, if not impossible, for the attacker to know the location of specific code pages in the program's address space.
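A practical way to see what "randomizing the offset of key program segments" means, and to check that it actually happened, is to compare the memory maps of two runs of the same binary: every object that ASLR covers should land at a different base, and anything that stays put is a candidate gap (for example a main executable that was not built position-independent). The script below is an added example written for this summary, not code from the paper; it parses two constructed sets of `/proc/<pid>/maps` lines for a hypothetical `/usr/bin/demo` binary and reports which regions moved.

```python
"""Compare two /proc/<pid>/maps snapshots of the same program to verify ASLR.

Each mapping line has the form:
  start-end perms offset dev inode [pathname]
We keep the lowest start address seen per object and compare it across runs.
"""
import re
from collections import OrderedDict

MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)

# Regions the kernel maps at a fixed address by design (x86-64 vsyscall page),
# so their not moving is expected and not an ASLR weakness.
KNOWN_FIXED = {"[vsyscall]"}

# Constructed sample data: two runs of a hypothetical non-PIE binary with
# ASLR enabled. Heap, libc and stack move; the executable itself does not.
RUN_A = """
00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo
00601000-00602000 rw-p 00001000 08:01 1234 /usr/bin/demo
01a2c000-01a4d000 rw-p 00000000 00:00 0 [heap]
7f3b2c1e0000-7f3b2c3a0000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd5a3c1000-7ffd5a3e2000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
"""

RUN_B = """
00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo
00601000-00602000 rw-p 00001000 08:01 1234 /usr/bin/demo
0215f000-02180000 rw-p 00000000 00:00 0 [heap]
7fa91e7c0000-7fa91e980000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffc1d9a4000-7ffc1d9c5000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
"""


def parse_maps(text):
    """Return an ordered dict {object label: lowest start address} from maps text."""
    regions = OrderedDict()
    for line in text.strip().splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a mapping line
        label = m.group("path").strip() or "[anon]"
        start = int(m.group("start"), 16)
        # The first line for an object is its lowest mapping, i.e. its base.
        regions.setdefault(label, start)
    return regions


def compare_layouts(maps_a, maps_b):
    """For each object present in both runs, report whether its base moved
    and how many address bits differ (a crude indicator of entropy used)."""
    a, b = parse_maps(maps_a), parse_maps(maps_b)
    report = OrderedDict()
    for label, base_a in a.items():
        if label not in b:
            continue
        delta = base_a ^ b[label]
        report[label] = {
            "moved": delta != 0,
            "differing_bits": bin(delta).count("1"),
        }
    return report


def unrandomized_regions(maps_a, maps_b):
    """All objects whose base address was identical in both runs."""
    return [label for label, r in compare_layouts(maps_a, maps_b).items()
            if not r["moved"]]


def aslr_gaps(maps_a, maps_b):
    """Unrandomized objects that are NOT expected to be fixed: these are the
    ones an attacker would not need a leak to locate."""
    return [label for label in unrandomized_regions(maps_a, maps_b)
            if label not in KNOWN_FIXED]


if __name__ == "__main__":
    for label, r in compare_layouts(RUN_A, RUN_B).items():
        state = "randomized" if r["moved"] else "FIXED"
        print(f"{label:45s} {state:10s} bits differing: {r['differing_bits']}")
    print("ASLR gaps:", aslr_gaps(RUN_A, RUN_B))
```

On a real system the two snapshots come from `cat /proc/<pid>/maps` for two separate launches of the same program; a main executable that shows up in `aslr_gaps` is the signal to rebuild it as a PIE, since a fixed-address code segment hands an attacker exactly the knowledge ASLR is meant to withhold.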

The paper exploits collisions in shared BTBs to create BTB side channels that allow an attacker process to recover the memory layout of both the kernel and user-level applications.

Notes

ASLR - address space layout randomization

BTB - branch target buffer

ROP - return oriented programming

KASLR - Kernel ASLR

JOP - jump oriented programming

SDC - same domain collisions

PDE - page directory entry