Technical blog
ASLR is a widely used technique that protects systems against a range of attacks.
ASLR works by randomizing the offset of key program segments in virtual memory, making it difficult for an attacker to derive the addresses of specific code objects and consequently redirect the control flow to this code.
The purpose of ASLR is to make it difficult, if not impossible, for the attacker to know the location of specific code pages in the program's address space.
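To see the randomization described above, and to check which segments it actually covers, the following added example (not from the original post) compares two `/proc/<pid>/maps` snapshots of the same program. The snapshots, addresses, and function names are constructed for illustration and model a non-PIE executable, whose code segment stays at a fixed address even when ASLR is enabled.

```python
# Constructed /proc/<pid>/maps excerpts from two hypothetical runs of the same
# non-PIE binary. All paths and addresses are made up for illustration.
RUN_A = """\
00400000-00452000 r-xp 00000000 08:01 131 /opt/demo/app
01c3b000-01c5c000 rw-p 00000000 00:00 0 [heap]
7f3a1c200000-7f3a1c3c0000 r-xp 00000000 08:01 977 /lib/x86_64-linux-gnu/libc.so.6
7ffd5b1e4000-7ffd5b205000 rw-p 00000000 00:00 0 [stack]
"""
RUN_B = """\
00400000-00452000 r-xp 00000000 08:01 131 /opt/demo/app
00e91000-00eb2000 rw-p 00000000 00:00 0 [heap]
7f81e4600000-7f81e47c0000 r-xp 00000000 08:01 977 /lib/x86_64-linux-gnu/libc.so.6
7ffc9e7a1000-7ffc9e7c2000 rw-p 00000000 00:00 0 [stack]
"""


def parse_maps(text):
    """Return {mapping name: lowest start address} for one maps snapshot."""
    bases = {}
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue  # not a maps line
        name = fields[5].strip() if len(fields) == 6 else "[anon]"
        start = int(fields[0].split("-")[0], 16)
        bases[name] = min(start, bases.get(name, start))
    return bases


def compare_runs(run_a, run_b):
    """Return {name: (moved, xor_of_bases)} for mappings present in both runs."""
    a, b = parse_maps(run_a), parse_maps(run_b)
    return {n: (a[n] != b[n], a[n] ^ b[n]) for n in a if n in b}


def fixed_segments(run_a, run_b):
    """Mappings whose base did not change between runs (not randomized)."""
    cmp = compare_runs(run_a, run_b)
    return sorted(n for n, (moved, _) in cmp.items() if not moved)


if __name__ == "__main__":
    for name, (moved, diff) in compare_runs(RUN_A, RUN_B).items():
        # The XOR shows which address bits differed between the two runs.
        print(f"{name:40} moved={moved!s:5} differing bits={diff:#x}")
    print("not randomized:", fixed_segments(RUN_A, RUN_B))
```

Any segment reported as not randomized gives an attacker a known address without needing a leak, which is why binaries are normally built position-independent.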
The attack exploits collisions in shared BTBs to create BTB side channels, which allow the attacker process to recover the memory layout of both the kernel and user-level applications.
ASLR - address space layout randomization
BTB - branch target buffer
ROP - return oriented programming
KASLR - Kernel ASLR
JOP - jump oriented programming
SDC - same domain collisions
PDE - page directory entry