Ernestas Poškus

Technical blog

"We must view with profound respect the infinite capacity of the human mind to resist the introduction of useful knowledge." - Thomas R. Lounsbury

| github | goodreads | linkedin | twitter |

ansible 2 / elasticsearch 2 / kernel 2 / leadership 1 / linux 2 / mnemonics 1 / nginx 1 / paper 40 / personal 5 / rust 1 / tools 2 /

Attacking Branch Predictors to Bypass ASLR

WC 140 / RT 1min

Address Space Layout Randomization

ASLR is widely used technique that protects systems against range of attacks.

ASLR works by randomizing the offset of key program segments in virtual memory, making it difficult for an attacker to derive the addresses of specific code objects and consequently redirect the control flow to this code.

Purpose of ASLR is to make it difficult, if not impossible, for the attacker to know the location of specific code pages in program address space.

Exploited collisions in shared BTBs to create BTB side-channels and allow the attacker process to recover the memory layout of both the kernel and user-level applications.


ASLR - address space layout randomization

BTB - branch target buffer

ROP - return oriented programming


JOP - jump oriented programming

SDC - same domain collisions

PDE - page directory entry