Re: [Patch v3 00/13] Provide process property based options to enable Spectre v2 userspace-userspace protection

From: Peter Zijlstra
Date: Fri Oct 19 2018 - 14:38:53 EST


On Fri, Oct 19, 2018 at 09:43:35AM -0700, Tim Chen wrote:
> On 10/19/2018 12:57 AM, Peter Zijlstra wrote:
> > On Wed, Oct 17, 2018 at 10:59:28AM -0700, Tim Chen wrote:
> >> Application to application exploit is in general difficult due to address
> >> space layout randomization in applications and the need to know an
> >
> > Does the BTB attack on KASLR not work for userspace?
> >
>
> With KASLR, you can probe the kernel mapped and unmapped
> addresses with side channels like TLB and infer the kernel mapping
> offsets much more easily, as kernel is in the same address
> space as the attack process. It is a lot harder to do
> such probing from another process that doesn't share the
> same page tables.

I said BTB; see: http://www.cs.binghamton.edu/~dima/micro16.pdf

From what I understood, local ASLR (of any kind) is a pipe dream.