2

In the official Meltdown paper, the authors broke KASLR in 128 steps at worst. I am unable to understand how they came down to that number.

Paper for reference

yolob 21
  • 123
  • 3
  • 1
    Possible duplicate of [Meltdown and Spectre Vulnerabilities](https://security.stackexchange.com/questions/176803/meltdown-and-spectre-vulnerabilities) – Xiong Chiamiov Jan 30 '18 at 19:46
  • Or if not a duplicate, please describe what you understand about the attack so we can get to a specific question. – Xiong Chiamiov Jan 30 '18 at 19:46
  • @XiongChiamiov I understood that the Meltdown attack involves breaking KASLR and doing a flush+reload attack to exploit the microarchitectural vulnerabilities present in current processors. I understand that KASLR can be broken either by brute-forcing through it or by some information leak (a side-channel attack via cache access times). What I didn't understand was the math behind 128 steps at worst for breaking KASLR – yolob 21 Jan 31 '18 at 12:08

1 Answer

4

KASLR (Kernel Address Space Layout Randomization) is a technique for making it harder for an attacker to exploit a vulnerability that they've found. Instead of placing kernel data structures in predictable locations, they get scattered around at random, so an attacker needs to spend time looking for their target data before they can use it.

A 64-bit computer has 2^64 possible memory addresses. This is far more space than anyone can use right now, so to keep things simple, only a few of the addresses are made available -- for current CPUs, typically 2^40 addresses.

The number of "bits" of randomization is a measure of how many places there are that something could end up in. With 40 bits of randomization, that's 1,099,511,627,776 possible locations -- if the attacker is looking for a small piece of data such as the root password, they're probably not going to find it before the attack gets stopped.

In the case of Meltdown, though, the target is "a complete copy of physical RAM". This occupies a single continuous block that overlaps many of the possible locations that it could be placed at: in the case of 8 GB of RAM, the equivalent of 33 bits worth of locations. With 40 bits of available addresses, this leaves only 7 bits for randomizing the location. After at most 2^7 = 128 probes, the attack has found its target and can start reading memory.

Mark
  • 34,513
  • 9
  • 86
  • 135
  • how does the attacker distinguish between kernelspace and userspace memory? Is all userspace memory for all processes mapped into kernel memory? – yolob 21 Jan 31 '18 at 14:07
  • @yolob21, in Linux, kernelspace is the upper half of the address space, while userspace is the lower half. – Mark Jan 31 '18 at 19:22
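The arithmetic in the answer above, written out as a small model so the 128 can be checked rather than taken on trust. This is an added example, not code from the question, the answer, or the Meltdown paper: it assumes a 40-bit window, a contiguous block the size of physical RAM placed at a page-aligned random offset inside that window, and a probe sequence whose stride equals the block size. The function and constant names (`worst_case_probes`, `probes_to_hit`, `PAGE`, and so on) are illustrative, and the page granularity is a constructed assumption of the model.

```python
# Added example: models the KASLR entropy argument from the answer.
# Not the paper's code and not a measurement technique; it only counts
# candidate positions. Names and the PAGE granularity are assumptions.
import math
import random

PAGE = 4096  # assumed granularity of the random offset (constructed model)


def worst_case_probes(window_bits: int, ram_bytes: int) -> int:
    """Probes needed in the worst case when probing the window at stride ram_bytes.

    2^40 / 2^33 = 2^7 = 128 for a 40-bit window and 8 GB of RAM.
    """
    return math.ceil((1 << window_bits) / ram_bytes)


def remaining_entropy_bits(window_bits: int, ram_bytes: int) -> float:
    """Bits of randomization left once the block's own size eats the rest."""
    return window_bits - math.log2(ram_bytes)


def probes_to_hit(window_bits: int, ram_bytes: int, block_start: int) -> int:
    """Count probes at addresses 0, ram_bytes, 2*ram_bytes, ... until one lands
    inside the block [block_start, block_start + ram_bytes).

    Because the stride equals the block size, some probe address always falls
    inside the block, so the count is at most worst_case_probes().
    """
    window = 1 << window_bits
    if block_start < 0 or block_start + ram_bytes > window:
        raise ValueError("block must lie inside the window")
    count = 0
    for addr in range(0, window, ram_bytes):
        count += 1
        if block_start <= addr < block_start + ram_bytes:
            return count
    raise AssertionError("unreachable: stride == block size guarantees a hit")


def simulate_worst(window_bits: int, ram_bytes: int, trials: int = 1000, seed: int = 1) -> int:
    """Place the block at a random page-aligned offset `trials` times and report
    the largest probe count seen. It never exceeds worst_case_probes()."""
    rng = random.Random(seed)
    max_offset = (1 << window_bits) - ram_bytes
    worst = 0
    for _ in range(trials):
        start = rng.randrange(0, max_offset // PAGE + 1) * PAGE
        worst = max(worst, probes_to_hit(window_bits, ram_bytes, start))
    return worst


if __name__ == "__main__":
    for gib in (4, 8, 16, 64):
        ram = gib << 30
        print(f"{gib:3d} GB RAM: {remaining_entropy_bits(40, ram):.0f} bits left, "
              f"worst case {worst_case_probes(40, ram)} probes, "
              f"simulated worst {simulate_worst(40, ram)}")
```

Running it shows the answer's point from the other direction: doubling RAM removes one bit of randomization and halves the worst-case probe count, so the effective entropy of the direct-physical map is set by the machine's RAM size, not by the 40-bit window.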