Readit News
barbito commented on Inception: A simple XOR can cause a Microarchitectural Stack Overflow   comsec.ethz.ch/research/m... · Posted by u/ndesaulniers
dtx1 · 2 years ago
What's the security implication of leaking the root hash?
barbito · 2 years ago
It's just an example. If you can leak kernel memory you leak every process's memory. So for example you can leak the content of a running browser.
barbito commented on FloatZone: Accelerating Memory Error Detection Using the Floating Point Unit [pdf]   download.vusec.net/papers... · Posted by u/luu
moonchild · 2 years ago
Very cute! A related trick—which I believe has been used by at least one gc's read barrier—is to turn a branch into a load from an address which will be unmapped iff the branch should be taken.
barbito · 2 years ago
I didn't understand the idea. Can you please provide more details?
barbito commented on FloatZone: Accelerating Memory Error Detection Using the Floating Point Unit [pdf]   download.vusec.net/papers... · Posted by u/luu
bruce343434 · 2 years ago
What happens when the actual data itself is also 0x8b8b8b8b?
barbito · 2 years ago
That is a very good question!

In a nutshell we use a probabilistic approach.

Whenever we get an FP exception due to a 0x8b8b8b8b we do the following:

1. We recover the address of the memory that caused the fault (i.e. the address where 8b8b8b8b is stored)

2. We start to count how many adjacent 8b there are. If we count at least 16 of them we know it's very likely our redzone

3. Finally we use what we call the "0x89 trick": the first byte of the redzone must be 89 (so a redzone looks like 898b8b8b...). If we also find this start marker then we are confident it's not a false positive.

Of course there can still be some false positives, however in programs it is not that common to have the value 898b8b8b8b8b8b8b8b8b8b8b8b8b8b8b in memory.

This check is really expensive, however the nice property is that we get so few exceptions that in the end even if we waste a lot of time verifying for false positives the overhead is negligible.
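The three-step verification barbito describes, written out as an added C example; this is not code from the paper or the FloatZone project. The names `rz_verify` and `rz_demo`, the `RZ_MIN_RUN` threshold of 16, and the `base`/`len` bounds that keep the scan inside a known readable region are assumptions of this example (the real runtime would bound the scan with its own bookkeeping of poisoned ranges), and the buffers in `rz_demo` are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RZ_FILL    0x8b   /* redzone filler byte that makes the FP unit raise an exception */
#define RZ_START   0x89   /* start marker: the first byte of every redzone ("0x89 trick") */
#define RZ_MIN_RUN 16     /* adjacent 0x8b bytes needed before the run is believed to be a redzone (assumed) */

enum rz_verdict {
    RZ_NOT_REDZONE = 0,      /* too few 0x8b bytes: treat the exception as a false positive */
    RZ_LIKELY_REDZONE = 1,   /* long 0x8b run, but no 0x89 start marker in front of it */
    RZ_CONFIRMED_REDZONE = 2 /* long 0x8b run preceded by the 0x89 start marker */
};

/* Step 1 is the caller's job: `fault` is the address of the 0x8b8b8b8b word that raised
   the FP exception. `base`/`len` delimit memory the scan may read (assumption for this
   example, so the loops never walk off the end of a mapping). */
enum rz_verdict rz_verify(const uint8_t *base, size_t len, const uint8_t *fault)
{
    if (fault < base || fault >= base + len || *fault != RZ_FILL)
        return RZ_NOT_REDZONE;

    /* Step 2: count adjacent 0x8b bytes on both sides of the faulting address. */
    const uint8_t *lo = fault;
    while (lo > base && lo[-1] == RZ_FILL) lo--;
    const uint8_t *hi = fault;
    while (hi < base + len && *hi == RZ_FILL) hi++;
    if ((size_t)(hi - lo) < RZ_MIN_RUN)
        return RZ_NOT_REDZONE;

    /* Step 3: the byte right before the run must be the 0x89 start marker. */
    if (lo > base && lo[-1] == RZ_START)
        return RZ_CONFIRMED_REDZONE;
    return RZ_LIKELY_REDZONE;
}

/* Constructed scenarios: a 64-byte buffer of 'A' with different patterns at offset 8,
   always "faulting" at offset 12. Returns the verdict as an int. */
int rz_demo(int scenario)
{
    uint8_t buf[64];
    memset(buf, 'A', sizeof buf);
    switch (scenario) {
    case 0: /* real redzone: 0x89 followed by 31 bytes of 0x8b */
        buf[8] = RZ_START;
        memset(buf + 9, RZ_FILL, 31);
        break;
    case 1: /* long 0x8b run with no start marker in front of it */
        memset(buf + 9, RZ_FILL, 31);
        break;
    case 2: /* only four 0x8b bytes: ordinary data that happened to look like the poison */
        memset(buf + 9, RZ_FILL, 4);
        break;
    default:
        return -1;
    }
    return (int)rz_verify(buf, sizeof buf, buf + 12);
}

int main(void)
{
    const char *names[] = { "not a redzone", "likely redzone", "confirmed redzone" };
    for (int s = 0; s < 3; s++)
        printf("scenario %d: %s\n", s, names[rz_demo(s)]);
    return 0;
}
```

The scan is deliberately linear and unhurried: as the comment explains, it only runs after an FP exception, and those are rare enough that its cost does not matter. The case the comment concedes remains: legitimate data that happens to hold 0x89 followed by sixteen or more 0x8b bytes is classified as a confirmed redzone, because nothing in the bytes themselves distinguishes it.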

barbito commented on FloatZone: Accelerating Memory Error Detection Using the Floating Point Unit [pdf]   download.vusec.net/papers... · Posted by u/luu
barbito · 2 years ago
Hey! One of the authors here. If you prefer we made a short summary of the paper here: https://www.vusec.net/projects/floatzone/

Feel free to ask if you have any doubts.

barbito commented on Float Toy   evanw.github.io/float-toy... · Posted by u/agomez314
barbito · 3 years ago
During my research projects I used this website incredibly often. I even cited it in one of my papers :)

u/barbito · Karma: 16 · Cake day: June 9, 2021