undefined | Better HN

0 pointscaf8y ago0 comments

They test how a series of branches are predicted after returning from a hypercall, which lets them basically dump out the state of the BTB. From that, and knowledge of where the branches are in the hypervisor binary (the binaries themselves aren't really a secret, only the relocated load address is) they can figure out the load address of the hypervisor.

See the section "Reading host memory from a KVM guest / Locating the host kernel". It's terribly clever.

0 comments

tankenmate8y ago

But if you use AMD ASID it blocks this as memory mappings for VM guests are in a completely separate address space.

What I was wondering was for local OS user mode to local OS root / kernel mode access; i.e. user to kernel privilege escalation.

cafOP8y ago

It isn't obvious at all how a separate address space would block that method.

What would block it is flushing the branch predictor state when switching privilege levels and/or address spaces.

loulan8y ago

I've tried reading it and I still find all of this very confusing. Could you ELI5?

1 more reply

j / k navigate · click thread line to collapse