On Wed, Sep 20, 2017 at 05:28:11PM -0700, Dave Hansen wrote: > At a high level, does this approach keep an attacker from being able to > determine the address of data in the linear map, or does it keep them > from being able to *exploit* it?
It keeps them from exploiting it, by faulting when a physmap alias is used. > Can you have a ret2dir attack if the attacker doesn't know the > address, for instance? Yes, through a technique similar to heap spraying. The original paper has a study of this, section 5.2 outlines the attack and 7.2 describes their success rate: http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf Tycho
