On Thu, Jan 11, 2018 at 10:57:51AM -0800, Dave Hansen wrote:
> On 01/11/2018 10:51 AM, Linus Torvalds wrote:
> > On Thu, Jan 11, 2018 at 10:38 AM, Dave Hansen
> > <[email protected]> wrote:
> >> On 01/11/2018 10:32 AM, Josh Poimboeuf wrote:
> >>>> hmm. Exposing cr3 to user space will make it trivial for user process
> >>>> to know whether kpti is active. Not sure how exploitable such
> >>>> information leak.
> >>> It's already trivial to detect PTI from user space.
> >> Do tell.
> > One way to do it is to just run the attack, and see if you get something.
>
> Not judging how trivial (or not) the attack is, I was hoping for
> something that was *not* the attack itself. :)
>
> I'd love to have a tool that tells you for sure "KPTI enabled or not",
> but I'd also love to have it be something I can easily distribute
> without it being handled like a WMD.
Instead of the meltdown attack, why not just run the KASLR attack, with
prefetches + cache timing? Something like this (I haven't tested it though):

  https://github.com/IAIK/prefetch/blob/master/addrspace/addrspace.c

Andrea also created such a tool, but IIRC, it requires knowing a kernel
address, so it wouldn't work with KASLR. It could probably be extended to
scan kernel space until it finds something.

We could maybe even add such a tool to the kernel tree.

-- 
Josh
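As an added example (not code from this thread or from the kernel tree), here is the kind of "is KPTI on or not" check that can be handed to an administrator without any timing side channel: it asks the kernel directly, via the `meltdown` entry under `/sys/devices/system/cpu/vulnerabilities/` and the `pti` flag in `/proc/cpuinfo`. The file paths are parameters so the functions can be exercised against constructed input; the default paths assume a Linux kernel recent enough to expose that sysfs reporting.

```shell
#!/bin/sh
# Added example: report KPTI status from the kernel's own reporting
# interfaces instead of probing the address space. Not part of the
# original mail thread.
#
# Assumptions: a Linux kernel that provides
#   /sys/devices/system/cpu/vulnerabilities/meltdown
# and lists "pti" among the CPU flags in /proc/cpuinfo when page table
# isolation is active.

# Classify the meltdown sysfs entry.
# Prints one of: enabled | disabled | not-affected | unknown
kpti_from_sysfs() {
    file=${1:-/sys/devices/system/cpu/vulnerabilities/meltdown}
    [ -r "$file" ] || { echo unknown; return 0; }
    status=$(cat "$file")
    case "$status" in
        "Mitigation: PTI"*) echo enabled ;;
        "Vulnerable"*)      echo disabled ;;
        "Not affected"*)    echo not-affected ;;
        *)                  echo unknown ;;
    esac
}

# Fallback for kernels without the sysfs entry: look for the "pti"
# CPU flag. A missing flag is weaker evidence than sysfs, since an
# older kernel may simply not report it.
# Prints one of: enabled | disabled | unknown
kpti_from_cpuinfo() {
    file=${1:-/proc/cpuinfo}
    [ -r "$file" ] || { echo unknown; return 0; }
    if grep -Eq '^flags[[:space:]]*:.*[[:space:]]pti([[:space:]]|$)' "$file"; then
        echo enabled
    else
        echo disabled
    fi
}

# Prefer the sysfs answer; fall back to cpuinfo only when sysfs is absent.
# $1: sysfs file (optional), $2: cpuinfo file (optional)
kpti_status() {
    s=$(kpti_from_sysfs "$1")
    if [ "$s" = unknown ]; then
        s=$(kpti_from_cpuinfo "$2")
    fi
    echo "$s"
}

# Report the live system when run as a script.
echo "KPTI: $(kpti_status)"
```

Run it as `sh kpti_status.sh`; the output is one of `enabled`, `disabled`, `not-affected` or `unknown`. Because it only reads what the kernel already publishes, it answers the question Dave asks in the thread without shipping anything that doubles as an attack.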

