KAISER: hiding the kernel from user space

Posted Jan 3, 2018 16:55 UTC (Wed) by EdRowland (guest, #120787)
Parent article: KAISER: hiding the kernel from user space

Couldn't you map a dummy page into the holes to prevent timing differences between populated memory that's unreadable at ring 3 and unpopulated memory that now references a dummy page?


KAISER: hiding the kernel from user space

Posted Jan 3, 2018 17:30 UTC (Wed) by excors (subscriber, #95769)

I guess the main problem with that idea is that page tables take 8 bytes of physical memory per 4KB of virtual address space. If you want to fill up the whole ~48-bit virtual address space with distinct PTEs, you'd need 512GB of page tables.

You could try to reduce the size by e.g. using a single dummy PTE table that's shared by all the higher-level tables, instead of keeping them distinct. But an attacker can likely measure the timing difference between a page walk that fetches the PTE from cache, vs one that fetches it from RAM. If you access address A, then address A+4096, and the second one is fast (i.e. the PTE is already in the cache), you know that's using the dummy PTE, so it's still leaking information about where the kernel is.

KAISER: hiding the kernel from user space

Posted Jan 6, 2018 0:26 UTC (Sat) by ridethewave (guest, #121115)

> I guess the main problem with that idea is that page tables take 8 bytes of physical memory per 4KB of virtual address space

Couldn't you just map each virtual address to the same physical address then?

