Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- geohot: well actually it's pretty simple
- geohot: i allocate a piece of memory
- geohot: using map_htab and write_htab, you can figure out the real address of the memory
- geohot: which is a big win, and something the hv shouldn't allow
- geohot: i fill the htab with tons of entries pointing to that piece of memory
- geohot: and since i allocated it, i can map it read/write
- geohot: then, i deallocate the memory
- geohot: all those entries are set to invalid
- geohot: well while it's setting entries invalid, i glitch the memory control bus
- geohot: the cache writeback misses the memory :)
- geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
- geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
- geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
- geohot: switch to virtual segment
- geohot: write to main segment htab a r/w mapping of itself
- geohot: switch back
- geohot: PWNED
- geohot: and would work if memory were encrypted or had ECC
- geohot: the way i actually glitch the memory bus is really funny
- geohot: i have a button on my FPGA board
- geohot: that pulses low for 40ns
- geohot: i set up the htab with the tons of entries
- geohot: and spam press the button
- geohot: right after i send the deallocate call
Add Comment
Please, Sign In to add comment