Conversation

Collaborator

@GJL GJL commented Nov 27, 2025

No description provided.

Collaborator

@koczkatamas koczkatamas left a comment

Looks good! I had one question / change suggestion.

const uint64_t KASLR_SLOT_SIZE = 0x200000;

// The number of prefetch measurements per candidate address.
const int KASLR_NUM_MEASUREMENTS = 100;
Collaborator

How fast is the current leak algorithm (in seconds or milliseconds)?

If it is a considerable amount (>500ms), then we should consider making this configurable (e.g. as an optional parameter for leak_kaslr_base), because in the case of kernelCTF there is sometimes a race, and the seconds (milliseconds) matter for who wins, so researchers may want to lower this value in some cases.

It is also possible that we want to increase this value in the case of noisier systems; I don't know how much noise affects prefetch leaks.

Collaborator Author

Around 500k µs for 100 leaks on my laptop, so around 5 ms per leak. I will make it configurable nonetheless.
