Using Undocumented CPU Behavior to See Into Kernel Mode and Break KASLR in the Process

Explore a groundbreaking Black Hat conference talk that delves into exploiting undocumented CPU behavior to breach trust boundaries and gain insights into kernel mode. Learn how attackers can bypass Kernel Address Space Randomized Layout (KASLR) and map kernel memory without special privileges, even from sandboxed environments. Discover the innovative use of the prefetch instruction to leak information about address translation caches, enabling fast and reliable kernel introspection. Examine the implications for physical-to-virtual address conversion and its potential impact on attacks like Row hammer and cache side-channel exploits. Gain insights into the relevance of these techniques on ARM platforms and hypervisor environments, and consider possible defense strategies against these micro-architectural vulnerabilities.