geohot: well actually it's pretty simple
geohot: i allocate a piece of memory
geohot: using map_htab and write_htab, you can figure out the real address of the memory
geohot: which is a big win, and something the hv shouldn't allow
geohot: i fill the htab with tons of entries pointing to that piece of memory
geohot: and since i allocated it, i can map it read/write
geohot: then, i deallocate the memory
geohot: all those entries are set to invalid
geohot: well while it's setting entries invalid, i glitch the memory control bus
geohot: the cache writeback misses the memory :)
geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
geohot: switch to virtual segment
geohot: write to main segment htab a r/w mapping of itself
geohot: switch back
geohot: PWNED
geohot: and would work if memory were encrypted or had ECC
geohot: the way i actually glitch the memory bus is really funny
geohot: i have a button on my FPGA board
geohot: that pulses low for 40ns
geohot: i set up the htab with the tons of entries
geohot: and spam press the button
geohot: right after i send the deallocate call