> Edit: The strategy in the paper requires allocating a bunch of physical memory from all the small blocks so that memory allocation requests from a new process are allocated deterministically to a desired physical row.
Honest question, because I'm not a security expert: can you do this without having already pwned your target to such a degree that this would be unnecessary?
However, historically, these sorts of attacks always get better, not worse.
And while even that can sometimes be empty rhetoric, I will say in the last 5 years I'm seeing a lot of security attacks that are already well beyond what even my moderately-trained intuition would suggest are possible, so I have to admit I've sort of given up on trying to guess on whether or not an attack can be made practical. I've seen too many mind-blowing presentations from security researchers to think I can bound their abilities safely. I wouldn't care to bet that they won't move the attacks I already am flabbergasted can exist to some other even-more practical attack that I am flabbergasted can exist.
This is unrelated to the current matter, but let me give you an example: https://www.youtube.com/watch?v=_eSAF_qT_FY If you think that's trivially obvious, and you're confident you can predict how these sorts of things will play out in the future, more power to you, but I'm certainly not justified in that belief at my skill level. I'm just happy I can follow that presentation!
Yeah, it seems that whenever an exploit "doesn't seem practical for actual use" it is just one more exploit-in-the-chain away from being operationalized.
So many systems have unspecified, undocumented and undertested behaviors that have not been exploited only because no one has ever tried.
Presumably there would be value in releasing the "impractical for actual use" version to the public after you have already operationalized and not before.
> Honest question, because I'm not a security expert: can you do this without having already pwned your target to such a degree that this would be unnecessary?
The paper describes strategies for manipulating a target box into doing just this.
I am also not a security expert, but it seems like VMs that are shared in the cloud are the targets for a lot of these types of attacks. You don't need to pwn the other VM, but you don't exactly get to choose which VMs you cohabitate with to target your attacks.