Quote:
Originally Posted by mcp
From what I've read it is based on the split TLB technique (see uninformed or newer paper MOrE Shadow Walker).
It works like this:
When translating virtual to physical memory addresses, there is a CPU cache that helps in alleviating the performance impact caused by the translation mechanism: the TLB (translation lookaside buffer). More precisely, there are actually two TLBs: one for data lookups, and one for code lookups.
Now, the basic idea of TLB splitting is to de-synchronize those two TLBs, thereby tricking the OS into mapping the same virtual address to different physical addresses.
Using that technique, one could for instance hide a rootkit in the kernel but still be able to execute code from it. However, when reading that memory, one wouldn't see the actual code.
In plain simple words, you stoop down so low that you are on the same level as malware. Unlike the real world, the problem with the internet is that once you invent a "nuclear bomb" you can't keep it in safe hands. So both the good and the bad guys suffer, the good guys probably more.
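To make the split-TLB mechanism quoted above concrete, here is an added user-space model of it. This is illustration code written for this thread, not code from mcp's post, from Shadow Walker or from the MOrE Shadow Walker paper: it simulates an x86-like MMU with a separate instruction TLB and data TLB, a page table with a present bit, and a page-fault hook in the style the post describes. The hook leaves the hidden page's PTE non-present so every TLB miss traps, decides fetch-versus-data by the faulting-address-equals-EIP test, and loads only the TLB that missed with the frame it wants that access to see. All names (`mmu_access`, `install_hidden_page`, `page_hides_code`, the frame layout, the byte patterns) and the page/frame sizes are assumptions made for the demo.

```c
/* Added example (not code from the post): user-space model of split-TLB
 * (Shadow Walker style) page hiding. Everything here is a simulation. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE  16           /* tiny pages keep the demo readable (assumed) */
#define NPAGES     4            /* virtual pages in the model */
#define NFRAMES    8            /* physical frames in the model */
#define READER_EIP 0xFFFFFFF0u  /* an EIP outside the demo pages: a data access */

typedef struct { uint32_t pfn; bool valid; } tlb_entry;   /* indexed by VPN */
typedef struct { uint32_t pfn; bool present; } pte;
enum access { ACC_FETCH, ACC_DATA };

static uint8_t   phys[NFRAMES][PAGE_SIZE];   /* constructed "physical memory" */
static pte       page_table[NPAGES];
static tlb_entry itlb[NPAGES], dtlb[NPAGES];
/* State of the modelled rootkit hook: which page to hide and with what. */
static struct { bool active; uint32_t vpn, code_pfn, decoy_pfn; } hidden;

static void tlb_fill(enum access kind, uint32_t vpn, uint32_t pfn) {
    tlb_entry *t = (kind == ACC_FETCH) ? &itlb[vpn] : &dtlb[vpn];
    t->pfn = pfn; t->valid = true;
}
void flush_tlbs(void) { memset(itlb, 0, sizeof itlb); memset(dtlb, 0, sizeof dtlb); }

/* Ordinary mapping: PTE present, so both TLBs fill with the same frame. */
void map_page(uint32_t vpn, uint32_t pfn) {
    page_table[vpn].pfn = pfn; page_table[vpn].present = true;
    itlb[vpn].valid = dtlb[vpn].valid = false;
}
/* Rootkit side: clear the present bit so every TLB miss on this page traps. */
void install_hidden_page(uint32_t vpn, uint32_t code_pfn, uint32_t decoy_pfn) {
    hidden.active = true; hidden.vpn = vpn;
    hidden.code_pfn = code_pfn; hidden.decoy_pfn = decoy_pfn;
    page_table[vpn].present = false;
    itlb[vpn].valid = dtlb[vpn].valid = false;
}

/* Modelled #PF handler. Fetch vs. data is decided by the MMU model below
 * (faulting address == EIP) and passed in as `kind`. */
static bool page_fault_handler(uint32_t vpn, enum access kind) {
    if (!hidden.active || vpn != hidden.vpn) return false;   /* not our page */
    uint32_t pfn = (kind == ACC_FETCH) ? hidden.code_pfn : hidden.decoy_pfn;
    page_table[vpn].pfn = pfn;
    page_table[vpn].present = true;     /* let one page walk succeed ...      */
    tlb_fill(kind, vpn, pfn);           /* ... into this TLB only ...         */
    page_table[vpn].present = false;    /* ... then trap again on the next miss */
    return true;
}

/* MMU model: byte at `va` accessed by the instruction at `eip`; -1 on an
 * unhandled page fault. */
int mmu_access(uint32_t va, uint32_t eip) {
    uint32_t vpn = va / PAGE_SIZE, off = va % PAGE_SIZE;
    if (vpn >= NPAGES) return -1;
    enum access kind = (va == eip) ? ACC_FETCH : ACC_DATA;   /* the CR2 == EIP test */
    tlb_entry *t = (kind == ACC_FETCH) ? &itlb[vpn] : &dtlb[vpn];
    if (!t->valid) {                                         /* TLB miss: page walk */
        if (page_table[vpn].present) tlb_fill(kind, vpn, page_table[vpn].pfn);
        else if (!page_fault_handler(vpn, kind)) return -1;
    }
    return phys[t->pfn][off];
}
int fetch_byte(uint32_t va) { return mmu_access(va, va); }          /* execute */
int read_byte(uint32_t va)  { return mmu_access(va, READER_EIP); }  /* read as data */

/* Detector-style check: does what executes differ from what reads back? */
bool page_hides_code(uint32_t vpn) {
    for (uint32_t o = 0; o < PAGE_SIZE; o++) {
        uint32_t va = vpn * PAGE_SIZE + o;
        if (fetch_byte(va) != read_byte(va)) return true;
    }
    return false;
}

/* Constructed demo: frame 3 = benign page of 'A', frame 1 = "rootkit" bytes
 * (NOP NOP RET), frame 2 = zeroed decoy. Returns the number of pages mapped. */
int setup_demo(void) {
    memset(phys, 0, sizeof phys); memset(page_table, 0, sizeof page_table);
    flush_tlbs(); hidden.active = false;
    memset(phys[3], 0x41, PAGE_SIZE);
    memcpy(phys[1], "\x90\x90\xC3", 3);
    map_page(1, 3);                 /* normal page */
    install_hidden_page(2, 1, 2);   /* page 2 executes frame 1, reads as frame 2 */
    return 2;
}

int main(void) {
    setup_demo();
    unsigned va = 2 * PAGE_SIZE;
    printf("fetch(0x%02x)=0x%02x read(0x%02x)=0x%02x\n", va, fetch_byte(va), va, read_byte(va));
    printf("page 1 hides code: %d, page 2 hides code: %d\n", page_hides_code(1), page_hides_code(2));
    flush_tlbs();
    printf("after a TLB flush page 2 still hides code: %d\n", page_hides_code(2));
    return 0;
}
```

Two things worth noticing when running it. First, the hidden page's PTE never stays present, so flushing both TLBs does not undo the trick: the next miss simply traps into the hook again and it re-splits the mapping, which is why a scanner that just reloads CR3 and re-reads the page learns nothing. Second, the `page_hides_code` check only works because this model can compare an instruction fetch with a data read of the same address from the same privilege level; on real hardware a detector in the kernel cannot "fetch" a byte without executing it, so practical detection of this class of hooks has to go after the non-present PTE on a page that is plainly in use, the modified page-fault handler itself, or the timing cost of the extra faults.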