Bard spotting on Bluesky 16 October 2024

So the problem the hyperspace is trying to solve is this: In modern processors, addresses are translated from virtual addresses to physical addresses through the page tables. So far so good. In x64, for example, you put the physical address of the page table into CR3, enable CR0.PG and away you go

Pwnallthethings (@pwnallthethings.bsky.social):

But where are those page tables? Why, in memory, of course. And where in memory is that? Wherever the page tables say they are, of course. So it's one of the (many) recursive boot-strapping problems in OS design is how to actually do that

Pwnallthethings (@pwnallthethings.bsky.social):

So suppose you want to add a page to the address space. That means assigning (or finding) the 4-level entry, walking down to the 3-level entry, then the 2-level entry, then inserting the page's 1-level PTE entry. Once you've done that, the next access to that address will cache-miss, and load it in

Pwnallthethings (@pwnallthethings.bsky.social):

The hyperspace region does this in a neat way. Rather than walking the pages, super-map them into your own address space as a fractal. That means given an address, finding the address of the 4-level entry is a single shift-and-add. The 3-level entry is two shifts and adds, etc

Pwnallthethings (@pwnallthethings.bsky.social):

So the hyperspace is a fractal view of the address space. 0xc0000000-0xc8000000 or whatever is all PTEs. Except for 0xc0c00000-0xc0c80000 becomes PDEs. Except for 0xc0c0c000-0xc0c0c800 becomes PML4s. And adding a page is walking outwards from that fractal

Pwnallthethings (@pwnallthethings.bsky.social):

And then if that doesn't hurt your head enough, you probably don't want a blind kwrite to be able to mess with your page tables. But if you that, KASLRing has the effect of not just changing the address, but also the /skew-angle/ into which the fractal goes from PTEs towards PML4s.

Pwnallthethings (@pwnallthethings.bsky.social):

So as an extreme example, if you put your page tables at address 0, the inner-most fractal is the /first/ page (at zero). If you put your page tables at the end of the address space, the inner-most fractal is the /last/ page. KASLRing it doesn't just change where the map is it changes its layout too

Pwnallthethings (@pwnallthethings.bsky.social):

Also all of this stuff is undebuggable. Because where is your debugging code? In memory! But where? Why, wherever the page tables say they are. So designing stuff like this is sitting around a whiteboard and thinking for three days and then writing it and hoping the computer doesn't just switch off.

Coyote ^.^ ΘΔ (@coyoteden.bsky.social):

It's debuggable in a VM from the hypervisor, or even on bare metal via SMM, right?

Ms. Penny 🌅🧙♀️ Oaken (@skywitches.net):

I ceased being able to consistently debug code when threading and predictive branching was introduced, so I imagine that the "is debuggable" in your question is doing a lot of heavy lifting

Coyote ^.^ ΘΔ (@coyoteden.bsky.social):

As far as execution, yeah, but when it comes to "do the page tables make sense or are they trashed" you should be able to halt and inspect memory from the hypervisor or via SMI, even if a kernel debugger can't do it.