Locate instantiated PTE by leaking the base address and dynamically using read primitive to retrieve the syscall id.| Boschko Security Blog
Looking at Pass-back-attacks & how to exploit trust relationships between devices that are generally considered benign.| Boschko Security Blog