Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX

Presented at Black Hat USA 2016, Aug. 3, 2016, 4:20 p.m. (50 minutes).

Kernel hardening has been an important topic, as many applications and security mechanisms often consider the kernel their Trusted Computing Base (TCB). Among various hardening techniques, kernel address space layout randomization (KASLR) is the most effective and widely adopted technique that can practically mitigate various memory corruption vulnerabilities, such as buffer overflow and use-after-free. In principle, KASLR is secure as long as no memory disclosure vulnerability exists and high randomness is ensured. In this talk, we present a novel timing side-channel attack against KASLR, called DrK (De-randomizing Kernel address space), which can accurately, silently, and rapidly de-randomize the kernel memory layout by identifying page properties: unmapped, executable, or non-executable pages. DrK is based on a new hardware feature, Intel Transactional Synchronization Extension (TSX), which allows us to execute a transaction without interrupting the underlying operating system even when the transaction is aborted due to errors, such as access violation and page faults. In DrK, we turned this property into a timing channel that can accurately distinguish the mapping status (i.e., mapped versus unmapped) and execution status (i.e., executable versus non-executable) of the privileged address space. In addition to its surprising accuracy and precision, the DrK attack is not only universally applicable to all OSes, even under a virtualized environment, but also has no visible footprint, making it nearly impossible to be detected in practice. We demonstrate that DrK breaks the KASLR of all major OSes, including Windows, Linux, and OS X with near-perfect accuracy in a few seconds. Finally, we propose potential hardware modifications that can prevent or mitigate the DrK attack.


Presenters:

  • Yeongjin Jang - Georgia Institute of Technology
    Yeongjin Jang is a PhD student at Georgia Institute of Technology. His research interests are focused on operating system and mobile security. In addition to the academic research works, he participates various capture-the-flags (CTF), and won the black badge in DEF CON 23 (as a member of team DEFKOR). Before joining to Georgia Tech, he received his BS degree in Computer Science from KAIST in 2010.
  • Sangho Lee - Georgia Institute of Technology
    Sangho Lee is a Postdoctoral Fellow at Georgia Tech. He has interests in all aspects of computer security including system, web, and mobile security.
  • Taesoo Kim - Georgia Institute of Technology
    Taesoo Kim is an Assistant Professor in the School of Computer Science, College of Computing, Georgia Institute of Technology. He is interested in building a system whose underlying principles justify why it should be secure. Those principles include the design of the system, analysis of its implementation, and clear separation of trusted components. He holds the B.S. from KAIST (2009), the S.M. (2011), and the PhD (2014) degrees from Massachusetts Institute of Technology, all in computer science.

Links:

Similar Presentations: