KASLR is Dead: Long Live KASLR

Gruss, Daniel; Lipp, Moritz; Schwarz, Michael; Fellner, Richard; Maurice, Clémentine; Mangard, Stefan

doi:10.1007/978-3-319-62105-0_11

Cited by 149 publications

(115 citation statements)

References 12 publications

Supporting

Mentioning

114

Contrasting

Order By: Relevance

“…For example, spectre can be mitigated by isolation or by removing the observation channels . The meltdown attack can be mitigated by employing KAISER which has been discussed in References . Here we want to comment that microarchitecture attacks are good for data extraction, but any attack based on hardware exploit which can execute code hidden from all software security measures or gain the highest privileges would be more disastrous.…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

A study of hardware architecture based attacks to bypass operating system security

Lokhande

Vidyarthi

2019

Security and Privacy

View full text Add to dashboard Cite

Malware target a vulnerability, bug or loophole in software to exploit the system, escalate privileges, extract inaccessible data, or execute code for malicious purpose. We can assert that over the period of time, both hardware and software have evolved and so are their vulnerabilities. But most of the vulnerabilities identified or researched are software oriented. On similar lines, there can be vulnerabilities in the hardware architecture that can be exploited, hidden from upper layer securities like operating system (OS) reference monitor, antivirus, etc. It is difficult to trace the vulnerabilities in the hardware primarily due to complex architecture and difficulties to observe the effects of operations performed across the system. Just like the software, the hardware architecture can also be exploited to develop malware and to gain access to sensitive data. This paper discusses the attacks that exploit the operations performed at the hardware level. We have discussed the different exploits that use the hardware architecture to extract data, their limitations and the future of hardware architecture based exploits. At the end, the data extraction process is validated through our implementation of one of the hardware architecture based exploits.We question about the impact on system security if the hardware architecture is exploited. K E Y W O R D Sarchitectural vulnerability, hardware attacks, micro-architectural attacks, side channel INTRODUCTIONAll the operations on a computer, at the lowest level, are hardware dependent. Over the course of time computers have evolved from simple computing machines to very complex machines, thanks to the evolution of software and the hardware that drives it. As the hardware and software have evolved, so are the vulnerabilities associated with them. It is commonly observed that software vulnerabilities are detected frequently and patched, but same is not the case with hardware vulnerabilities. Vulnerabilities in hardware architecture are not much researched as extensively as software, apart from its developers, in the cyber security domain. This leads to many hardware-based attacks such as • Rowhammer, 1,2 an attack that exploits bit flipping in DRAM due to continuous access, which bypasses the memory isolation and breaks security boundaries. • Exploitation of the instruction cache. 3 • Side channel attacks that can extract data using a nontraditional way of communication. 4-6 Security Privacy. 2019;2:e81.wileyonlinelibrary.com/journal/spy2

show abstract

Section: Discussionmentioning

confidence: 99%

“…As discussed in Reference , Meltdown can be mitigated by using Kernel Address Space Layout Randomization, but can be broken easily. KAISER is a kernel modification which does not allow kernel memory mapped to user space mitigates the meltdown attack.…”

Section: Hardware‐oriented Attacksmentioning

confidence: 99%

A study of hardware architecture based attacks to bypass operating system security

Lokhande

Vidyarthi

2019

Security and Privacy

View full text Add to dashboard Cite

show abstract

“…Otherwise, we have found a virtual page V a that points to a physical page outside of the tmp file due to the bit flips. Next, we need to check if the page V a itself is a writable page-table page (line [10][11][12][13][14][15][16][17][18]. To this end, we pretend that V a is a writable page table and tentatively modify one of the entry.…”

Section: Privilege Escalationmentioning

confidence: 99%

CATTmew: Defeating Software-Only Physical Kernel Isolation

Cheng

Zhang

Nepal

et al. 2021

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

All the state-of-the-art rowhammer attacks can break the MMU-enforced inter-domain isolation because the physical memory owned by each domain is adjacent to each other. To mitigate these attacks, physical domain isolation, introduced by CATT [7], physically separates each domain by dividing the physical memory into multiple partitions and keeping each partition occupied by only one domain. CATT implemented physical kernel isolation as the first generic and practical software-only defense to protect kernel from being rowhammered as kernel is one of the most appealing targets. In this paper, we develop a novel exploit that could effectively defeat the physical kernel isolation and gain both root and kernel privileges. Our exploit can work without exhausting the page cache or the system memory, or relying on the information of the virtual-to-physical address mapping. The exploit is motivated by our key observation that the modern OSes have double-owned kernel buffers (e.g., video buffers and SCSI Generic buffers) owned concurrently by the kernel and user domains. The existence of such buffers invalidates the physical kernel isolation and makes the rowhammer-based attack possible again. Existing conspicuous rowhammer attacks achieving the root/kernel privilege escalation exhaust the page cache or even the whole system memory. Instead, we propose a new technique, named memory ambush. It is able to place the hammerable double-owned kernel buffers physically adjacent to the target objects (e.g., page tables) with only a small amount of memory. As a result, our exploit is stealthier and has fewer memory footprints. We also replace the inefficient rowhammer algorithm that blindly picks up addresses to hammer with an efficient one. Our algorithm selects suitable addresses based on an existing timing channel [31]. We implement our exploit on the Linux kernel version 4.10.0. Our experiment results indicate that a successful attack could be done within 1 minute. The occupied memory is as low as 88MB.

show abstract

“…We choose seL4 as it implements the fastest synchronous IPC across several modern microkernels [68]. To defend against Meltdown attacks, seL4 provides support for a page-tablebased kernel isolation mechanism similar to KPTI [41]. However, this mechanism negatively affects IPC performance due to an additional reload of the page table root pointer.…”

Section: Vmfunc Domain-crossingsmentioning

confidence: 99%

Lightweight kernel isolation with virtualization and VM functions

Narayanan

Huang

Tan

et al. 2020

Proceedings of the 16th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments

View full text Add to dashboard Cite

Commodity operating systems execute core kernel subsystems in a single address space along with hundreds of dynamically loaded extensions and device drivers. Lack of isolation within the kernel implies that a vulnerability in any of the kernel subsystems or device drivers opens a way to mount a successful attack on the entire kernel.Historically, isolation within the kernel remained prohibitive due to the high cost of hardware isolation primitives. Recent CPUs, however, bring a new set of mechanisms. Extended page-table (EPT) switching with VM functions and memory protection keys (MPKs) provide memory isolation and invocations across boundaries of protection domains with overheads comparable to system calls. Unfortunately, neither MPKs nor EPT switching provide architectural support for isolation of privileged ring 0 kernel code, i.e., control of privileged instructions and well-defined entry points to securely restore state of the system on transition between isolated domains.Our work develops a collection of techniques for lightweight isolation of privileged kernel code. To control execution of privileged instructions, we rely on a minimal hypervisor that transparently deprivileges the system into a non-root VT-x guest. We develop a new isolation boundary that leverages extended page table (EPT) switching with the VMFUNC instruction. We define a set of invariants that allows us to isolate kernel components in the face of an intricate execution model of the kernel, e.g., provide isolation of preemptable, concurrent interrupt handlers. To minimize overheads of virtualization, we develop support for exitless interrupt delivery across isolated domains. We evaluate our

show abstract

KASLR is Dead: Long Live KASLR

Cited by 149 publications

References 12 publications

A study of hardware architecture based attacks to bypass operating system security

A study of hardware architecture based attacks to bypass operating system security

CATTmew: Defeating Software-Only Physical Kernel Isolation

Lightweight kernel isolation with virtualization and VM functions

Contact Info

Product

Resources

About