Practical Timing Side Channel Attacks against Kernel Space ASLR

Hund, Ralf; Willems, Carsten; Holz, Thorsten

doi:10.1109/sp.2013.23

Cited by 309 publications

(202 citation statements)

References 25 publications

Supporting

Mentioning

179

Contrasting

Order By: Relevance

“…However, this does not reveal the randomized VA of the re-mapped stack and thus cannot be used to launch attacks. Finally, because AArch64 TLB does not hold a TLB entry on both translation error and access flag error [7], TLB-based side channel attacks [29] are also not feasible.…”

Section: Kernel Stack Randomizationmentioning

confidence: 99%

Enforcing Kernel Security Invariants with Data Flow Integrity

Song¹,

Lee²,

Lu³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-The operation system kernel is the foundation of the whole system and is often the de facto trusted computing base for many higher level security mechanisms. Unfortunately, kernel vulnerabilities are not rare and are continuously being introduced with new kernel features. Once the kernel is compromised, attackers can bypass any access control checks, escalate their privileges, and hide the evidence of attacks. Many protection mechanisms have been proposed and deployed to prevent kernel exploits. However, a majority of these techniques only focus on preventing control-flow hijacking attacks; techniques that can mitigate noncontrol-data attacks either only apply to drivers/modules or impose too much overhead. The goal of our research is to develop a principled defense mechanism against memory-corruption-based privilege escalation attacks. Toward this end, we leverage dataflow integrity to enforce security invariants of the kernel access control system. In order for our protection mechanism to be practical, we develop two new techniques: one for automatically inferring data that are critical to the access control system without manual annotation, and the other for efficient DFI enforcement over the inference results. We have implemented a prototype of our technology for the ARM64 Linux kernel on an Android device. The evaluation results of our prototype implementation show that our technology can mitigate a majority of privilege escalation attacks, while imposing a moderate amount of performance overhead.

show abstract

Section: Kernel Stack Randomizationmentioning

confidence: 99%

Enforcing Kernel Security Invariants with Data Flow Integrity

Song¹,

Lee²,

Lu³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Naturally, the evasion efforts in various types of OSes so far have all focused on defeating the protection by either stealing the secretive memory layout information through information leaks and side channels [25], or brute forcing on those platforms that cannot randomize memory allocations with enough entropy [39]. However, either direction is by no means easy to pursue; exploitable vulnerabilities that leak memory address information are fairly hard to come by, and a single failure on brute force attempts often results in an application crash that is easily detectable by users.…”

Section: Exploiting Android's Aslrmentioning

confidence: 99%

“…Researchers also explored interesting ways to estimate target addresses for attacks by using cache or hash collision, both in the OS kernel [25] and in web browsers [2]. However, we believe ASLR-enabled systems raise a high bar for attackers to compromise servers [47] and mobile devices, which encounter attacks via small sets of interfaces like HTTP or media streaming.…”

Section: Related Workmentioning

confidence: 99%

From Zygote to Morula: Fortifying Weakened ASLR on Android

Lee

Wang

et al. 2014

2014 IEEE Symposium on Security and Privacy

View full text Add to dashboard Cite

Abstract-There have been many research efforts to secure Android applications and the high-level system mechanisms. The low-level operating system designs have been overlooked partially due to the belief that security issues at this level are similar to those on Linux, which are well-studied. However, we identify that certain Android modifications are at odds with security and result in serious vulnerabilities that need to be addressed immediately.In this paper, we analyze the Zygote process creation model, an Android operating system design for speeding up application launches. Zygote weakens Address Space Layout Randomization (ASLR) because all application processes are created with largely identical memory layouts. We design both remote and local attacks capable of bypassing the weakened ASLR and executing return-oriented programming on Android. We demonstrate the attacks using real applications, such as the Chrome Browser and VLC Media Player. Further, we design and implement Morula, a secure replacement for Zygote. Morula introduces a small amount of code to the Android operating system and can be easily adopted by device vendors. Our evaluation shows that, compared to Zygote, Morula incurs a 13 MB memory increase for each running application but allows each Android process to have an individually randomized memory layout and even a slightly shorter average launch time.

show abstract

“…Thereby, we currently mitigate this problem by making sure that in our experiments the amount of prefetched memory is far less than the available cache (6 MiB). Self-evictions are also a minor concern since our platform uses an Intel SmartCache which does not perform a direct mapping from physical addresses to cache lines [10]. The cache is trashed before any measurement is taken in order to perform a worst-case oriented analysis.…”

Section: A Testbed Setupmentioning

confidence: 99%

Light-PREM: Automated software refactoring for predictable execution on COTS embedded systems

Mancuso

Dudko

Caccamo

2014

2014 IEEE 20th International Conference on Embedded and Real-Time Computing Systems and Applications

View full text Add to dashboard Cite

Abstract-As real-time embedded systems become more complex, there is the need to build them using high performance commercial off-the-shelf (COTS) components. However, tasks can exhibit hard to predict worst case execution times (WCET) when executing on commodity hardware, due to contention among shared physical resources. Past work has introduced the PRedictable Execution Model (PREM) [1] to solve this issue, but unfortunately, the time required to manually refactor existing code according to this model is too high. Light-PREM proposes a novel technique that automates the refactoring process needed to convert legacy software applications to PREM-compliant code. The advantage of Light-PREM is twofold. On one side, it makes the adoption of PREM more attractive from an industrial point of view, because it significantly reduces the amount of work that is needed to generate PREM-compliant code. On the other hand, the proposed methodology is general enough to be used with any embedded software design. Experimental results show that Light-PREM significantly improves the predictability of real-time applications without requiring software engineers to gain a deep understanding about software memory usage.

show abstract

Practical Timing Side Channel Attacks against Kernel Space ASLR

Cited by 309 publications

References 25 publications

Enforcing Kernel Security Invariants with Data Flow Integrity

Enforcing Kernel Security Invariants with Data Flow Integrity

From Zygote to Morula: Fortifying Weakened ASLR on Android

Light-PREM: Automated software refactoring for predictable execution on COTS embedded systems

Contact Info

Product

Resources

About