
KASLR is Dead: Long Live KASLR

  • Conference paper
  • Engineering Secure Software and Systems (ESSoS 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10379)

Abstract

Modern operating system kernels employ address space layout randomization (ASLR) to prevent control-flow hijacking attacks and code-injection attacks. While kernel security relies fundamentally on preventing access to address information, recent attacks have shown that the hardware directly leaks this information. Strictly splitting kernel space and user space has recently been proposed as a theoretical concept to close these side channels. However, this is not trivially possible due to architectural restrictions of the x86 platform.

In this paper we present KAISER, a system that overcomes limitations of x86 and provides practical kernel address isolation. We implemented our proof-of-concept on top of the Linux kernel, closing all hardware side channels on kernel address information. KAISER enforces a strict kernel and user space isolation such that the hardware does not hold any information about kernel addresses while running in user mode. We show that KAISER protects against double page fault attacks, prefetch side-channel attacks, and TSX-based side-channel attacks. Finally, we demonstrate that KAISER has a runtime overhead of only 0.28%.

The stamp on the top of this paper refers to an approval process conducted by the ESSoS artifact evaluation committee chaired by Karim Ali and Omer Tripp.


Notes

  1. The list of authors for “Prefetch Side-Channel Attacks” by Gruss et al. [6] and this paper overlaps.

  2. We are preparing a submission of our patches into the Linux kernel upstream. The source code and the Debian package compatible with Ubuntu 16.10 can be found at https://github.com/IAIK/KAISER.

  3. Kernel Address Isolation to have Side channels Efficiently Removed.

References

  1. Bienia, C.: Benchmarking Modern Multiprocessors. Ph.D. thesis, Princeton University, January 2011

  2. Branco, R., Gueron, S.: Blinded random corruption attacks. In: IEEE International Symposium on Hardware Oriented Security and Trust (HOST 2016) (2016)

  3. Evtyushkin, D., Ponomarev, D., Abu-Ghazaleh, N.: Jump over ASLR: attacking branch predictors to bypass ASLR. In: International Symposium on Microarchitecture (MICRO 2016) (2016)

  4. Gras, B., Razavi, K., Bosman, E., Bos, H., Giuffrida, C.: ASLR on the line: practical cache attacks on the MMU. In: NDSS 2017 (2017)

  5. Gruss, D., Maurice, C., Mangard, S.: Rowhammer.js: a remote software-induced fault attack in JavaScript. In: Caballero, J., Zurutuza, U., Rodríguez, R.J. (eds.) DIMVA 2016. LNCS, vol. 9721, pp. 300–321. Springer, Cham (2016). doi:10.1007/978-3-319-40667-1_15

  6. Gruss, D., Maurice, C., Fogh, A., Lipp, M., Mangard, S.: Prefetch side-channel attacks: bypassing SMAP and kernel ASLR. In: CCS 2016 (2016)

  7. Hund, R., Willems, C., Holz, T.: Practical timing side channel attacks against kernel space ASLR. In: S&P 2013 (2013)

  8. Intel: Intel® 64 and IA-32 Architectures Software Developer’s Manual, vol. 3 (3A, 3B & 3C): System Programming Guide 253665 (2014)

  9. Jang, Y.: The DrK Attack - Proof of concept (2016). https://github.com/sslab-gatech/DrK. Accessed 24 Feb 2017

  10. Jang, Y., Lee, S., Kim, T.: Breaking kernel address space layout randomization with Intel TSX. In: CCS 2016 (2016)

  11. Kemerlis, V.P., Polychronakis, M., Keromytis, A.D.: ret2dir: rethinking kernel isolation. In: USENIX Security Symposium, pp. 957–972 (2014)

  12. Kim, Y., Daly, R., Kim, J., Fallin, C., Lee, J.H., Lee, D., Wilkerson, C., Lai, K., Mutlu, O.: Flipping bits in memory without accessing them: an experimental study of DRAM disturbance errors. In: ISCA 2014 (2014)

  13. Shutemov, K.A.: Pagemap: Do Not Leak Physical Addresses to Non-Privileged Userspace. https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce. Accessed 10 Nov 2015

  14. Levin, J.: Mac OS X and iOS Internals: To the Apple’s Core. Wiley (2012)

  15. Maurice, C., Weber, M., Schwarz, M., Giner, L., Gruss, D., Boano, C.A., Mangard, S., Römer, K.: Hello from the other side: SSH over robust cache covert channels in the cloud. In: NDSS 2017 (2017, to appear)

  16. PARSEC Group: A Memo on Exploration of SPLASH-2 Input Sets (2011). http://parsec.cs.princeton.edu

  17. PaX Team: Address space layout randomization (ASLR) (2003). http://pax.grsecurity.net/docs/aslr.txt

  18. Pessl, P., Gruss, D., Maurice, C., Schwarz, M., Mangard, S.: DRAMA: exploiting DRAM addressing for cross-CPU attacks. In: USENIX Security Symposium (2016)

  19. Russinovich, M.E., Solomon, D.A., Ionescu, A.: Windows Internals. Pearson Education (2012)

  20. Seaborn, M., Dullien, T.: Exploiting the DRAM rowhammer bug to gain kernel privileges. In: Black Hat 2015 Briefings (2015)

  21. Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: 14th ACM CCS (2007)

  22. Shacham, H., Page, M., Pfaff, B., Goh, E., Modadugu, N., Boneh, D.: On the effectiveness of address-space randomization. In: CCS 2004 (2004)

  23. Solar Designer: Getting around non-executable stack (and fix), August 1997. http://seclists.org/bugtraq/1997/Aug/63

  24. The PostgreSQL Global Development Group: pgbench (2016). https://www.postgresql.org/docs/9.6/static/pgbench.html

  25. Venkatasubramanian, G., Figueiredo, R.J., Illikkal, R., Newell, D.: TMT: a TLB tag management framework for virtualized platforms. Int. J. Parallel Program. 40(3), 353–380 (2012)

Acknowledgments

We would like to thank our anonymous reviewers, Anders Fogh, Rodrigo Branco, Richard Weinberger, Thomas Garnier, David Gens and Mark Rutland for their valuable feedback. This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 681402). This work was partially supported by the TU Graz LEAD project “Dependable Internet of Things in Adverse Environments”.

Author information

Correspondence to Daniel Gruss.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Gruss, D., Lipp, M., Schwarz, M., Fellner, R., Maurice, C., Mangard, S. (2017). KASLR is Dead: Long Live KASLR. In: Bodden, E., Payer, M., Athanasopoulos, E. (eds) Engineering Secure Software and Systems. ESSoS 2017. Lecture Notes in Computer Science, vol 10379. Springer, Cham. https://doi.org/10.1007/978-3-319-62105-0_11

  • DOI: https://doi.org/10.1007/978-3-319-62105-0_11
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-62104-3
  • Online ISBN: 978-3-319-62105-0
  • eBook Packages: Computer Science (R0)