DOI: 10.1145/2976749.2978321
Research article (public access), CCS conference proceedings

Breaking Kernel Address Space Layout Randomization with Intel TSX

ABSTRACT

Kernel hardening has been an important topic because many applications and security mechanisms treat the kernel as part of their Trusted Computing Base (TCB). Among the various hardening techniques, Kernel Address Space Layout Randomization (KASLR) is the most effective and widely adopted defense: by hiding where kernel code and data reside, it practically mitigates the exploitation of memory corruption vulnerabilities such as buffer overflows and use-after-free. In principle, KASLR is secure as long as no memory-leak vulnerability exists and sufficient entropy is ensured.

In this paper, we introduce a highly stable timing attack against KASLR, called DrK, that can precisely de-randomize the memory layout of the kernel without violating either of these assumptions. DrK exploits a hardware feature, Intel Transactional Synchronization Extensions (TSX), that is readily available in most modern commodity CPUs. One surprising behavior of TSX, which is the root cause of this security loophole, is that it aborts a transaction without notifying the underlying kernel even when the transaction fails because of a critical error, such as a page fault or an access violation, that traditionally requires kernel intervention. DrK turns this property into a precise timing channel that can determine the mapping status (mapped versus unmapped) and execution status (executable versus non-executable) of the privileged kernel address space. In addition to its surprising accuracy and precision, DrK is universally applicable to all OSes, even in virtualized environments, and leaves no visible footprint, since no fault ever reaches the kernel, making it difficult to detect in practice. We demonstrate that DrK breaks the KASLR of all major OSes (Windows, Linux, and OS X) with near-perfect accuracy in under a second. Finally, we propose countermeasures that can effectively prevent or mitigate the DrK attack.

We urge our community to be aware of the potential threat posed by Intel TSX, which is present in most recent Intel CPUs (100% of workstation-class and 60% of high-end Intel CPUs since Skylake) and is even available on Amazon EC2 (X1 instances).

