LAZARUS: Practical Side-Channel Resilient Kernel-Space Randomization

  • David Gens
  • Orlando Arias
  • Dean Sullivan
  • Christopher Liebchen
  • Yier Jin
  • Ahmad-Reza Sadeghi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10453)

Abstract

Kernel exploits are commonly used for privilege escalation to take full control over a system, e.g., by means of code-reuse attacks. For this reason, modern kernels are hardened with kernel Address Space Layout Randomization (KASLR), which randomizes the start address of the kernel code section at boot time. Hence, the attacker first has to bypass the randomization and can only then, in a second step, conduct the attack using a payload adjusted to the disclosed layout. Recently, researchers demonstrated that attackers can exploit unprivileged instructions to collect timing information through side channels in the paging subsystem of the processor. This can be exploited to reveal the randomization secret, even in the absence of any information-disclosure vulnerabilities in the software.

In this paper we present LAZARUS, a novel technique to harden KASLR against paging-based side-channel attacks. In particular, our scheme allows for fine-grained protection of the virtual memory mappings that implement the randomization. We demonstrate the effectiveness of our approach by hardening a recent Linux kernel with LAZARUS, mitigating all of the previously presented side-channel attacks on KASLR. Our extensive evaluation shows that LAZARUS incurs only 0.943% overhead for standard benchmarks and is therefore highly practical.

Keywords

KASLR, code-reuse attacks, randomization, side channels

Notes

Acknowledgment

This work was supported in part by the German Science Foundation (project S2, CRC 1119 CROSSING), the European Union’s Seventh Framework Programme (609611, PRACTICE), and the German Federal Ministry of Education and Research within CRISP.

Dean Sullivan, Orlando Arias, and Yier Jin are partially supported by the Department of Energy through the Early Career Award (DE-SC0016180). Mr. Orlando Arias is also supported by the National Science Foundation Graduate Research Fellowship Program under Grant No. 1144246.

Supplementary material

440190_1_En_11_MOESM1_ESM.txt (1 kb)
Supplementary material 1 (txt 1 KB)

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • David Gens (1)
  • Orlando Arias (2)
  • Dean Sullivan (2)
  • Christopher Liebchen (1)
  • Yier Jin (2)
  • Ahmad-Reza Sadeghi (1)

  1. CYSEC / Technische Universität Darmstadt, Darmstadt, Germany
  2. University of Central Florida, Orlando, USA