A TSX-Based KASLR Break: Bypassing UMIP and Descriptor-Table Exiting

  • Conference paper
Risks and Security of Internet and Systems (CRiSIS 2021)

Abstract

In this paper, we introduce a reliable method based on Transactional Synchronization Extensions (TSX) side-channel leakage to break KASLR and reveal the addresses of the Global Descriptor Table (GDT) and Interrupt Descriptor Table (IDT). We indicate that, by detecting these addresses, one could execute instructions to sidestep Intel’s User-Mode Instruction Prevention (UMIP) and the hypervisor-based mitigation and, consequently, neutralize them. The introduced method succeeds even after the most recent patches for Meltdown and Spectre. Moreover, we demonstrate that combining this method with a call-gate mechanism (available in modern processors) in a chain of events will eventually lead to a system compromise despite the restrictions of a super-secure sandbox in the presence of Windows’s proprietary Virtualization Based Security (VBS). Finally, we suggest software-based mitigation to avoid these issues with an acceptable overhead cost.

Author information

Corresponding author

Correspondence to Dara Rahmati.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Karvandi, M.S., Khalaj Monfared, S., Kiarostami, M.S., Rahmati, D., Gorgin, S. (2022). A TSX-Based KASLR Break: Bypassing UMIP and Descriptor-Table Exiting. In: Luo, B., Mosbah, M., Cuppens, F., Ben Othmane, L., Cuppens, N., Kallel, S. (eds) Risks and Security of Internet and Systems. CRiSIS 2021. Lecture Notes in Computer Science, vol 13204. Springer, Cham. https://doi.org/10.1007/978-3-031-02067-4_3

  • DOI: https://doi.org/10.1007/978-3-031-02067-4_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-02066-7

  • Online ISBN: 978-3-031-02067-4

  • eBook Packages: Computer Science, Computer Science (R0)
