Skip to main content

A TSX-Based KASLR Break: Bypassing UMIP and Descriptor-Table Exiting

  • Conference paper
  • First Online:
Risks and Security of Internet and Systems (CRiSIS 2021)


In this paper, we introduce a reliable method based on Transactional Synchronization Extensions (TSX) side-channel leakage to break the KASLR and reveal the address of the Global Descriptor Table (GDT) and Interrupt Descriptor Table (IDT). We indicate that by detecting these addresses, one could execute instructions to sidestep Intel’s User-Mode Instruction Prevention (UMIP) and the Hypervisor-based mitigation and, consequently, neutralized them. The introduced method is successfully performed after the most recent patches for Meltdown and Spectre. Moreover, we demonstrate that a combination of this method with a call-gate mechanism (available in modern processors) in a chain of events will eventually lead to a system compromise despite the restrictions of a super-secure sandbox in the presence of Windows’s proprietary Virtualization Based Security (VBS). Finally, we suggest software-based mitigation to avoid these issues with an acceptable overhead cost.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD 44.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 59.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions


  1. Devices, A.M.: AMD64 architecture programmer’s manual volume 2: system programming (2006)

    Google Scholar 

  2. Ge, Q., Yarom, Y., Cock, D., Heiser, G.: A survey of microarchitectural timing attacks and countermeasures on contemporary hardware. J. Cryptogr. Eng. 8(1), 1–27 (2018)

    Article  Google Scholar 

  3. Gras, B., Razavi, K., Bos, H., Giuffrida, C.: Translation leak-aside buffer: defeating cache side-channel protections with TLB attacks. In: 27th USENIX Security Symposium (USENIX Security 18), pp. 955–972 (2018)

    Google Scholar 

  4. Gruss, D., Hansen, D., Gregg, B.: Kernel isolation: from an academic idea to an efficient patch for every computer. login: USENIX Mag. 43(4), 10–14 (2018)

    Google Scholar 

  5. Gruss, D., Lipp, M., Schwarz, M., Fellner, R., Maurice, C., Mangard, S.: KASLR is dead: long live KASLR. In: Bodden, E., Payer, M., Athanasopoulos, E. (eds.) ESSoS 2017. LNCS, vol. 10379, pp. 161–176. Springer, Cham (2017).

    Chapter  Google Scholar 

  6. Guide, P.: Intel® 64 and IA-32 architectures software developer’s manual. Volume 3C: Chapter 24, Virtual Machine Control Structures (Table 24–6. Definitions of Primary Processor-Based VM-Execution Controls) 3C (2019)

    Google Scholar 

  7. Guide, P.: Intel® 64 and IA-32 architectures software developer’s manual. Volume 4: Chapter 2, Model-Specific Registers (MSRS) (Table 2–2. IA-32 Architectural MSRs) 4 (2019)

    Google Scholar 

  8. Guide, P.: Intel® 64 and IA-32 architectures software developer’s manual. Volume 3A: Chapter 1, System Architecture Overview, Time Stamp Disable, 3A (2019)

    Google Scholar 

  9. Hajihassani, O., Monfared, S.K., Khasteh, S.H., Gorgin, S.: Fast AES implementation: a high-throughput bitsliced approach. IEEE Trans. Parallel Distrib. Syst. 30(10), 2211–2222 (2019)

    Article  Google Scholar 

  10. Intel: Intel virtualization technology flexmigration application note (2012).

  11. Ionescu, A.: Blog post (2018).

  12. Jurczyk, M., Coldwind, G.: GDT and LDT in windows kernel vulnerability exploitation (2010)

    Google Scholar 

  13. Karvandi, S.: Call gates’ ring transitioning in IA-32 mode (2019).

  14. Karvandi, S.: Hypervisor from scratch - part 6: virtualizing an already running system (2019).

  15. Kiarostami, M.S., Reza Daneshvaramoli, M., Monfared, S.K., Rahmati, D., Gorgin, S.: Multi-agent non-overlapping pathfinding with Monte-Carlo Tree search. In: 2019 IEEE Conference on Games (CoG), pp. 1–4 (2019)

    Google Scholar 

  16. Kim, T., Kim, T., Shin, Y.: Breaking KASLR using memory deduplication in virtualized environments. Electronics 10(17), 2174 (2021)

    Article  Google Scholar 

  17. Kim, Y., et al.: Flipping bits in memory without accessing them: an experimental study of dram disturbance errors. In: ACM SIGARCH Computer Architecture News, vol. 42, pp. 361–372. IEEE Press (2014)

    Google Scholar 

  18. Kocher, P., et al.: Spectre attacks: exploiting speculative execution. arXiv preprint arXiv:1801.01203 (2018)

  19. Koschel, J., Giuffrida, C., Bos, H., Razavi, K.: TagBleed: breaking Kaslr on the isolated kernel address space using tagged TLBs. In: 2020 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 309–321. IEEE (2020)

    Google Scholar 

  20. Kurth, M., Gras, B., Andriesse, D., Giuffrida, C., Bos, H., Razavi, K.: NetCAT: practical cache attacks from the network. In: S&P, May 2020. Intel Bounty Reward

  21. Lewis, P.: Using a call gate to prevent secure sandbox leakage, uS Patent 8,528,083, 3 September 2013

    Google Scholar 

  22. Lipp, M., et al.: Meltdown: reading kernel memory from user space. In: 27th USENIX Security Symposium (USENIX Security 18), pp. 973–990 (2018)

    Google Scholar 

  23. Microsoft Security Response Center: Kva shadow: mitigating meltdown on windows (2018).

  24. Minkin, M., et al.: Fallout: reading Kernel writes from user space. arXiv preprint arXiv:1905.12701 (2019)

  25. MITRE: Cwe-123: Write-what-where condition (2019).

  26. Monfared, S.K., Hajihassani, O., Kiarostami, M.S., Zanjani, S.M., Rahmati, D., Gorgin, S.: BSRNG: a high throughput parallel bitsliced approach for random number generators. In: 49th International Conference on Parallel Processing-ICPP: Workshops, pp. 1–10 (2020)

    Google Scholar 

  27. Oliverio, M., Razavi, K., Bos, H., Giuffrida, C.: Secure page fusion with VUsion. In: Proceedings of the 26th Symposium on Operating Systems Principles, pp. 531-545 (2017).

  28. Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006).

    Chapter  Google Scholar 

  29. Schwarz, M., et al.: ZombieLoad: cross-privilege-boundary data sampling. arXiv preprint arXiv:1905.05726 (2019)

  30. Schwarz, M., Maurice, C., Gruss, D., Mangard, S.: Fantastic timers and where to find them: high-resolution microarchitectural attacks in JavaScript. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 247–267. Springer, Cham (2017).

    Chapter  Google Scholar 

  31. Schwarz, M., Weiser, S., Gruss, D., Maurice, C., Mangard, S.: Malware guard extension: using SGX to conceal cache attacks. In: Polychronakis, M., Meier, M. (eds.) DIMVA 2017. LNCS, vol. 10327, pp. 3–24. Springer, Cham (2017).

    Chapter  Google Scholar 

  32. Seaborn, M., Dullien, T.: Exploiting the DRAM rowhammer bug to gain kernel privileges. Black Hat 15 (2015)

    Google Scholar 

  33. Stecklina, J., Prescher, T.: LazyFP: leaking FPU register state using microarchitectural side-channels. arXiv preprint arXiv:1806.07480 (2018)

  34. Van Schaik, S., Giuffrida, C., Bos, H., Razavi, K.: Malicious management unit: Why stopping cache attacks in software is harder than you think. In: 27th USENIX Security Symposium (USENIX Security 18), pp. 937–954 (2018)

    Google Scholar 

  35. Weisse, O., et al.: Foreshadow-NG: breaking the virtual memory abstraction with transient out-of-order execution (2018)

    Google Scholar 

  36. Wiki, O.D.: Sysenter (2017).

  37. Yarom, Y., Falkner, K.: Flush + reload: a high resolution, low noise, L3 cache side-channel attack. In: 23rd USENIX Security Symposium (USENIX Security 14), pp. 719–732 (2014)

    Google Scholar 

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Dara Rahmati .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Karvandi, M.S., Khalaj Monfared, S., Kiarostami, M.S., Rahmati, D., Gorgin, S. (2022). A TSX-Based KASLR Break: Bypassing UMIP and Descriptor-Table Exiting. In: Luo, B., Mosbah, M., Cuppens, F., Ben Othmane, L., Cuppens, N., Kallel, S. (eds) Risks and Security of Internet and Systems. CRiSIS 2021. Lecture Notes in Computer Science, vol 13204. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-02066-7

  • Online ISBN: 978-3-031-02067-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics