KASLR is Dead: Long Live KASLR

  • Daniel Gruss
  • Moritz Lipp
  • Michael Schwarz
  • Richard Fellner
  • Clémentine Maurice
  • Stefan Mangard
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10379)


Modern operating system kernels employ address space layout randomization (ASLR) to prevent control-flow hijacking attacks and code-injection attacks. While kernel security relies fundamentally on preventing access to address information, recent attacks have shown that the hardware directly leaks this information. Strictly splitting kernel space and user space has recently been proposed as a theoretical concept to close these side channels. However, this is not trivially possible due to architectural restrictions of the x86 platform.

In this paper we present KAISER, a system that overcomes limitations of x86 and provides practical kernel address isolation. We implemented our proof-of-concept on top of the Linux kernel, closing all hardware side channels on kernel address information. KAISER enforces a strict kernel and user space isolation such that the hardware does not hold any information about kernel addresses while running in user mode. We show that KAISER protects against double page fault attacks, prefetch side-channel attacks, and TSX-based side-channel attacks. Finally, we demonstrate that KAISER has a runtime overhead of only 0.28%.
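The isolation property the abstract states (the hardware holds no information about kernel addresses while in user mode) can be illustrated with a toy model of the two page tables. This is an added example, not code from the paper or from the KAISER patch set. Addresses are page numbers; the kernel image size, the user mappings and the fixed `TRAMPOLINE` page that stays mapped for kernel entry are constructed assumptions of the model, and the yes/no "is this page present" answer stands in for whatever the real hardware leaks through its side channels.

```python
"""Toy model of KAISER-style kernel address isolation.

Added example, not code from the paper or from the KAISER patch set.
Addresses are page numbers. The kernel image is a contiguous block of
KERNEL_PAGES pages at a randomized base in the kernel half (KASLR).
A user-mode observer may only ask the toy MMU whether a page is present in
the page table currently installed; that yes/no answer stands in for the
information real hardware leaks through side channels. All sizes and the
fixed TRAMPOLINE page are constructed assumptions of this model.
"""
import random

USER_PAGES = range(0, 64)        # user half: pages 0..63
KERNEL_REGION = range(64, 128)   # kernel half: pages 64..127
KERNEL_PAGES = 8                 # size of the randomized kernel image
TRAMPOLINE = 127                 # fixed entry stub that stays mapped in user mode


def candidate_bases():
    """Every base at which the kernel image fits below the trampoline page."""
    return range(KERNEL_REGION.start, TRAMPOLINE - KERNEL_PAGES + 1)


def build_page_tables(kernel_base, kaiser):
    """Return (kernel_table, user_table) as sets of present page numbers."""
    kernel_image = set(range(kernel_base, kernel_base + KERNEL_PAGES))
    user_image = {p for p in USER_PAGES if p % 4 == 0}  # constructed user mappings
    kernel_table = user_image | kernel_image | {TRAMPOLINE}
    if kaiser:
        # Shadow table used while in user mode: user pages plus the fixed
        # trampoline only. Nothing in it depends on kernel_base.
        user_table = user_image | {TRAMPOLINE}
    else:
        # Classic design: one table for both modes; kernel pages are merely
        # marked supervisor-only, so their presence is still observable.
        user_table = kernel_table
    return kernel_table, user_table


def user_mode_probe(user_table):
    """Presence observations obtainable from user mode for every kernel page."""
    return {p: (p in user_table) for p in KERNEL_REGION}


def surviving_candidates(kernel_base, kaiser):
    """Kernel bases that an observer who knows the design (but not the base)
    cannot rule out after probing every kernel page from user mode."""
    _, user_table = build_page_tables(kernel_base, kaiser)
    observed = user_mode_probe(user_table)
    survivors = []
    for base in candidate_bases():
        _, table = build_page_tables(base, kaiser)
        if user_mode_probe(table) == observed:
            survivors.append(base)
    return survivors


def kernel_still_runs(kernel_base, kaiser):
    """The kernel's own table must still map its image and the trampoline."""
    kernel_table, _ = build_page_tables(kernel_base, kaiser)
    image = range(kernel_base, kernel_base + KERNEL_PAGES)
    return all(p in kernel_table for p in image) and TRAMPOLINE in kernel_table


if __name__ == "__main__":
    base = random.choice(candidate_bases())
    for kaiser in (False, True):
        n = len(surviving_candidates(base, kaiser))
        total = len(candidate_bases())
        print(f"KAISER={kaiser}: {n} of {total} candidate bases still possible")
```

Run as a script it picks a random base and reports that without isolation the user-mode view narrows the randomized base to a single candidate, while with the shadow table every candidate base remains possible. `kernel_still_runs` shows that the kernel-mode table is the same in both configurations, so the defense removes information from the user-mode view rather than removing any mapping the kernel needs.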



We would like to thank our anonymous reviewers, Anders Fogh, Rodrigo Branco, Richard Weinberger, Thomas Garnier, David Gens and Mark Rutland for their valuable feedback. This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 681402). This work was partially supported by the TU Graz LEAD project “Dependable Internet of Things in Adverse Environments”.


Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Daniel Gruss (1)
  • Moritz Lipp (1)
  • Michael Schwarz (1)
  • Richard Fellner (1)
  • Clémentine Maurice (1)
  • Stefan Mangard (1)

  1. Graz University of Technology, Graz, Austria