LAZARUS: Practical Side-Channel Resilient Kernel-Space Randomization

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10453)


Kernel exploits are commonly used for privilege escalation to take full control over a system, e.g., by means of code-reuse attacks. For this reason, modern kernels are hardened with kernel Address Space Layout Randomization (KASLR), which randomizes the start address of the kernel code section at boot time. Hence, the attacker first has to bypass the randomization before conducting the attack with an adjusted payload in a second step. Recently, researchers demonstrated that attackers can exploit unprivileged instructions to collect timing information through side channels in the paging subsystem of the processor. This can be exploited to reveal the randomization secret, even in the absence of any information-disclosure vulnerabilities in the software.

In this paper we present LAZARUS, a novel technique to harden KASLR against paging-based side-channel attacks. In particular, our scheme allows for fine-grained protection of the virtual memory mappings that implement the randomization. We demonstrate the effectiveness of our approach by hardening a recent Linux kernel with LAZARUS, mitigating all of the previously presented side-channel attacks on KASLR. Our extensive evaluation shows that LAZARUS incurs only 0.943% overhead for standard benchmarks and is therefore highly practical.


Keywords: KASLR, Code-reuse attacks, Randomization, Side channels



This work was supported in part by the German Science Foundation (project S2, CRC 1119 CROSSING), the European Union’s Seventh Framework Programme (609611, PRACTICE), and the German Federal Ministry of Education and Research within CRISP.

Dean Sullivan, Orlando Arias, and Yier Jin are partially supported by the Department of Energy through the Early Career Award (DE-SC0016180). Mr. Orlando Arias is also supported by the National Science Foundation Graduate Research Fellowship Program under Grant No. 1144246.

Supplementary material

Supplementary material 1 (txt, 1 KB)



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. CYSEC/Technische Universität Darmstadt, Darmstadt, Germany
  2. University of Central Florida, Orlando, USA
