
LAZARUS: Practical Side-Channel Resilient Kernel-Space Randomization

  • Conference paper
  • Research in Attacks, Intrusions, and Defenses (RAID 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10453)

Abstract

Kernel exploits are commonly used for privilege escalation to take full control over a system, e.g., by means of code-reuse attacks. For this reason, modern kernels are hardened with kernel Address Space Layout Randomization (KASLR), which randomizes the start address of the kernel code section at boot time. Hence, the attacker first has to bypass the randomization before conducting the attack with an adjusted payload in a second step. Recently, researchers demonstrated that attackers can exploit unprivileged instructions to collect timing information through side channels in the paging subsystem of the processor. This can be exploited to reveal the randomization secret, even in the absence of any information-disclosure vulnerabilities in the software.

In this paper we present LAZARUS, a novel technique to harden KASLR against paging-based side-channel attacks. In particular, our scheme allows for fine-grained protection of the virtual memory mappings that implement the randomization. We demonstrate the effectiveness of our approach by hardening a recent Linux kernel with LAZARUS, mitigating all of the previously presented side-channel attacks on KASLR. Our extensive evaluation shows that LAZARUS incurs only 0.943% overhead for standard benchmarks and is therefore highly practical.


Notes

  1. For brevity, we display the addresses on the x-axis as offsets to the start of the code section (i.e., 0xffffffff80000000). We further corrected the addresses by their random offset, so that both data series can be shown on top of each other.

  2. This was also noted in the original exploit [10].

References

  1. Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: Control-flow integrity principles, implementations, and applications. ACM Transactions on Information and System Security 13 (2009)

  2. Cook, K.: Kernel address space layout randomization (2013). http://selinuxproject.org/~jmorris/lss2013_slides/cook_kaslr.pdf

  3. Criswell, J., Dautenhahn, N., Adve, V.: KCoFI: complete control-flow integrity for commodity operating system kernels. In: 35th IEEE Symposium on Security and Privacy (S&P) (2014)

  4. CVEDetails: CVE-2016-4557 (2016). http://www.cvedetails.com/cve/cve-2016-4557

  5. Davi, L., Gens, D., Liebchen, C., Sadeghi, A.-R.: PT-Rand: practical mitigation of data-only attacks against page tables. In: 24th Annual Network and Distributed System Security Symposium (NDSS) (2017)

  6. Evtyushkin, D., Ponomarev, D., Abu-Ghazaleh, N.: Jump over ASLR: attacking branch predictors to bypass ASLR. In: IEEE/ACM International Symposium on Microarchitecture (MICRO) (2016)

  7. Gruss, D., Lipp, M., Schwarz, M., Fellner, R., Maurice, C., Mangard, S.: KASLR is dead: long live KASLR. In: International Symposium on Engineering Secure Software and Systems (ESSoS) (2017)

  8. Gruss, D., Maurice, C., Fogh, A., Lipp, M., Mangard, S.: Prefetch side-channel attacks: bypassing SMAP and kernel ASLR. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 368–379. ACM (2016)

  9. Henning, J.L.: SPEC CPU2006 benchmark descriptions. SIGARCH Comput. Archit. News 34(4), 1–17 (2006). http://doi.acm.org/10.1145/1186736.1186737

  10. Hund, R., Willems, C., Holz, T.: Practical timing side channel attacks against kernel space ASLR. In: 34th IEEE Symposium on Security and Privacy (S&P) (2013)

  11. Apple Inc.: OS X Mountain Lion core technologies overview (2012). http://movies.apple.com/media/us/osx/2012/docs/OSX_MountainLion_Core_Technologies_Overview.pdf

  12. Intel: Intel 64 and IA-32 Architectures Software Developer's Manual (2017). http://www-ssl.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html

  13. Jang, Y., Lee, S., Kim, T.: Breaking kernel address space layout randomization with Intel TSX. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 380–392. ACM (2016)

  14. Johnson, K., Miller, M.: Exploit mitigation improvements in Windows 8 (2012). https://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf

  15. Larabel, M., Tippett, M.: Phoronix Test Suite (2011). http://www.phoronix-test-suite.com

  16. Mandt, T.: Attacking the iOS kernel: a look at "evasi0n" (2013). http://www.nislab.no/content/download/38610/481190/file/NISlecture201303.pdf

  17. MITRE: CVE-2015-1328 (2015). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1328

  18. MITRE: CVE-2016-0728 (2016). https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-0728

  19. MITRE: CVE-2016-5195 (2016). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195

  20. Molinyawe, M., Hariri, A.A., Spelman, J.: $hell on Earth: from browser to system compromise. In: Black Hat USA (2016)

  21. PaX Team: RAP: RIP ROP (2015)

  22. Staelin, C.: lmbench: an extensible micro-benchmark suite. Softw. Pract. Experience 35(11), 1079 (2005)

  23. Wojtczuk, R.: TSX improves timing attacks against KASLR (2014). https://labs.bromium.com/2014/10/27/tsx-improves-timing-attacks-against-kaslr/


Acknowledgment

This work was supported in part by the German Science Foundation (project S2, CRC 1119 CROSSING), the European Union’s Seventh Framework Programme (609611, PRACTICE), and the German Federal Ministry of Education and Research within CRISP.

Dean Sullivan, Orlando Arias, and Yier Jin are partially supported by the Department of Energy through the Early Career Award (DE-SC0016180). Mr. Orlando Arias is also supported by the National Science Foundation Graduate Research Fellowship Program under Grant No. 1144246.

Author information

Correspondence to David Gens.

Electronic supplementary material

Below is the link to the electronic supplementary material.

Supplementary material 1 (txt 1 KB)


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Gens, D., Arias, O., Sullivan, D., Liebchen, C., Jin, Y., Sadeghi, A.-R. (2017). LAZARUS: Practical Side-Channel Resilient Kernel-Space Randomization. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2017. Lecture Notes in Computer Science, vol 10453. Springer, Cham. https://doi.org/10.1007/978-3-319-66332-6_11

  • DOI: https://doi.org/10.1007/978-3-319-66332-6_11
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-66331-9
  • Online ISBN: 978-3-319-66332-6
