Explore a novel timing side-channel attack against Kernel Address Space Layout Randomization (KASLR) called DrK (De-randomizing Kernel address space). Learn how this attack leverages Intel Transactional Synchronization Extension (TSX) to accurately and silently de-randomize kernel memory layout by identifying page properties. Discover the attack's universal applicability across major operating systems, including Windows, Linux, and OS X, and its effectiveness even in virtualized environments. Understand the technical details behind DrK, including its use of TSX to create a timing channel for distinguishing mapping and execution status of privileged address space. Examine real-world examples and demonstrations of the attack's effectiveness against various operating systems. Delve into discussions on potential countermeasures and the implications of this vulnerability for kernel hardening techniques. Gain insights into the challenges of securing kernel memory and the importance of addressing hardware-based side-channel attacks in modern cybersecurity.
Breaking Kernel Address Space Layout Randomization - KASLR - With Intel TSX
Overview
Syllabus
Intro
Example: Linux
Example: town. OS X 10.10.5 Kernel Privilege Escalation Vulnerability
Kernel Address Space Layout Randomization (KASLR)
TLB Timing Side Channel
TSX Gives Better Precision on Timing Attack
Transactional Synchronization Extension
Abort Handler Suppresses Exceptions
Reducing Noise with Intel TSX
Measuring Timing Side Channel
Demo 2: Full Attack on Linux
Attack on Windows
Attack on OS X
Attack on Amazon EC2
Result Summary
Timing Side Channel (M/U)
Path for a mapped Page
Intel Cache Architecture
Path for an Executable Page
Path for a non-executable, but mapped Page
Cache Coherence and TLB
Discussions: Controlling Noise
Discussions: Countermeasures?
Conclusion
Any Question?
Taught by
Black Hat
