KASLR: Break It, Fix It, Repeat

Claudio Alberto Canella, Michael Schwarz, Martin Haubenwallner, Martin Schwarzl, Daniel Gruß

Publikation: Beitrag in Buch/Bericht/KonferenzbandBeitrag in einem KonferenzbandBegutachtung

Abstract

In this paper, we analyze the hardware-based Meltdown mitigations in recent Intel microarchitectures, revealing that illegally accessed data is only zeroed out. Hence, while non-present loads stall the CPU, illegal loads are still executed. We present EchoLoad, a novel technique to distinguish load stalls from transiently executed loads. EchoLoad allows detecting physically-backed addresses from unprivileged applications, breaking KASLR in 40's on the newest Meltdown- and MDS-resistant Cascade Lake microarchitecture. As EchoLoad only relies on memory loads, it runs in highly-restricted environments, e.g., SGX or JavaScript, making it the first JavaScript-based KASLR break. Based on EchoLoad, we demonstrate the first proof-of-concept Meltdown attack from JavaScript on systems that are still broadly not patched against Meltdown, i.e., 32-bit x86 OSs. We propose FLARE, a generic mitigation against known microarchitectural KASLR breaks with negligible overhead. By mapping unused kernel addresses to a reserved page and mirroring neighboring permission bits, we make used and unused kernel memory indistinguishable, i.e., a uniform behavior across the entire kernel address space, mitigating the root cause behind microarchitectural KASLR breaks. With incomplete hardware mitigations, we propose to deploy FLARE even on recent CPUs.

Originalspracheenglisch
TitelProceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020
Herausgeber (Verlag)ACM/IEEE
Seiten481-493
Seitenumfang13
ISBN (elektronisch)9781450367509
DOIs
PublikationsstatusVeröffentlicht - 5 Okt. 2020
Veranstaltung15th ACM ASIA Conference on Computer and Communications Security: AsiaCCS 2020 - Virtuell
Dauer: 5 Okt. 20209 Okt. 2020

Publikationsreihe

NameProceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020

Konferenz

Konferenz15th ACM ASIA Conference on Computer and Communications Security
KurztitelAsiaCCS 2020:
OrtVirtuell
Zeitraum5/10/209/10/20

ASJC Scopus subject areas

  • Software
  • Computernetzwerke und -kommunikation

Fingerprint

Untersuchen Sie die Forschungsthemen von „KASLR: Break It, Fix It, Repeat“. Zusammen bilden sie einen einzigartigen Fingerprint.

Dieses zitieren