KASLR: Break It, Fix It, Repeat

Claudio Alberto Canella; Michael Schwarz; Martin Haubenwallner; Martin Schwarzl; Daniel Gruß

doi:10.1145/3320269.3384747

KASLR: Break It, Fix It, Repeat

Claudio Alberto Canella, Michael Schwarz, Martin Haubenwallner, Martin Schwarzl, Daniel Gruß

Institute of Applied Information Processing and Communications (7050)

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

In this paper, we analyze the hardware-based Meltdown mitigations in recent Intel microarchitectures, revealing that illegally accessed data is only zeroed out. Hence, while non-present loads stall the CPU, illegal loads are still executed. We present EchoLoad, a novel technique to distinguish load stalls from transiently executed loads. EchoLoad allows detecting physically-backed addresses from unprivileged applications, breaking KASLR in 40's on the newest Meltdown- and MDS-resistant Cascade Lake microarchitecture. As EchoLoad only relies on memory loads, it runs in highly-restricted environments, e.g., SGX or JavaScript, making it the first JavaScript-based KASLR break. Based on EchoLoad, we demonstrate the first proof-of-concept Meltdown attack from JavaScript on systems that are still broadly not patched against Meltdown, i.e., 32-bit x86 OSs. We propose FLARE, a generic mitigation against known microarchitectural KASLR breaks with negligible overhead. By mapping unused kernel addresses to a reserved page and mirroring neighboring permission bits, we make used and unused kernel memory indistinguishable, i.e., a uniform behavior across the entire kernel address space, mitigating the root cause behind microarchitectural KASLR breaks. With incomplete hardware mitigations, we propose to deploy FLARE even on recent CPUs.

Original language	English
Title of host publication	Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020
Publisher	ACM/IEEE
Pages	481-493
Number of pages	13
ISBN (Electronic)	9781450367509
DOIs	https://doi.org/10.1145/3320269.3384747
Publication status	Published - 5 Oct 2020
Event	15th ACM ASIA Conference on Computer and Communications Security: AsiaCCS 2020 - Virtuell Duration: 5 Oct 2020 → 9 Oct 2020

Publication series

Name	Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020

Conference

Conference	15th ACM ASIA Conference on Computer and Communications Security
Abbreviated title	AsiaCCS 2020:
City	Virtuell
Period	5/10/20 → 9/10/20

Keywords

meltdown
side-channel attack
transient execution
kaslr
countermeasure
reverse engineering
KASLR

ASJC Scopus subject areas

Software
Computer Networks and Communications

Access to Document

10.1145/3320269.3384747

KASLRAccepted author manuscript, 694 KB

Cite this

Canella, C. A., Schwarz, M., Haubenwallner, M., Schwarzl, M., & Gruß, D. (2020). KASLR: Break It, Fix It, Repeat. In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020 (pp. 481-493). (Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020). ACM/IEEE. https://doi.org/10.1145/3320269.3384747

KASLR : Break It, Fix It, Repeat. / Canella, Claudio Alberto; Schwarz, Michael; Haubenwallner, Martin et al.

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020. ACM/IEEE, 2020. p. 481-493 (Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020).

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Canella, CA, Schwarz, M, Haubenwallner, M, Schwarzl, M & Gruß, D 2020, KASLR: Break It, Fix It, Repeat. in Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020. Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020, ACM/IEEE, pp. 481-493, 15th ACM ASIA Conference on Computer and Communications Security, Virtuell, 5/10/20. https://doi.org/10.1145/3320269.3384747

@inproceedings{eeee2135ff4f4e5ab69cd711eee59c8f,

title = "KASLR: Break It, Fix It, Repeat",

abstract = "In this paper, we analyze the hardware-based Meltdown mitigations in recent Intel microarchitectures, revealing that illegally accessed data is only zeroed out. Hence, while non-present loads stall the CPU, illegal loads are still executed. We present EchoLoad, a novel technique to distinguish load stalls from transiently executed loads. EchoLoad allows detecting physically-backed addresses from unprivileged applications, breaking KASLR in 40's on the newest Meltdown- and MDS-resistant Cascade Lake microarchitecture. As EchoLoad only relies on memory loads, it runs in highly-restricted environments, e.g., SGX or JavaScript, making it the first JavaScript-based KASLR break. Based on EchoLoad, we demonstrate the first proof-of-concept Meltdown attack from JavaScript on systems that are still broadly not patched against Meltdown, i.e., 32-bit x86 OSs. We propose FLARE, a generic mitigation against known microarchitectural KASLR breaks with negligible overhead. By mapping unused kernel addresses to a reserved page and mirroring neighboring permission bits, we make used and unused kernel memory indistinguishable, i.e., a uniform behavior across the entire kernel address space, mitigating the root cause behind microarchitectural KASLR breaks. With incomplete hardware mitigations, we propose to deploy FLARE even on recent CPUs.",

keywords = "meltdown, side-channel attack, transient execution, kaslr, countermeasure, reverse engineering, KASLR",

author = "Canella, {Claudio Alberto} and Michael Schwarz and Martin Haubenwallner and Martin Schwarzl and Daniel Gru{\ss}",

year = "2020",

month = oct,

day = "5",

doi = "10.1145/3320269.3384747",

language = "English",

series = "Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020",

publisher = "ACM/IEEE",

pages = "481--493",

booktitle = "Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020",

note = "15th ACM ASIA Conference on Computer and Communications Security : AsiaCCS 2020, AsiaCCS 2020: ; Conference date: 05-10-2020 Through 09-10-2020",

}

TY - GEN

T1 - KASLR

T2 - 15th ACM ASIA Conference on Computer and Communications Security

AU - Canella, Claudio Alberto

AU - Schwarz, Michael

AU - Haubenwallner, Martin

AU - Schwarzl, Martin

AU - Gruß, Daniel

PY - 2020/10/5

Y1 - 2020/10/5

N2 - In this paper, we analyze the hardware-based Meltdown mitigations in recent Intel microarchitectures, revealing that illegally accessed data is only zeroed out. Hence, while non-present loads stall the CPU, illegal loads are still executed. We present EchoLoad, a novel technique to distinguish load stalls from transiently executed loads. EchoLoad allows detecting physically-backed addresses from unprivileged applications, breaking KASLR in 40's on the newest Meltdown- and MDS-resistant Cascade Lake microarchitecture. As EchoLoad only relies on memory loads, it runs in highly-restricted environments, e.g., SGX or JavaScript, making it the first JavaScript-based KASLR break. Based on EchoLoad, we demonstrate the first proof-of-concept Meltdown attack from JavaScript on systems that are still broadly not patched against Meltdown, i.e., 32-bit x86 OSs. We propose FLARE, a generic mitigation against known microarchitectural KASLR breaks with negligible overhead. By mapping unused kernel addresses to a reserved page and mirroring neighboring permission bits, we make used and unused kernel memory indistinguishable, i.e., a uniform behavior across the entire kernel address space, mitigating the root cause behind microarchitectural KASLR breaks. With incomplete hardware mitigations, we propose to deploy FLARE even on recent CPUs.

AB - In this paper, we analyze the hardware-based Meltdown mitigations in recent Intel microarchitectures, revealing that illegally accessed data is only zeroed out. Hence, while non-present loads stall the CPU, illegal loads are still executed. We present EchoLoad, a novel technique to distinguish load stalls from transiently executed loads. EchoLoad allows detecting physically-backed addresses from unprivileged applications, breaking KASLR in 40's on the newest Meltdown- and MDS-resistant Cascade Lake microarchitecture. As EchoLoad only relies on memory loads, it runs in highly-restricted environments, e.g., SGX or JavaScript, making it the first JavaScript-based KASLR break. Based on EchoLoad, we demonstrate the first proof-of-concept Meltdown attack from JavaScript on systems that are still broadly not patched against Meltdown, i.e., 32-bit x86 OSs. We propose FLARE, a generic mitigation against known microarchitectural KASLR breaks with negligible overhead. By mapping unused kernel addresses to a reserved page and mirroring neighboring permission bits, we make used and unused kernel memory indistinguishable, i.e., a uniform behavior across the entire kernel address space, mitigating the root cause behind microarchitectural KASLR breaks. With incomplete hardware mitigations, we propose to deploy FLARE even on recent CPUs.

KW - meltdown

KW - side-channel attack

KW - transient execution

KW - kaslr

KW - countermeasure

KW - reverse engineering

KW - KASLR

UR - http://www.scopus.com/inward/record.url?scp=85096398568&partnerID=8YFLogxK

U2 - 10.1145/3320269.3384747

DO - 10.1145/3320269.3384747

M3 - Conference paper

T3 - Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020

SP - 481

EP - 493

BT - Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020

PB - ACM/IEEE

Y2 - 5 October 2020 through 9 October 2020

ER -

KASLR: Break It, Fix It, Repeat

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Leakage-Free - Hardware-Software Information Flow Analysis for Leakage-Free Code Generation

Espresso - Scalable hardware-secured authentication and personalization of intelligent sensor nodes

EU - SOPHIA - Securing Software against Physical Attacks