KASLR: Break It, Fix It, Repeat

Claudio Alberto Canella, Michael Schwarz, Martin Haubenwallner, Martin Schwarzl, Daniel Gruß

Publication: Contribution to book/report/conference proceedings; contribution to a conference proceedings

Abstract

In this paper, we analyze the hardware-based Meltdown mitigations in recent Intel microarchitectures, revealing that illegally accessed data is only zeroed out. Hence, while non-present loads stall the CPU, illegal loads are still executed. We present EchoLoad, a novel technique to distinguish load stalls from transiently executed loads. EchoLoad allows detecting physically-backed addresses from unprivileged applications, breaking KASLR in 40 µs on the newest Meltdown- and MDS-resistant Cascade Lake microarchitecture. As EchoLoad only relies on memory loads, it runs in highly-restricted environments, e.g., SGX or JavaScript, making it the first JavaScript-based KASLR break. Based on EchoLoad, we demonstrate the first proof-of-concept Meltdown attack from JavaScript on systems that are still broadly not patched against Meltdown, i.e., 32-bit x86 OSs. We propose FLARE, a generic mitigation against known microarchitectural KASLR breaks with negligible overhead. By mapping unused kernel addresses to a reserved page and mirroring neighboring permission bits, we make used and unused kernel memory indistinguishable, i.e., a uniform behavior across the entire kernel address space, mitigating the root cause behind microarchitectural KASLR breaks. With incomplete hardware mitigations, we propose to deploy FLARE even on recent CPUs.

Original language: English
Title: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020
Publisher: ACM/IEEE
Pages: 481-493
Number of pages: 13
ISBN (electronic): 9781450367509
Publication status: Published - 5 Oct 2020
Event: AsiaCCS 2020: The 15th ACM ASIA Conference on Computer and Communications Security - Virtual
Duration: 5 Oct 2020 to 9 Oct 2020

Publication series

Name: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020

Conference

Conference: AsiaCCS 2020: The 15th ACM ASIA Conference on Computer and Communications Security
Location: Virtual
Period: 5/10/20 to 9/10/20

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications
