KASLR: Break It, Fix It, Repeat

Claudio Alberto Canella, Michael Schwarz, Martin Haubenwallner, Martin Schwarzl, Daniel Gruß

Publication: Contribution to book/report/conference proceedings, conference paper, research, peer-reviewed

Abstract

In this paper, we analyze the hardware-based Meltdown mitigations in recent Intel microarchitectures, revealing that illegally accessed data is only zeroed out. Hence, while non-present loads stall the CPU, illegal loads are still executed. We present EchoLoad, a novel technique to distinguish load stalls from transiently executed loads. EchoLoad allows detecting physically-backed addresses from unprivileged applications, breaking KASLR in 40 μs on the newest Meltdown- and MDS-resistant Cascade Lake microarchitecture. As EchoLoad only relies on memory loads, it runs in highly-restricted environments, e.g., SGX or JavaScript, making it the first JavaScript-based KASLR break. Based on EchoLoad, we demonstrate the first proof-of-concept Meltdown attack from JavaScript on systems that are still broadly not patched against Meltdown, i.e., 32-bit x86 OSs.

We propose FLARE, a generic mitigation against known microarchitectural KASLR breaks with negligible overhead. By mapping unused kernel addresses to a reserved page and mirroring neighboring permission bits, we make used and unused kernel memory indistinguishable, i.e., a uniform behavior across the entire kernel address space, mitigating the root cause behind microarchitectural KASLR breaks. With incomplete hardware mitigations, we propose to deploy FLARE even on recent CPUs.
Original language: English
Title: ASIA CCS 2020 - Proceedings of the 15th ACM Asia Conference on Computer and Communications Security
Publisher: ACM/IEEE
Number of pages: 13
DOIs: https://doi.org/10.1145/3320269.3384747
Publication status: Accepted/In press - 5 Oct 2020
Event: AsiaCCS 2020: The 15th ACM ASIA Conference on Computer and Communications Security - Virtual
Duration: 5 Oct 2020 to 9 Oct 2020

Conference

Conference: AsiaCCS 2020: The 15th ACM ASIA Conference on Computer and Communications Security
Location: Virtual
Period: 5/10/20 to 9/10/20

Keywords


Cite this

Canella, C. A., Schwarz, M., Haubenwallner, M., Schwarzl, M., & Gruß, D. (Accepted/In press). KASLR: Break It, Fix It, Repeat. In ASIA CCS 2020 - Proceedings of the 15th ACM Asia Conference on Computer and Communications Security. ACM/IEEE. https://doi.org/10.1145/3320269.3384747