KASLR: Break It, Fix It, Repeat

Claudio Alberto Canella, Michael Schwarz, Martin Haubenwallner, Martin Schwarzl, Daniel Gruß

Research output: Chapter in Book/Report/Conference proceedingConference paper

Abstract

In this paper, we analyze the hardware-based Meltdown mitigations in recent Intel microarchitectures, revealing that illegally accessed data is only zeroed out. Hence, while non-present loads stall the CPU, illegal loads are still executed. We present EchoLoad, a novel technique to distinguish load stalls from transiently executed loads. EchoLoad allows detecting physically-backed addresses from unprivileged applications, breaking KASLR in 40's on the newest Meltdown- and MDS-resistant Cascade Lake microarchitecture. As EchoLoad only relies on memory loads, it runs in highly-restricted environments, e.g., SGX or JavaScript, making it the first JavaScript-based KASLR break. Based on EchoLoad, we demonstrate the first proof-of-concept Meltdown attack from JavaScript on systems that are still broadly not patched against Meltdown, i.e., 32-bit x86 OSs. We propose FLARE, a generic mitigation against known microarchitectural KASLR breaks with negligible overhead. By mapping unused kernel addresses to a reserved page and mirroring neighboring permission bits, we make used and unused kernel memory indistinguishable, i.e., a uniform behavior across the entire kernel address space, mitigating the root cause behind microarchitectural KASLR breaks. With incomplete hardware mitigations, we propose to deploy FLARE even on recent CPUs.

Original languageEnglish
Title of host publicationProceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020
PublisherACM/IEEE
Pages481-493
Number of pages13
ISBN (Electronic)9781450367509
DOIs
Publication statusPublished - 5 Oct 2020
EventAsiaCCS 2020: The 15th ACM ASIA Conference on Computer and Communications Security - Virtuell
Duration: 5 Oct 20209 Oct 2020

Publication series

NameProceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020

Conference

ConferenceAsiaCCS 2020: The 15th ACM ASIA Conference on Computer and Communications Security
CityVirtuell
Period5/10/209/10/20

Keywords

  • meltdown
  • side-channel attack
  • transient execution
  • kaslr
  • countermeasure
  • reverse engineering
  • KASLR

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'KASLR: Break It, Fix It, Repeat'. Together they form a unique fingerprint.

Cite this