KASLR is Dead: Long Live KASLR

Daniel Gruss, Moritz Lipp, Michael Schwarz, Richard Fellner, Clémentine Maurice, Stefan Mangard

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Research, peer-review

Abstract

Modern operating system kernels employ address space layout randomization (ASLR) to prevent control-flow hijacking attacks and code-injection attacks. While kernel security relies fundamentally on preventing access to address information, recent attacks have shown that the hardware directly leaks this information. Strictly splitting kernel space and user space has recently been proposed as a theoretical concept to close these side channels. However, this is not trivially possible due to architectural restrictions of the x86 platform. In this paper we present KAISER, a system that overcomes limitations of x86 and provides practical kernel address isolation. We implemented our proof-of-concept on top of the Linux kernel, closing all hardware side channels on kernel address information. KAISER enforces a strict kernel and user space isolation such that the hardware does not hold any information about kernel addresses while running in user mode. We show that KAISER protects against double page fault attacks, prefetch side-channel attacks, and TSX-based side-channel attacks. Finally, we demonstrate that KAISER has a runtime overhead of only 0.28%.

Original language: English
Title of host publication: Engineering Secure Software and Systems - 9th International Symposium, ESSoS 2017, Proceedings
Publisher: Springer-Verlag Italia
Pages: 161-176
Number of pages: 16
Volume: 10379 LNCS
ISBN (Print): 9783319621043
DOIs: 10.1007/978-3-319-62105-0_11
Publication status: Published - 2017
Event: 9th International Symposium on Engineering Secure Software and Systems, ESSoS 2017 - Bonn, Germany
Duration: 3 Jul 2017 to 5 Jul 2017

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 10379 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 9th International Symposium on Engineering Secure Software and Systems, ESSoS 2017
Country: Germany
City: Bonn
Period: 3/07/17 to 5/07/17

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Gruss, D., Lipp, M., Schwarz, M., Fellner, R., Maurice, C., & Mangard, S. (2017). KASLR is Dead: Long Live KASLR. In Engineering Secure Software and Systems - 9th International Symposium, ESSoS 2017, Proceedings (Vol. 10379 LNCS, pp. 161-176). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10379 LNCS). Springer-Verlag Italia. https://doi.org/10.1007/978-3-319-62105-0_11
