Abstract
Recent operating systems (OSs) have adopted a defense mechanism called kernel page table isolation (KPTI) for protecting the kernel from all attacks that break the kernel address space layout randomization (KASLR) using various side-channel analysis techniques. In this paper, we demonstrate that KASLR can still be broken, even with the latest OSs where KPTI is applied. In particular, we present a novel memory-sharing-based side-channel attack that breaks the KASLR on KPTI-enabled Linux virtual machines. The proposed attack leverages the memory deduplication feature on a hypervisor, which provides a timing channel for inferring secret information regarding the victim. By conducting experiments on KVM and VMware ESXi, we show that the proposed attack can obtain the kernel address within a short amount of time. We also present several countermeasures that can prevent such an attack.
Highlights
Operating systems protect their kernel from code-reuse attacks [1,2] such as return-oriented programming (ROP) [3,4,5,6] by using kernel address space layout randomization (KASLR).
The common principle behind these side-channel attacks is to break the KASLR using a feature in which user and kernel address spaces are mapped to the same page table
We proposed an attack that breaks the KASLR of another VM using the memory deduplication technique
Summary
The common principle behind these side-channel attacks is to break the KASLR using a feature in which user and kernel address spaces are mapped to the same page table. KPTI protects the KASLR-enabled kernel from CPU side-channel attacks by allocating separate page tables for the user and kernel address spaces. To mitigate the proposed attack, we present some possible countermeasures, such as disabling the memory deduplication on a hypervisor. The proposed attack breaks KASLR in the latest versions of the Linux kernel equipped with the state-of-the-art kernel defense mechanism. The remainder of this paper is organized as follows: In Section 2, we introduce some background knowledge of KASLR and memory deduplication attacks.
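As an added example (not code from the paper), a POSIX shell audit for the KVM-side form of the countermeasure named above, disabling memory deduplication: it reads the Kernel Samepage Merging (KSM) sysfs controls, reports how many guest pages are currently deduplicated, and, when asked, stops ksmd and unmerges already-shared pages. The KSM_ROOT variable and the DISABLE_KSM switch are assumptions of this script; the attribute names (run, pages_shared, pages_sharing) are the kernel's own.

```shell
#!/bin/sh
# Added example: audit and disable KSM, the memory deduplication feature of a
# KVM host. KSM_ROOT is an assumed, parameterised path so the checks can be
# run against a copied sysfs tree; the real tree is /sys/kernel/mm/ksm.
KSM_ROOT="${KSM_ROOT:-/sys/kernel/mm/ksm}"

read_ksm() {
    # Print one KSM sysfs attribute ($2) under tree $1, or "n/a" if unreadable.
    f="$1/$2"
    if [ -r "$f" ]; then cat "$f"; else echo "n/a"; fi
}

ksm_state() {
    # "absent", "enabled" or "disabled" for the KSM tree under $1.
    # run=1: ksmd merges pages; run=0: stopped; run=2: stopped and unmerged.
    root="$1"
    if [ ! -d "$root" ]; then echo absent; return; fi
    case "$(read_ksm "$root" run)" in
        1)   echo enabled ;;
        0|2) echo disabled ;;
        *)   echo absent ;;
    esac
}

ksm_sharing_pages() {
    # Guest pages currently backed by a deduplicated page: the population
    # of pages exposed to a cross-VM deduplication timing channel.
    read_ksm "$1" pages_sharing
}

ksm_disable() {
    # Writing 2 stops ksmd and unmerges all shared pages, so no page stays
    # shared between VMs. Needs root on a real host.
    echo 2 > "$1/run"
}

ksm_report() {
    printf 'KSM tree:       %s\n' "$KSM_ROOT"
    printf 'state:          %s\n' "$(ksm_state "$KSM_ROOT")"
    printf 'pages_shared:   %s\n' "$(read_ksm "$KSM_ROOT" pages_shared)"
    printf 'pages_sharing:  %s\n' "$(ksm_sharing_pages "$KSM_ROOT")"
}

# Run with DISABLE_KSM=1 to stop and unmerge; otherwise only report.
if [ "${DISABLE_KSM:-0}" = 1 ]; then
    ksm_disable "$KSM_ROOT" && echo "KSM stopped and pages unmerged"
fi
ksm_report
```

On hosts that run the ksmtuned service, stop and disable it as well, or it will re-enable KSM under memory pressure; the ESXi analogue is the Mem.ShareForceSalting advanced setting, whose value 2 confines transparent page sharing to a single VM.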