Title:
Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX

dc.contributor.author Jang, Yeongjin
dc.contributor.corporatename Georgia Institute of Technology. Institute for Information Security & Privacy en_US
dc.contributor.corporatename Georgia Institute of Technology. School of Computer Science en_US
dc.date.accessioned 2016-10-05T19:22:19Z
dc.date.available 2016-10-05T19:22:19Z
dc.date.issued 2016-09-23
dc.description Presented on September 23, 2016 at 12:00 p.m. in the Pettit Microelectronics Research Center, Room 102A/B. en_US
dc.description Yeongjin Jang is a Ph.D. student in the School of Computer Science at the Georgia Institute of Technology. His research is centered around operating system and mobile security. He especially focuses on finding ways in which a system can fail and then devising countermeasures to make the system more secure. In addition to academic research, he participates in various capture-the-flag (CTF) competitions, including DEF CON CTF, the DARPA Cyber Grand Challenge, and others. He is a winner of the black badge from DEF CON 23 CTF. en_US
dc.description Runtime: 57:20 minutes en_US
dc.description.abstract Kernel hardening has been an important topic, as many applications and security mechanisms often consider the kernel their Trusted Computing Base (TCB). Among various hardening techniques, kernel address space layout randomization (KASLR) is the most effective and widely adopted technique that can practically mitigate various memory corruption vulnerabilities, such as buffer overflow and use-after-free. In principle, KASLR is secure as long as no memory disclosure vulnerability exists and high randomness is ensured. In this talk, we present a novel timing side-channel attack against KASLR, called DrK (De-randomizing Kernel address space), which can accurately, silently, and rapidly de-randomize the kernel memory layout by identifying page properties: unmapped, executable, or non-executable pages. DrK is based on a new hardware feature, Intel Transactional Synchronization Extension (TSX), which allows us to execute a transaction without interrupting the underlying operating system even when the transaction is aborted due to errors such as access violations and page faults. In DrK, we turned this property into a timing channel that can accurately distinguish the mapping status (i.e., mapped versus unmapped) and execution status (i.e., executable versus non-executable) of the privileged address space. In addition to its surprising accuracy and precision, the DrK attack is not only universally applicable to all OSes, even under a virtualized environment, but also has no visible footprint, making it nearly impossible to detect in practice. We demonstrate that DrK breaks the KASLR of all major OSes, including Windows, Linux, and OS X, with near-perfect accuracy in a few seconds. Finally, we propose potential hardware modifications that can prevent or mitigate the DrK attack. en_US
dc.format.extent 57:20 minutes
dc.identifier.uri http://hdl.handle.net/1853/55907
dc.language.iso en_US en_US
dc.publisher Georgia Institute of Technology en_US
dc.relation.ispartofseries Cybersecurity Lecture Series
dc.subject CPU en_US
dc.subject Kernel ASLR en_US
dc.subject Side-channel en_US
dc.subject Cybersecurity en_US
dc.title Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX en_US
dc.type Moving Image
dc.type.genre Lecture
dspace.entity.type Publication
local.contributor.corporatename School of Cybersecurity and Privacy
local.contributor.corporatename College of Computing
local.relation.ispartofseries Institute for Information Security & Privacy Cybersecurity Lecture Series
relation.isOrgUnitOfPublication f6d1765b-8d68-42f4-97a7-fe5e2e2aefdf
relation.isOrgUnitOfPublication c8892b3c-8db6-4b7b-a33a-1b67f7db2021
relation.isSeriesOfPublication 2b4a3c7a-f972-4a82-aeaa-818747ae18a7
Files
Original bundle
jang.mp4 (457.02 MB, MP4 video file)
jang_videostream.html (962 B, Hypertext Markup Language; streaming)
License bundle
license.txt (3.13 KB, item-specific license agreed upon at submission)