
KASLR in the age of MicroVMs

Benjamin Holmes, Jason Waterman, Dan Williams
2022 Proceedings of the Seventeenth European Conference on Computer Systems  
We also show the low overhead of in-monitor KASLR, with only 4% (2 ms) increase in boot times on average compared to a kernel without KASLR.  ...  In this paper, we present in-monitor KASLR, in which the virtual machine monitor efficiently implements KASLR for the guest kernel by skipping the expensive kernel self-relocation steps.  ...  Once the bootstrap loader selects a randomized and aligned virtual address offset, it can begin to fix up the addresses present in the loaded kernel.  ... 
doi:10.1145/3492321.3519578 fatcat:3r2xdbvrprdkxb2bhmgufg4r3e

From IP ID to Device ID and KASLR Bypass (Extended Version) [article]

Amit Klein, Benny Pinkas
2019 arXiv pre-print
In modern Linux and Android versions, this field leaks a kernel address, thus we also break KASLR.  ...  We deployed a demo (for Windows) showing that key extraction and machine fingerprinting works in the wild, and tested it from networks around the world.  ...  Time/memory optimization When the number of devices to measure is much smaller than |W | it is possible to optimize the technique for repeat visits.  ... 
arXiv:1906.10478v2 fatcat:aqxxj4w54bhstbonrts23gy4qq

Speculose: Analyzing the Security Implications of Speculative Execution in CPUs [article]

Giorgi Maisuradze, Christian Rossow
2018 arXiv pre-print
...  KASLR entropy by 18 bits in less than a second.  ...  We revisit the assumption that speculatively executed code leaves no traces in case it is not committed.  ...  We show how we can leverage this concept to break KASLR implementations of modern operating systems, prototyping it against the Linux kernel 4.13 and Windows 10. • We discuss potential countermeasures  ... 
arXiv:1801.04084v1 fatcat:4nddqs35vrd7ll3npftfi6iiw4

Store-to-Leak Forwarding: Leaking Data on Meltdown-resistant CPUs (Updated and Extended Version) [article]

Michael Schwarz, Claudio Canella, Lukas Giner, Daniel Gruss
2021 arXiv pre-print
We present several ASLR-related attacks, including a KASLR break from unprivileged applications, and breaking ASLR from JavaScript.  ...  Our paper shows that Meltdown-like attacks are still possible, and software fixes are still necessary to ensure proper isolation between the kernel and user space.  ...  In Section 4.3, we describe that Data Bounce can even be mounted from JavaScript to break ASLR of the browser. Breaking KASLR In this section, we show that Data Bounce can reliably break KASLR.  ... 
arXiv:1905.05725v2 fatcat:zsvm6a34gfafdnyat3vxfmvid4

Remote Memory-Deduplication Attacks [article]

Martin Schwarzl, Erik Kraft, Moritz Lipp, Daniel Gruss
2021 arXiv pre-print
Third, we demonstrate a fully remote KASLR break in less than 4 minutes allowing to derandomize the kernel image of a virtual machine over the Internet, i.e., 14 network hops away.  ...  Our side channel leaks up to 34.41 B/h over the internet, making it faster than comparable remote memory-disclosure channels.  ...  We emphasize that vendor responses to local KASLR breaks are often that KASLR is only meant as a mitigation for remote attacks.  ... 
arXiv:2111.08553v1 fatcat:d3wtxwkb2zfpfdttr5yb7sevem

Fallout

Claudio Canella, Berk Sunar, Jo Van Bulck, Yuval Yarom, Daniel Genkin, Lukas Giner, Daniel Gruss, Moritz Lipp, Marina Minkin, Daniel Moghimi, Frank Piessens, Michael Schwarz
2019 Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security - CCS '19  
Due to hardware fixes, these mitigations are disabled on recent processors. In this paper, we show that Meltdown-like attacks are still possible on recent CPUs which are not vulnerable to Meltdown.  ...  Our paper shows that Meltdown-like attacks are still possible, and software fixes with potentially significant performance overheads are still necessary to ensure proper isolation between the kernel and  ...  Breaking KASLR with the KAISER Patch.  ... 
doi:10.1145/3319535.3363219 dblp:conf/ccs/CanellaGGGLMMP019 fatcat:7kijycv2qvaylir3tcjcyyt67e

PLATYPUS: Software-based Power Side-Channel Attacks on x86

Moritz Lipp, Andreas Kogler, David Oswald, Michael Schwarz, Catherine Easdon, Claudio Canella, Daniel Gruss
2021 IEEE Symposium on Security and Privacy (SP)
We demonstrate how an unprivileged attacker can leak AES-NI keys from Intel SGX and the Linux kernel, break kernel address-space layout randomization (KASLR), infer secret instruction streams, and establish  ...  The average time to find the KASLR offset is 20 s. Hence, while not being the fastest KASLR break, it is still practical.  ...  Moreover, in contrast to previous microarchitectural KASLR breaks [46], [37], [30], [71], [12], [13], our KASLR break using power consumption is the first microarchitectural KASLR break, which  ... 
doi:10.1109/sp40001.2021.00063 fatcat:2gcaj243obesti725i62pfwhti

Meltdown: Reading Kernel Memory from User Space

Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, Mike Hamburg
2018 USENIX Security Symposium  
The attack is independent of the operating system, and it does not rely on any software vulnerabilities.  ...  We show that the KAISER defense mechanism for KASLR has the important (but inadvertent) side effect of impeding Meltdown.  ...  This modification was intended to prevent side-channel attacks breaking KASLR [29, 21, 37].  ... 
dblp:conf/uss/Lipp0G0HFHMKGYH18 fatcat:u233tuxxcrd6hlu7vputbpbuwm

Prefetch Side-Channel Attacks

Daniel Gruss, Clémentine Maurice, Anders Fogh, Moritz Lipp, Stefan Mangard
2016 Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security - CCS'16  
It also leaks the translation-level for virtual addresses on both Intel x86 and ARMv8-A. We build three attacks exploiting these properties.  ...  It is used to organize paging structures and other data in physical memory. The mapping is located at a fixed and known location, even in the presence of KASLR.  ...  [8] exploit the branch-target buffer to break KASLR. Finally, Chen et al. [5] proposed dynamic fine-grained ASLR during runtime to defeat KASLR attacks.  ... 
doi:10.1145/2976749.2978356 dblp:conf/ccs/GrussMFLM16 fatcat:js24xk7cnjcy7mfgvxe5j67aq4

Prefetch Side-Channel Attacks: Bypassing Smap And Kernel Aslr

Daniel Gruss, Clémentine Maurice, Moritz Lipp, Stefan Mangard, Anders Fogh
2016 Zenodo  
It also leaks the translation-level for virtual addresses on both Intel x86 and ARMv8-A. We build three attacks exploiting these properties.  ...  It is used to organize paging structures and other data in physical memory. The mapping is located at a fixed and known location, even in the presence of KASLR.  ...  [8] exploit the branch-target buffer to break KASLR. Finally, Chen et al. [5] proposed dynamic fine-grained ASLR during runtime to defeat KASLR attacks.  ... 
doi:10.5281/zenodo.375513 fatcat:ulpenlmxtjfwvkmx66j4bfyoma

Meltdown [article]

Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, Mike Hamburg
2018 arXiv pre-print
The attack is independent of the operating system, and it does not rely on any software vulnerabilities.  ...  We show that the KAISER defense mechanism for KASLR has the important (but inadvertent) side effect of impeding Meltdown.  ...  Fogh [5] already suspected that it might be possible to abuse speculative execution in order to read kernel memory in user mode but his experiments were not successful.  ... 
arXiv:1801.01207v1 fatcat:tkvyrlyuwjhlpkqdfo4wqbo53y

Speculative Probing

Enes Göktas, Kaveh Razavi, Georgios Portokalidis, Herbert Bos, Cristiano Giuffrida
2020 Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security  
...  Exploit 1: Breaking Coarse-grained KASLR In our first exploit, we focus on applying BlindSide to the stock Linux kernel with default mitigations including KASLR. Locating kernel image.  ... 
doi:10.1145/3372297.3417289 dblp:conf/ccs/GoktasRPBG20 fatcat:kxva6hqskbdktamnlo7d7qyflu

UniSan

Kangjie Lu, Chengyu Song, Taesoo Kim, Wenke Lee
2016 Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security - CCS'16  
...  kASLR and StackGuard, have been increasingly deployed to defend against attacks (e.g., code reuse attack).  ...  leaves kernel space; if not, it automatically instruments the kernel to initialize this allocation.  ...  The request for each experiment was repeated 10,000 times.  ... 
doi:10.1145/2976749.2978366 dblp:conf/ccs/LuSKL16 fatcat:i3t23ci5urg47ixz3rwnda64ci

Take A Way: Exploring the Security Implications of AMD's Cache Way Predictors

Moritz Lipp, Vedad Hažić, Michael Schwarz, Arthur Perais, Clémentine Maurice, Daniel Gruss
2020 Proceedings of the 15th ACM Asia Conference on Computer and Communications Security  
While Load+Reload relies on shared memory, it does not invalidate the cache line, allowing stealthier attacks that do not induce any last-level-cache evictions.  ...  It was also supported by the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement No 681402).  ...  Breaking ASLR and KASLR To exploit a memory corruption vulnerability, an attacker often requires knowledge of the location of specific data in memory.  ... 
doi:10.1145/3320269.3384746 dblp:conf/ccs/LippH0PMG20 fatcat:aehnpjlvl5cx5fwp4jrjr3bkga

CacheOut: Leaking Data on Intel CPUs via Cache Evictions [article]

Stephan van Schaik, Marina Minkin, Andrew Kwong, Daniel Genkin, Yuval Yarom
2020 arXiv pre-print
We observe that as data is being evicted from the CPU's L1 cache, it is often transferred back to the leaky CPU buffers where it can be recovered by the attacker.  ...  Recent transient-execution attacks, such as RIDL, Fallout, and ZombieLoad, demonstrated that attackers can leak information while it transits through microarchitectural buffers.  ...  We demonstrate how by developing attacks for breaking KASLR and recovering secret kernel stack canaries. A. Derandomizing Kernel ASLR KASLR Overview.  ... 
arXiv:2006.13353v1 fatcat:glj7yr6j7jfadevpuc2lovqvmq
Showing results 1 - 15 out of 53 results