DOI: 10.1145/3623652.3623669
Research article, open access

EntryBleed: A Universal KASLR Bypass against KPTI on Linux

Published: 29 October 2023

Abstract

For years, attackers have compromised systems by developing exploits that rely on known locations of kernel code and data segments. KASLR (Kernel Address Space Layout Randomization) is a key mitigation in modern operating systems that hampers these attacks by randomizing the kernel image base address at runtime. KPTI (Kernel Page Table Isolation) is another defense mechanism, originally introduced to defend against the 2018 Meltdown attack by unmapping kernel addresses while user code executes. This mechanism makes it harder for attackers to leak kernel address mappings through micro-architectural side channels. However, a few pages used for system call and interrupt handling were exempted from isolation so that user-to-kernel context transitions remain possible.
We present the EntryBleed vulnerability (CVE-2022-4543), a universal bypass of the KASLR protection mechanism that combines micro-architectural side channels with design flaws in the KPTI mitigation on Intel CPUs. We demonstrate that the bug we identified can accurately de-randomize the kernel address space within a second on modern Intel CPUs, both on physical hosts and in hardware-accelerated virtual machines. We then provide a root cause analysis that locates the core micro-architectural behaviors enabling EntryBleed, both on physical hardware and under virtualization. Furthermore, we propose a performant mitigation based closely on a pre-existing KASLR hardening mechanism. If left unpatched, attackers will be able to bypass KASLR easily, greatly lowering the barrier for exploit development and increasing the risk of serious threats against the Linux operating system.

Cited By

  • SysBumps: Exploiting Speculative Execution in System Calls for Breaking KASLR in macOS for Apple Silicon. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, 64-78 (2 Dec 2024). https://doi.org/10.1145/3658644.3690189
  • On Kernel's Safety in the Spectre Era (And KASLR is Formally Dead). Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, 1091-1105 (2 Dec 2024). https://doi.org/10.1145/3658644.3670332
  • Whisper: Timing the Transient Execution to Leak Secrets and Break KASLR. Proceedings of the 61st ACM/IEEE Design Automation Conference, 1-6 (23 Jun 2024). https://doi.org/10.1145/3649329.3656213

Published In

HASP '23: Proceedings of the 12th International Workshop on Hardware and Architectural Support for Security and Privacy
October 2023
106 pages
ISBN:9798400716232
DOI:10.1145/3623652
This work is licensed under a Creative Commons Attribution-NonCommercial International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. ASLR
  2. KPTI
  3. Linux kernel
  4. micro-architecture
  5. side-channel

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

HASP '23

Acceptance Rates

Overall Acceptance Rate 9 of 13 submissions, 69%

Article Metrics

  • Downloads (Last 12 months)1,843
  • Downloads (Last 6 weeks)254
Reflects downloads up to 25 Feb 2025
