Practical Timing Side Channel Attacks against Kernel Space ASLR
Top Cited Papers
Open Access
- 1 May 2013
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
- p. 191-205
- https://doi.org/10.1109/sp.2013.23
Abstract
Due to the prevalence of control-flow hijacking attacks, a wide variety of defense methods to protect both user space and kernel space code have been developed in the past years. A few examples that have received widespread adoption include stack canaries, non-executable memory, and Address Space Layout Randomization (ASLR). When implemented correctly (i.e., a given system fully supports these protection methods and no information leak exists), the attack surface is significantly reduced and typical exploitation strategies are severely thwarted. All modern desktop and server operating systems support these techniques and ASLR has also been added to different mobile operating systems recently. In this paper, we study the limitations of kernel space ASLR against a local attacker with restricted privileges. We show that an adversary can implement a generic side channel attack against the memory management system to deduce information about the privileged address space layout. Our approach is based on the intrinsic property that the different caches are shared resources on computer systems. We introduce three implementations of our methodology and show that our attacks are feasible on four different x86-based CPUs (both 32- and 64-bit architectures) and also applicable to virtual machines. As a result, we can successfully circumvent kernel space ASLR on current operating systems. Furthermore, we also discuss mitigation strategies against our attacks, and propose and implement a defense solution with negligible performance overhead.
This publication has 15 references indexed in Scilit:
- Are AES x86 cache timing attacks still feasible? Published by Association for Computing Machinery (ACM), 2012
- A Cache Timing Attack on AES in Virtualization Environments. Lecture Notes in Computer Science, 2012
- Address space randomization for mobile devices. Published by Association for Computing Machinery (ACM), 2011
- Cache Games -- Bringing Access-Based Cache Attacks on AES to Practice. Published by Institute of Electrical and Electronics Engineers (IEEE), 2011
- Efficient Cache Attacks on AES, and Countermeasures. Journal of Cryptology, 2009
- Breaking the memory secrecy assumption. Published by Association for Computing Machinery (ACM), 2009
- Spot Me if You Can: Uncovering Spoken Phrases in Encrypted VoIP Conversations. 2008 IEEE Symposium on Security and Privacy (SP 2008), 2008
- Remote timing attacks are practical. Computer Networks, 2005
- Improving the reliability of commodity operating systems. ACM Transactions on Computer Systems, 2005
- An empirical study of operating systems errors. Published by Association for Computing Machinery (ACM), 2001