Arias, Orlando and Gens, David and Jin, Yier and Liebchen, Christopher and Sadeghi, Ahmad-Reza and Sullivan, Dean (2017):
LAZARUS: Practical Side-channel Resilient Kernel-Space Randomization.
In: 20th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2017), [Conference or Workshop Item]
Abstract
Kernel exploits are most commonly used for privilege escalation to take full control over a system, e.g., by conducting a code-reuse attack. For this reason modern kernels are hardened with Kernel Address Space Layout Randomization (KASLR), which randomizes the start address of the kernel code section at boot time. Hence, the attacker first has to bypass the randomization, to conduct the attack using an adjusted payload in a second step. Recently, researchers demonstrated that attackers can use unprivileged instructions to access timing side channels through the paging subsystem of the processor. This can be exploited to reveal the randomization secret, even in the absence of any information-disclosure vulnerabilities in the software. In this paper we present LAZARUS, a novel technique to harden KASLR against paging-based side-channel attacks. In particular, our scheme allows for fine-grained protection of the virtual memory mappings that implement the randomization. We demonstrate the effectiveness of our approach by hardening a recent Linux kernel with LAZARUS, mitigating all of the previously presented side-channel attacks on KASLR. Our extensive evaluation shows that LAZARUS incurs only 0.943% overhead for standard benchmarks, and is therefore highly practical.
| Item Type: | Conference or Workshop Item |
|---|---|
| Erschienen: | 2017 |
| Creators: | Arias, Orlando and Gens, David and Jin, Yier and Liebchen, Christopher and Sadeghi, Ahmad-Reza and Sullivan, Dean |
| Title: | LAZARUS: Practical Side-channel Resilient Kernel-Space Randomization |
| Language: | German |
| Abstract: | Kernel exploits are most commonly used for privilege escalation to take full control over a system, e.g., by conducting a code-reuse attack. For this reason modern kernels are hardened with Kernel Address Space Layout Randomization (KASLR), which randomizes the start address of the kernel code section at boot time. Hence, the attacker first has to bypass the randomization, to conduct the attack using an adjusted payload in a second step. Recently, researchers demonstrated that attackers can use unprivileged instructions to access timing side channels through the paging subsystem of the processor. This can be exploited to reveal the randomization secret, even in the absence of any information-disclosure vulnerabilities in the software. In this paper we present LAZARUS, a novel technique to harden KASLR against paging-based side-channel attacks. In particular, our scheme allows for fine-grained protection of the virtual memory mappings that implement the randomization. We demonstrate the effectiveness of our approach by hardening a recent Linux kernel with LAZARUS, mitigating all of the previously presented side-channel attacks on KASLR. Our extensive evaluation shows that LAZARUS incurs only 0.943% overhead for standard benchmarks, and is therefore highly practical. |
| Title of Book: | 20th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2017) |
| Uncontrolled Keywords: | Solutions; S2;ICRI-SC |
| Divisions: | 20 Department of Computer Science 20 Department of Computer Science > System Security Lab DFG-Collaborative Research Centres (incl. Transregio) DFG-Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres Profile Areas Profile Areas > Cybersecurity (CYSEC) DFG-Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres > CRC 1119: CROSSING – Cryptography-Based Security Solutions: Enabling Trust in New and Next Generation Computing Environments |
| Date Deposited: | 29 May 2017 15:58 |
| Identification Number: | TUD-CS-2017-0115 |
| Export: | |
| Suche nach Titel in: | TUfind oder in Google |
Optionen (nur für Redakteure)
 |
View Item |
Drucken
Impressum