LAZARUS: Practical Side-channel Resilient Kernel-Space Randomization

Arias, Orlando ; Gens, David ; Jin, Yier ; Liebchen, Christopher ; Sadeghi, Ahmad-Reza ; Sullivan, Dean (2017)
LAZARUS: Practical Side-channel Resilient Kernel-Space Randomization.
Conference publication, Bibliography

Abstract

Kernel exploits are most commonly used for privilege escalation to take full control over a system, e.g., by conducting a code-reuse attack. For this reason modern kernels are hardened with Kernel Address Space Layout Randomization (KASLR), which randomizes the start address of the kernel code section at boot time. Hence, the attacker first has to bypass the randomization, to conduct the attack using an adjusted payload in a second step. Recently, researchers demonstrated that attackers can use unprivileged instructions to access timing side channels through the paging subsystem of the processor. This can be exploited to reveal the randomization secret, even in the absence of any information-disclosure vulnerabilities in the software. In this paper we present LAZARUS, a novel technique to harden KASLR against paging-based side-channel attacks. In particular, our scheme allows for fine-grained protection of the virtual memory mappings that implement the randomization. We demonstrate the effectiveness of our approach by hardening a recent Linux kernel with LAZARUS, mitigating all of the previously presented side-channel attacks on KASLR. Our extensive evaluation shows that LAZARUS incurs only 0.943% overhead for standard benchmarks, and is therefore highly practical.

Item type: Conference publication
Published: 2017
Author(s): Arias, Orlando ; Gens, David ; Jin, Yier ; Liebchen, Christopher ; Sadeghi, Ahmad-Reza ; Sullivan, Dean
Type of entry: Bibliography
Title: LAZARUS: Practical Side-channel Resilient Kernel-Space Randomization
Language: German
Publication year: September 2017
Book title: 20th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2017)
Uncontrolled keywords: Solutions; S2; ICRI-SC
ID number: TUD-CS-2017-0115
Department(s)/field(s): 20 Department of Computer Science
20 Department of Computer Science > System Security
DFG Collaborative Research Centres (incl. Transregio)
DFG Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres
Profile areas
Profile areas > Cybersecurity (CYSEC)
DFG Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres > SFB 1119: CROSSING – Cryptography-based security solutions as a foundation for trust in current and future IT systems
Date deposited: 29 May 2017 15:58
Last modified: 02 May 2019 11:05