LAZARUS: Practical Side-Channel Resilient Kernel-Space Randomization

Gens, David; Arias, Orlando; Sullivan, Dean; Liebchen, Christopher; Jin, Yier; Sadeghi, Ahmad‐Reza

doi:10.1007/978-3-319-66332-6_11

Cited by 15 publications

(13 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…FLARE tackles the root causes of all the microarchitectural KASLR breaks discussed in Section 3.5. It builds on ideas from KAISER [31] and LAZARUS [26] to fix remaining weaknesses efficiently and securely.…”

Section: Flare: Mitigating Kaslr Breaksmentioning

confidence: 99%

See 1 more Smart Citation

KASLR: Break It, Fix It, Repeat

Canella

Schwarz

Haubenwallner

et al. 2020

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

In this paper, we analyze the hardware-based Meltdown mitigations in recent Intel microarchitectures, revealing that illegally accessed data is only zeroed out. Hence, while non-present loads stall the CPU, illegal loads are still executed. We present EchoLoad, a novel technique to distinguish load stalls from transiently executed loads. EchoLoad allows detecting physically-backed addresses from unprivileged applications, breaking KASLR in 40 µs on the newest Meltdown-and MDS-resistant Cascade Lake microarchitecture. As EchoLoad only relies on memory loads, it runs in highly-restricted environments, e.g., SGX or JavaScript, making it the first JavaScriptbased KASLR break. Based on EchoLoad, we demonstrate the first proof-of-concept Meltdown attack from JavaScript on systems that are still broadly not patched against Meltdown, i.e., 32-bit x86 OSs. We propose FLARE, a generic mitigation against known microarchitectural KASLR breaks with negligible overhead. By mapping unused kernel addresses to a reserved page and mirroring neighboring permission bits, we make used and unused kernel memory indistinguishable, i.e., a uniform behavior across the entire kernel address space, mitigating the root cause behind microarchitectural KASLR breaks. With incomplete hardware mitigations, we propose to deploy FLARE even on recent CPUs. CCS CONCEPTS • Security and privacy → Operating systems security.

show abstract

Section: Flare: Mitigating Kaslr Breaksmentioning

confidence: 99%

“…Lazarus [26] proposed a similar approach to KAISER [31]. It is based on fencing the kernel paging entries off from those of the user space by separating user and kernel page tables.…”

Section: Mitigate Microarchitectural Kaslr Breaksmentioning

confidence: 99%

KASLR: Break It, Fix It, Repeat

Canella

Schwarz

Haubenwallner

et al. 2020

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…To this end, (probabilistic) Swivel hides branch offsets by randomizing code pages. Previously, similar fine-grain approaches to address randomization have been proposed to mitigate attacks based on return-oriented programming [15,22]. Specifically, when loading a module, Swivel copies the code pages of the Wasm module to random destinations, randomizing all but the four least significant bits (LSBs) to keep 16-byte alignment.…”

Section: Probabilistic or Deterministic?mentioning

confidence: 99%

Swivel: Hardening WebAssembly against Spectre

Narayan,

Disselkoen,

Moghimi

et al. 2021

Preprint

View full text Add to dashboard Cite

We describe Swivel, a new compiler framework for hardening WebAssembly (Wasm) against Spectre attacks. Outside the browser, Wasm has become a popular lightweight, in-process sandbox and is, for example, used in production to isolate different clients on edge clouds and function-as-a-service platforms. Unfortunately, Spectre attacks can bypass Wasm's isolation guarantees. Swivel hardens Wasm against this class of attacks by ensuring that potentially malicious code can neither use Spectre attacks to break out of the Wasm sandbox nor coerce victim code-another Wasm client or the embedding process-to leak secret data.We describe two Swivel designs, a software-only approach that can be used on existing CPUs, and a hardware-assisted approach that uses extension available in Intel ® 11th generation CPUs. For both, we evaluate a randomized approach that mitigates Spectre and a deterministic approach that eliminates Spectre altogether. Our randomized implementations impose under 10.3% overhead on the Wasm-compatible subset of SPEC 2006, while our deterministic implementations impose overheads between 3.3% and 240.2%. Though high on some benchmarks, Swivel's overhead is still between 9× and 36.3× smaller than existing defenses that rely on pipeline fences.

show abstract

“…KASLR has been subject to almost countless microarchitectural attacks in the past [15,16,24,33,42,49,62,80]. As a response, researchers, CPU vendors, and OS maintainers have developed several countermeasures [2,16,29,32]. In particular, the newest 10th-generation Intel CPUs (Ice Lake and Comet Lake) are immune to many microarchitectural KASLR breaks, including the recently discovered EchoLoad attack [16].…”

Section: Movnt-based Kaslr Breakmentioning

confidence: 99%

Osiris: Automated Discovery of Microarchitectural Side Channels

Weber,

Ibrahim,

Nemati

et al. 2021

Preprint

View full text Add to dashboard Cite

In the last years, a series of side channels have been discovered on CPUs. These side channels have been used in powerful attacks, e.g., on cryptographic implementations, or as building blocks in transient-execution attacks such as Spectre or Meltdown. However, in many cases, discovering side channels is still a tedious manual process.In this paper, we present Osiris, a fuzzing-based framework to automatically discover microarchitectural side channels. Based on a machine-readable specification of a CPU's ISA, Osiris generates instruction-sequence triples and automatically tests whether they form a timing-based side channel. Furthermore, Osiris evaluates their usability as a side channel in transient-execution attacks, i.e., as the microarchitectural encoding for attacks like Spectre. In total, we discover four novel timing-based side channels on Intel and AMD CPUs. Based on these side channels, we demonstrate exploitation in three case studies. We show that our microarchitectural KASLR break using non-temporal loads, FlushConflict, even works on the new Intel Ice Lake and Comet Lake microarchitectures. We present a cross-core cross-VM covert channel that is not relying on the memory subsystem and transmits up to 1 kbit/s. We demonstrate this channel on the AWS cloud, showing that it is stealthy and noise resistant. Finally, we demonstrate Stream+Reload, a covert channel for transientexecution attacks that, on average, allows leaking 7.83 bytes within a transient window, improving state-of-the-art attacks that only leak up to 3 bytes.

show abstract

LAZARUS: Practical Side-Channel Resilient Kernel-Space Randomization

Cited by 15 publications

References 10 publications

KASLR: Break It, Fix It, Repeat

KASLR: Break It, Fix It, Repeat

Swivel: Hardening WebAssembly against Spectre

Osiris: Automated Discovery of Microarchitectural Side Channels

Contact Info

Product

Resources

About