EntryBleed: A Universal KASLR Bypass against KPTI on Linux

Author(s)
Liu, WilliamRavichandran, JosephYan, Mengjia
Thumbnail
Download3623652.3623669.pdf (3.499Mb)
Publisher with Creative Commons License
Terms of use
Creative Commons Attribution Noncommercial https://creativecommons.org/licenses/by-nc/4.0/
Metadata
Show full item record
Abstract
For years, attackers have compromised systems by developing exploits that rely on known locations of kernel code and data segments. KASLR (Kernel Address Space Layout Randomization) is a key mitigation in modern operating systems which hampers these attacks through runtime randomization of the kernel image base address. KPTI (Kernel Page Table Isolation) is another defense mechanism, originally introduced to defend against the 2018 Meltdown attack by unmapping kernel addresses during user code execution. This security mechanism makes it harder for attackers to leak kernel address mappings through micro-architectural side channels. However, a few pages for system call and interrupt handling were exempted from isolation for the sake of user to kernel context transitions. We present the EntryBleed vulnerability (CVE-2022-4543) as a universal bypass against the KASLR protection mechanism through a combination of micro-architectural side channels and design flaws in the KPTI mitigation on Intel CPUs. We demonstrate that the bug we identified can accurately de-randomize the kernel address space within a second on modern Intel CPUs in both physical host and hardware-accelerated virtual machine environments. We then provide a root cause analysis to locate the core micro-architectural behaviors that enable EntryBleed, both on physical and under virtualized environments. Furthermore, we propose a performant mitigation based closely upon a pre-existing KASLR hardening mechanism. If left unpatched, attackers will be able to easily bypass KASLR, greatly lowering the barrier for exploit development and increasing the risk of serious threats against the Linux operating system.
Date issued
2023-10-29
URI
https://hdl.handle.net/1721.1/152917
Department
Massachusetts Institute of Technology. Computer Science and Artificial Intelligence Laboratory
Publisher
ACM|Hardware and Architectural Support for Security and Privacy 2023
Citation
Liu, William, Ravichandran, Joseph and Yan, Mengjia. 2023. "EntryBleed: A Universal KASLR Bypass against KPTI on Linux."
Version: Final published version
ISBN
979-8-4007-1623-2
Collections

The following license files are associated with this item: