Method of Timing Attack for Linux Against KASLR

doi:10.19678/j.issn.1000-3428.0058582

Abstract

Abstract: For Linux systems with Kernel Address Space Layout Randomization(KASLR) protection, this paper proposes a Cache instant attack method based on CPU prefetch instruction. When the prefetch instructions of Intel CPU prefetch data that is not mapped to physical address, a Cache failure will occur, resulting in the consumption of CPU clock cycles longer than the data mapped to physical address. According to this feature, the CPU clock cycle consumption is obtained by using the rdtscp instruction, and the protection of KASLR technology is bypassed by using timing attacks, so as to accurately obtain the Offset of kernel address mapping. Experimental results show that this attack method can bypass the KASLR protection of Linux operating system to obtain the accurate mapping location of kernel address, and avoid causing a large number of Cache failures.

Key words: Kernel Address Space Layout Randomization (KASLR), prefetch instruction, timing attack, kernel, Cache miss

摘要： 针对开启内核地址空间布局随机化（KASLR）防护的Linux系统，提出一种基于CPU预取指令的Cache计时攻击方法。Intel CPU的预取指令在预取未映射到物理地址的数据时会发生Cache失效，导致消耗的CPU时钟周期比已映射到物理地址的数据要长。根据这一特点，通过rdtscp指令获取CPU时钟周期消耗，利用计时攻击绕过KASLR技术防护，从而准确获取内核地址映射的Offset。实验结果表明，该攻击方法能够绕过Linux操作系统的KASLR防护，获得准确的内核地址映射位置，并且避免引起大量Cache失效。

关键词: 内核地址空间布局随机化, 预取指令, 计时攻击, 内核, Cache失效

CLC Number:

TP309.7

CONG Mou, ZHANG Ping, WANG NING. Method of Timing Attack for Linux Against KASLR[J]. Computer Engineering, 2021, 47(8): 177-182.

丛眸, 张平, 王宁. 针对KASLR的Linux计时攻击方法[J]. 计算机工程, 2021, 47(8): 177-182.

/ / Recommend / Download Citations

URL: http://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0058582

http://www.ecice06.com/EN/Y2021/V47/I8/177

Figures/Tables 6

References

[1] GUILLAUME D, DOGET J, PROUFF E.A new second-order side channel attack based on linear regression[J]. IEEE Transactions on Computers, 2013, 62(8): 1629-1640.
[2] BERNSTEIN D J.Cache-timing attacks on AES[C]//Proceedings of IEEE Computer Society Annual Symposium on VLSI:New Frontiers in VLSI Design.Washington D.C., USA:IEEE Press, 2005:218-221.
[3] ANDREOU A, BOGDANOV A, TISCHHAUSER E.Cache timing attacks on recent microarchitec-tures[C]//Proceedings of IEEE International Symposium on Hardware Oriented Security and Trust.Washington D.C., USA:IEEE Press, 2017:155-155.
[4] LIPP M, SCHWARZ M, GRUSS D, et al. Meltdown[EB/OL]. (2018-04-10)[2020-05-10]. https://meltdownattack.com/meltdown.pdf.
[5] KOCHER P, HORN J, FOGH A, et al. Spectre attacks:exploiting speculative execution[J]. Communications of the ACM, 2020, 63(7): 93-101.
[6] DMITRY E, PONOMAREV D, ABUGHAZALEH N B.Jump over ASLR:attacking branch predictors to bypass ASLR[C]//Proceedings of the 49th Annual IEEE/ACM International Symposium on Microarchitecture.Washington D.C., USA:IEEE Press, 2016:1-13.
[7] RALF H, WILLEMS C, HOLZ T.Practical timing side channel attacks against kernel space ASLR[C]//Proceedings of IEEE Symposium on Security and Privacy.Washington D.C., USA:IEEE Press, 2013:1-5.
[8] CANELLA C, SUNAR B, van BULCK J, et al. Fallout:leaking data on meltdown-resistant CPUs[C]//Proceedings of ACM SIGSAC Conference.New York, USA:ACM Press, 2019:769-784.
[9] GAUR J, CHAUDHURI M, SUBRAMONEY S.Bypass and insertion algorithms for exclusive last-level caches[J]. ACM SIGARCH Computer Architecture News, 2011, 39(3): 81-92.
[10] GREEN M, RODRIGUESLIMA L, ZANKL A, et al. AutoLock:why cache attacks on arm are harder than you think[C]//Proceedings of the 26th USENIX Security Symposium.Vancouver, Canada:USENIX Association, 2017:1075-1091.
[11] REINBRECHT C, SUSIN A, BOSSUET L, et al. Side channel attack on NoC-based MPSoCs are practical:NoC Prime+Probe attack[C]//Proceedings of Symposium on Integrated Circuits and Systems Design:Chip on the Mountains.Natal, Brazil:SBCCI, 2016:1-6.
[12] YAROM Y, FALKNER K.FLUSH+RELOAD:a high resolution, low noise, L3 cache side-channel attack[C]//Proceedings of USENIX Security Symposium.[S.l.]:USENIX Association, 2014:1-5.
[13] LU B G, INCI M S, IRAZOQUI G, et al. A faster and more realistic flush+reload attack on AES[C]//Proceedings of International Workshop on Constructive Side-Channel Analysis and Secure Design.Berlin, Germany:Springer, 2015:1-5.
[14] 周平, 王韬, 张帆, 等. SM2签名算法flush-reload cache计时攻击[J]. 华中科技大学学报(自然科学版), 2018, 46(3): 24-29. ZHOU P, WANG T, ZHANG F, et al. Flush-reload cache timing attack on SM2 digital signature algorithm[J]. Journal of Huazhong University of Science and Technology(Natural Science Edition), 2018, 46(3): 24-29.(in Chinese)
[15] BRASSER F, MÜLLER U, DMITRIENKO A, et al. Software grand exposure:SGX cache attacks are practical[J]. USENIX Workshop on Offensive Technologies, 2017, 9(2): 54-70.
[16] GRUSS D, SPREITZER R, MANGARD S.Cache template attacks:automating attacks on inclusive last-level caches[C]//Proceedings of USENIX Conference on Security Symposium.[S.l.]:USENIX, 2015:897-912.
[17] GRUSS D, MAURICE C, WAGNER K.Flush+Flush:a stealthier last-level cache attack[J]. Computer Science, 2015, 6(3).279-299.
[18] 赵新杰, 王韬, 郭世泽, 等. AES访问驱动Cache计时攻击[J]. 软件学报, 2011, 22(3): 572-591. ZHAO X J, WANG T, GUO S T, et al. Access driven cache timing attack against AES[J]. Journal of Software, 2011, 22(3): 572-591.(in Chinese)
[19] 孙玉强, 王文闻, 巢碧霞, 等. 基于预取的Cache替换策略[J]. 微电子学与计算机, 2017, 34(1): 85-89, 94 SUN Y Q, WANG W W, CHAO B X, et al. Cache replacement policy based on prefetch[J]. Microelectronics & Computer, 2017, 34(1): 85-89, 94.(in Chinese)
[20] 苗新亮, 蒋烈辉, 常瑞.访问驱动下的Cache侧信道攻击研究综述[J]. 计算机研究与发展, 2020, 57(4): 824-835. MIAO X L, JIANG L H, CHANG D.Survey of access-driven cache-based side channel attack[J]. Journal of Computer Research and Development, 2020, 57(4): 824-835.(in Chinese)

Please choose a citation manager

Content to export