Abstract
Kernel Address Space Layout Randomization (KASLR) has been repeatedly targeted by side-channel attacks that exploit a typical unified user/kernel address space organization to disclose randomized kernel addresses. The community has responded with kernel address space isolation techniques that separate user and kernel address spaces (and associated resources) to eradicate all existing side-channel attacks. In this paper, we show that kernel address space isolation is insufficient to harden KASLR against practical side-channel attacks on modern tagged TLB architectures. While tagged TLBs have been praised for optimizing the performance of kernel address space isolation, we show that they also silently break its original security guarantees and open up opportunities for new derandomization attacks. As a concrete demonstration, we present TagBleed, a new side-channel attack that abuses tagged TLBs and residual translation information to break KASLR even in the face of state-of-the-art mitigations. TagBleed is practical and shows that implementing secure address space isolation requires deep partitioning of microarchitectural resources and a more generous performance budget than previously assumed.
Original language | English |
---|---|
Title of host publication | 2020 IEEE European Symposium on Security and Privacy (EuroS&P) |
Subtitle of host publication | [Proceedings] |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Pages | 309-321 |
Number of pages | 13 |
ISBN (Electronic) | 9781728150871 |
ISBN (Print) | 9781728150888 |
DOIs | |
Publication status | Published - 2020 |
Event | 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020 - Virtual, Genoa, Italy |
Duration | 7 Sept 2020 → 11 Sept 2020 |
Conference
Conference | 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020 |
---|---|
Country/Territory | Italy |
City | Virtual, Genoa |
Period | 7/09/20 → 11/09/20 |
Funding
We would like to thank our anonymous reviewers for their feedback. We would also like to thank Ben Gras for his help with the project. This work was supported by the European Union’s Horizon 2020 research and innovation programme under grant agreements No. 786669 (ReAct) and No. 825377 (UNICORE), by Intel Corporation through the Side Channel Vulnerability ISRA, and by the Netherlands Organisation for Scientific Research through grants NWO 639.021.753, VENI “PantaRhei”, and NWO 016.Veni.192.262. This paper reflects only the authors’ view. The funding agencies are not responsible for any use that may be made of the information it contains.
Keywords
- n/a