A TSX-based KASLR break : bypassing UMIP and descriptor-table exiting
Karvandi, Mohammad Sina; Khalaj Monfared, Saleh; Kiarostami, Mohammad Sina; Rahmati, Dara; Gorgin, Saeid (2022-04-09)
Karvandi, M.S., Khalaj Monfared, S., Kiarostami, M.S., Rahmati, D., Gorgin, S. (2022). A TSX-Based KASLR Break: Bypassing UMIP and Descriptor-Table Exiting. In: Luo, B., Mosbah, M., Cuppens, F., Ben Othmane, L., Cuppens, N., Kallel, S. (eds) Risks and Security of Internet and Systems. CRiSIS 2021. Lecture Notes in Computer Science, vol 13204. Springer, Cham. https://doi.org/10.1007/978-3-031-02067-4_3
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG. This version of the article has been accepted for publication, after peer review (when applicable) and is subject to Springer Nature’s AM terms of use, but is not the Version of Record and does not reflect post-acceptance improvements, or any corrections. The Version of Record is available online at: http://dx.doi.org/10.1007/978-3-031-02067-4_3
https://rightsstatements.org/vocab/InC/1.0/
https://urn.fi/URN:NBN:fi-fe2022101161598
Tiivistelmä
Abstract
In this paper, we introduce a reliable method based on Transactional Synchronization Extensions (TSX) side-channel leakage to break the KASLR and reveal the address of the Global Descriptor Table (GDT) and Interrupt Descriptor Table (IDT). We indicate that by detecting these addresses, one could execute instructions to sidestep Intel’s User-Mode Instruction Prevention (UMIP) and the Hypervisor-based mitigation and, consequently, neutralized them. The introduced method is successfully performed after the most recent patches for Meltdown and Spectre. Moreover, we demonstrate that a combination of this method with a call-gate mechanism (available in modern processors) in a chain of events will eventually lead to a system compromise despite the restrictions of a super-secure sandbox in the presence of Windows’s proprietary Virtualization Based Security (VBS). Finally, we suggest software-based mitigation to avoid these issues with an acceptable overhead cost.
Kokoelmat
- Avoin saatavuus [32049]