In this paper, we introduce a reliable method based on Transactional Synchronization Extensions (TSX) side-channel leakage that breaks KASLR and reveals the addresses of the Global Descriptor Table (GDT) and the Interrupt Descriptor Table (IDT). We show that, once these addresses are known, an attacker can execute instructions that sidestep Intel's User-Mode Instruction Prevention (UMIP) and the hypervisor-based mitigation (descriptor-table exiting), effectively neutralizing both. The method still works after the most recent patches for Meltdown and Spectre. Moreover, we demonstrate that combining this method with the call-gate mechanism (still available in modern processors) in a chain of events eventually leads to a system compromise despite the restrictions of a hardened sandbox in the presence of Windows' proprietary Virtualization Based Security (VBS). Finally, we propose a software-based mitigation that avoids these issues at an acceptable overhead cost.
CITATION STYLE
Karvandi, M. S., Khalaj Monfared, S., Kiarostami, M. S., Rahmati, D., & Gorgin, S. (2022). A TSX-Based KASLR Break: Bypassing UMIP and Descriptor-Table Exiting. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 13204 LNCS, pp. 38–54). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-02067-4_3