A TSX-based KASLR break : bypassing UMIP and descriptor-table exiting

Karvandi, Mohammad Sina; Khalaj Monfared, Saleh; Kiarostami, Mohammad Sina; Rahmati, Dara; Gorgin, Saeid

A TSX-based KASLR break : bypassing UMIP and descriptor-table exiting

Karvandi, Mohammad Sina; Khalaj Monfared, Saleh; Kiarostami, Mohammad Sina; Rahmati, Dara; Gorgin, Saeid (2022-04-09)

Avaa tiedosto

nbnfi-fe2022101161598.pdf (742.9Kt)

nbnfi-fe2022101161598_meta.xml (36.33Kt)

nbnfi-fe2022101161598_solr.xml (31.54Kt)

Lataukset:

URL:

https://doi.org/10.1007/978-3-031-02067-4_3

Karvandi, Mohammad Sina

Khalaj Monfared, Saleh

Kiarostami, Mohammad Sina

Rahmati, Dara

Gorgin, Saeid

Springer Nature

09.04.2022

Karvandi, M.S., Khalaj Monfared, S., Kiarostami, M.S., Rahmati, D., Gorgin, S. (2022). A TSX-Based KASLR Break: Bypassing UMIP and Descriptor-Table Exiting. In: Luo, B., Mosbah, M., Cuppens, F., Ben Othmane, L., Cuppens, N., Kallel, S. (eds) Risks and Security of Internet and Systems. CRiSIS 2021. Lecture Notes in Computer Science, vol 13204. Springer, Cham. https://doi.org/10.1007/978-3-031-02067-4_3

https://rightsstatements.org/vocab/InC/1.0/
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG. This version of the article has been accepted for publication, after peer review (when applicable) and is subject to Springer Nature’s AM terms of use, but is not the Version of Record and does not reflect post-acceptance improvements, or any corrections. The Version of Record is available online at: http://dx.doi.org/10.1007/978-3-031-02067-4_3
https://rightsstatements.org/vocab/InC/1.0/

doi:https://doi.org/10.1007/978-3-031-02067-4_3

Näytä kaikki kuvailutiedot

Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi-fe2022101161598

Tiivistelmä

Abstract

In this paper, we introduce a reliable method based on Transactional Synchronization Extensions (TSX) side-channel leakage to break the KASLR and reveal the address of the Global Descriptor Table (GDT) and Interrupt Descriptor Table (IDT). We indicate that by detecting these addresses, one could execute instructions to sidestep Intel’s User-Mode Instruction Prevention (UMIP) and the Hypervisor-based mitigation and, consequently, neutralized them. The introduced method is successfully performed after the most recent patches for Meltdown and Spectre. Moreover, we demonstrate that a combination of this method with a call-gate mechanism (available in modern processors) in a chain of events will eventually lead to a system compromise despite the restrictions of a super-secure sandbox in the presence of Windows’s proprietary Virtualization Based Security (VBS). Finally, we suggest software-based mitigation to avoid these issues with an acceptable overhead cost.

Kokoelmat

Avoin saatavuus [37647]