LAZARUS: Practical Side-channel Resilient Kernel-Space Randomization

AuthorArias, Orlando; Gens, David; Jin, Yier; Liebchen, Christopher; Sadeghi, Ahmad-Reza; Sullivan, Dean
TypeConference Proceedings
AbstractKernel exploits are most commonly used for privilege escalation to take full control over a system, e.g., by conducting a code-reuse attack. For this reason modern kernels are hardened with Kernel Address Space Layout Randomization (KASLR), which randomizes the start address of the kernel code section at boot time. Hence, the attacker first has to bypass the randomization, to conduct the attack using an adjusted payload in a second step. Recently, researchers demonstrated that attackers can use unprivileged instructions to access timing side channels through the paging subsystem of the processor. This can be exploited to reveal the randomization secret, even in the absence of any information-disclosure vulnerabilities in the software. In this paper we present LAZARUS, a novel technique to harden KASLR against paging-based side-channel attacks. In particular, our scheme allows for fine-grained protection of the virtual memory mappings that implement the randomization. We demonstrate the effectiveness of our approach by hardening a recent Linux kernel with LAZARUS, mitigating all of the previously presented side-channel attacks on KASLR. Our extensive evaluation shows that LAZARUS incurs only 0.943% overhead for standard benchmarks, and is therefore highly practical.
In20th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2017)