/DrK

The DrK Attack - Proof of concept

Primary LanguagePythonMIT LicenseMIT

The DrK (De-randomizing Kernel ASLR) attack

DrK is an attack that breaks kernel address space layout randomization (KASLR) by exploiting TLB and decoded i-cache side channel. To reliably exploit the side channels, the DrK attack took advantage of Intel TSX (Transactional Synchronization eXtension). One surprising behavior of TSX, which is essentially the root cause of this security loophole, is that it aborts a transaction without notifying the underlying kernel even when the transaction fails due to a critical error, such as a page fault or an access violation, which traditionally requires kernel intervention. DrK turns this property into a precise timing channel that can determine the mapping status (i.e., mapped versus unmapped) and execution status (i.e., executable versus non-executable) of the privileged kernel address space. Since such behavior is on the hardware level, DrK is universally applicable to all OSes, even in virtualized environments, and generates no visible footprint, making it difficult to detect in practice. Therefore, DrK can break the KASLR of all major OSes (i.e., Windows, Linux, and OS X) with near-perfect accuracy in under a second.

More details

Demo

Timing (click the image to watch the video)

[Timing Demo] (https://www.youtube.com/watch?v=NdndV_cMJ8k)

Full attack on Linux (click the image to watch the video)

[Full attack on Linux] (https://www.youtube.com/watch?v=WXGCylmAZkA)

Build

Run make on the directory of this repository.

Example: Timing demo

Run cd timing; ./timing_demo.py



Example: Breaking KASLR in Linux

Run cd linux; ./run-drk-attack.py


Contributors