< NULLCON 2025 - BERLIN />

About the Speaker

Lukas Maar
Institute of Information Security (ISEC, formerly IAIK), Graz University of Technology

< Talk Title />

Derandomizing Kernel Object Locations with Software- and Hardware-Induced Side Channels

< Talk Category />

Technical Speakers

< Talk Abstract />

In this talk, we present two timing side-channel attacks that derandomize the locations of security-critical kernel objects in the latest Linux kernel, one software-induced and one hardware-induced. Both attacks reveal memory layout information, a crucial prerequisite for most modern kernel exploits.
The first attack exploits timing differences when accessing kernel hash tables, leveraging their specific indexing behavior. This is the first side-channel attack on the Linux kernel that enables location disclosure on the kernel heap.
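
The mechanism behind the hash-table attack, as an added illustration that is neither the talk's code nor the kernel's: a user-space model of a chained hash table whose bucket index is a multiplicative hash of the stored key, the way kernel hash tables are commonly indexed by hashing an object's address. An attacker who cannot read the table but can time a lookup in every bucket sees which chain grew when the victim object was inserted, learns the victim's bucket, and can discard every candidate address that does not hash to it. Lookup time is modelled as the number of chain nodes visited rather than measured; the 64-bucket table, the addresses, the noise objects and the slab layout are constructed assumptions, and the real attack is more involved than this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define HT_BITS 6                       /* assumed table size: 64 buckets */
#define HT_SIZE (1u << HT_BITS)

/* Chained bucket entry; the key stands in for a hashed kernel address. */
struct node {
    uint64_t key;
    struct node *next;
};

static struct node *buckets[HT_SIZE];

/* Multiplicative hash in the style of the kernel's hash_64(): the bucket is
 * the top HT_BITS bits of key * GOLDEN_RATIO_64, i.e. a function of the
 * object's address. This dependency is what the side channel recovers. */
static unsigned int bucket_of(uint64_t key)
{
    return (unsigned int)((key * 0x61C8864680B583EBULL) >> (64 - HT_BITS));
}

static void ht_insert(uint64_t key)
{
    struct node *n = malloc(sizeof *n);
    unsigned int b = bucket_of(key);
    if (!n)
        abort();
    n->key = key;
    n->next = buckets[b];
    buckets[b] = n;
}

/* Lookup that reports how many chain nodes it visited. In the kernel this is
 * not a return value but syscall latency: a longer chain means a slower call. */
static unsigned int ht_lookup_cost(uint64_t key)
{
    unsigned int visited = 0;
    for (struct node *n = buckets[bucket_of(key)]; n; n = n->next) {
        visited++;
        if (n->key == key)
            break;
    }
    return visited;
}

static void ht_reset(void)
{
    for (unsigned int b = 0; b < HT_SIZE; b++) {
        while (buckets[b]) {
            struct node *n = buckets[b];
            buckets[b] = n->next;
            free(n);
        }
    }
}

/* Attacker-chosen probe key that hashes into bucket b but is never stored, so
 * looking it up walks the whole chain. Small integers never collide with the
 * kernel-range addresses used as stored keys below. */
static uint64_t probe_key_for(unsigned int b)
{
    uint64_t k = 1;
    while (bucket_of(k) != b)
        k++;
    return k;
}

/* The side channel: profile every bucket, let the victim object be inserted,
 * profile again; the one bucket that got slower is bucket_of(victim). Noise
 * entries model unrelated objects already present in the table. */
static int recover_victim_bucket(uint64_t victim, unsigned int n_noise)
{
    unsigned int before[HT_SIZE];
    int found = -1;

    ht_reset();
    for (unsigned int i = 0; i < n_noise; i++)   /* constructed noise addresses */
        ht_insert(0xffff888000000000ULL + (uint64_t)(i + 1) * 0x2D3000ULL);
    for (unsigned int b = 0; b < HT_SIZE; b++)
        before[b] = ht_lookup_cost(probe_key_for(b));

    ht_insert(victim);                           /* the secret allocation */

    for (unsigned int b = 0; b < HT_SIZE; b++)
        if (ht_lookup_cost(probe_key_for(b)) > before[b])
            found = (int)b;
    return found;
}

/* Knowing the bucket, only candidate addresses that hash to it remain
 * plausible: roughly 1/HT_SIZE of a slab's slots survive the filter. */
static size_t filter_candidates(uint64_t base, uint64_t stride, size_t n,
                                unsigned int bucket, uint64_t victim,
                                int *victim_survives)
{
    size_t kept = 0;
    *victim_survives = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t a = base + i * stride;
        if (bucket_of(a) != bucket)
            continue;
        kept++;
        if (a == victim)
            *victim_survives = 1;
    }
    return kept;
}

int main(void)
{
    uint64_t slab = 0xffff888010000000ULL;      /* assumed slab base */
    uint64_t victim = slab + 1234 * 256;         /* assumed secret object */
    int b = recover_victim_bucket(victim, 200);
    int ok;
    size_t left = filter_candidates(slab, 256, 4096, (unsigned int)b, victim, &ok);
    printf("victim bucket %d (true %u); %zu of 4096 candidates remain; victim kept: %d\n",
           b, bucket_of(victim), left, ok);
    return 0;
}
```

The model recovers HT_BITS bits of the hash of the victim's address in one profiling round; in a real kernel the measurement is noisy wall-clock time, so each bucket is timed repeatedly and the leak is combined with knowledge of the allocator's slab layout, which is why the abstract stresses the hash table's indexing design as the root cause rather than any particular bug.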
The second attack targets the Translation Lookaside Buffer (TLB), a CPU cache that stores virtual-to-physical address mappings. By combining TLB leakage with precise kernel memory manipulation, we are able to leak the locations of critical kernel objects, including kernel heap allocations, page tables, and the kernel stack.
We provide an in-depth root cause analysis of both side channels. For the software-induced attack, we show how the design of kernel hash tables inherently enables the leakage. For the hardware-induced attack, we demonstrate how certain kernel defense mechanisms and allocator behaviors unintentionally facilitate the attack.
Finally, we present an end-to-end attack in which an unprivileged user can leak the locations of most security-critical kernel objects on an up-to-date Ubuntu Linux kernel.

< Speaker Bio />

I am a PhD candidate at the ISEC - Institute of Information Security (formerly IAIK) at the Graz University of Technology under the supervision of Stefan Mangard. I focus on system security, especially kernel and side-channel security.