A Way Around UMIP and Descriptor-Table Exiting via TSX-based Side-Channel Attack

by   Mohammad Sina Karvandi, et al.

Nowadays, in operating systems, numerous protection mechanisms prevent or limit the user-mode applications to access the kernel's internal information. This is regularly carried out by software-based defenses such as Address Space Layout Randomization (ASLR) and Kernel ASLR (KASLR). They play pronounced roles when the security of sandboxed applications such as Web-browser are considered. Armed with arbitrary write access in the kernel memory, if these protections are bypassed, an attacker could find a suitable Where to Write in order to get an elevation of privilege or maliciously execute codes in ring 0. In this paper, we introduce a reliable method based on Transactional Synchronization Extensions (TSX) side-channel attacks to reveal the address of the Global Descriptor Table (GDT) and Interrupt Descriptor Table (IDT). We indicate that by detecting these addresses, an attack could be executed to sidestep the Intel's User-Mode Instruction Prevention (UMIP) and the Hypervisor-based mitigation and, consequently, neutralized them. The introduced attack is successfully performed after the most recent patches for Meltdown and Spectre. Moreover, the implementation of the proposed attack on different platforms, including the latest releases of Microsoft Windows, Linux, and, Mac OSX with the latest 9^th generation of Intel processors, shows that the attack is independent of the Operating System implementation. We demonstrate that a combination of this method with call-gate mechanism (available in modern processors) in a chain of attacks will eventually lead to a full system compromise despite the limitations of a super-secure sandboxed environment in the presence of Windows's proprietary Virtualization Based Security (VBS). Finally, we suggest the software-based mitigation to avoid these attacks with an acceptable cost.


page 1

page 3


AVX Timing Side-Channel Attacks against Address Space Layout Randomization

Modern x86 processors support an AVX instruction set to boost performanc...

Fallout: Reading Kernel Writes From User Space

Recently, out-of-order execution, an important performance optimization ...

MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel

Windows OS kernel memory is one of the main targets of cyber-attacks. By...

Windows Kernel Hijacking Is Not an Option: MemoryRanger Comes to the Rescue Again

The security of a computer system depends on OS kernel protection. It is...


The security of computer systems fundamentally relies on memory isolatio...

The Heisenberg Defense: Proactively Defending SGX Enclaves against Page-Table-Based Side-Channel Attacks

Protected-module architectures (PMAs) have been proposed to provide stro...

Remote Memory-Deduplication Attacks

Memory utilization can be reduced by merging identical memory blocks int...

Please sign up or login with your details

Forgot password? Click here to reset