Kernel Address Space Layout Derandomization [ KASLD ]
A collection of various techniques to infer the Linux kernel base virtual address as an unprivileged local user, for the purpose of bypassing Kernel Address Space Layout Randomization (KASLR).
Supports:
- x86 (i386+, amd64)
- ARM (armv6, armv7, armv8)
- MIPS (mipsbe, mipsel, mips64el)
- PowerPC (ppc, ppc64)
- RISC-V (riscv32, riscv64)
Usage
sudo apt install libc-dev make gcc git
git clone https://github.com/bcoles/kasld
cd kasld
./kasld
KASLD is written in C and structured for easy re-use. Each file in the ./src
directory uses a different technique to retrieve or infer kernel addresses
and can be compiled individually.
./kasld
is a lazy shell script wrapper which simply builds and executes each
of these files, offering a quick and easy method to check for address leaks
on a target system. This script requires make
.
Refer to output.md for example output from various distros.
A compiler which supports the _DEFAULT_SOURCE
macro is required due to
use of non-portable code (MAP_ANONYMOUS
, getline()
, popen()
, ...).
Configuration
Common default kernel config options are defined in src/kasld.h. The default values should work on most systems, but may need to be tweaked for the target system - especially old kernels, embedded devices (ie, armv7), or systems with a non-default memory layout.
Leaked addresses may need to be bit masked off appropriately for the target kernel, depending on kernel alignment. Once bitmasked, the address may need to be adjusted based on text offset, although on x86_64 and arm64 (since 2020-04-15) the text offset is zero.
The configuration options should be fairly self-explanatory. Refer to the comment headers in src/kasld.h:
https://github.com/bcoles/kasld/blob/31a89cec8f8b0e0198836ddb67d1aebd2edfa3f9/src/kasld.h#L5-L21
Function Offsets
A single kernel pointer leak can be used to infer the location of the kernel virtual address space and offset of the kernel base address.
Prior to the introduction of Function Granular KASLR (aka "finer grained KASLR") in early 5.x kernels in 2020, the entire kernel code text was mapped with only the base address randomized.
Offsets to useful kernel functions (commit_creds
, prepare_kernel_cred
,
native_write_cr4
, etc) from the base address could be pre-calculated on other
systems with the same kernel - an easy task for publicly available kernels
(ie, distro kernels).
Offsets may also be retrieved from various file system locations (/proc/kallsyms
,
vmlinux
, System.map
, etc) depending on file system permissions.
jonoberheide/ksymhunter automates
this process.
FG KASLR "rearranges your kernel code at load time on a per-function level granularity"
and can be enabled with the CONFIG_FG_KASLR flag.
Following the introduction of FG KASLR, the location of kernel and module functions
are independently randomized and no longer located at a constant offset from the
kernel .text
base.
On systems which support FG KASLR (x86_64 and arm64 as of 2023), this makes calculating offsets to useful functions more difficult and renders kernel pointer leaks significantly less useful.
However, some regions of the kernel are not randomized (such as symbols before
__startup_secondary_64
on x86_64) and offsets remain consistent across reboots.
Additionally, FG KASLR randomizes only kernel functions, leaving other useful
kernel data (such as modprobe_path)
unchanged at a static offset.
Addendum
KASLD serves as a non-exhaustive collection and reference for address leaks useful in KASLR bypass; however, it is far from complete. There are many additional noteworthy techniques not included for various reasons.
System Logs
Kernel and system logs (dmesg
/ syslog
) offer a wealth of information, including
kernel pointers.
Historically, raw kernel pointers were frequently printed to the system log
without using the %pK
printk format.
Several KASLD components search the kernel ring buffer for kernel addresses.
Refer to dmesg_*
files in the src directory.
Bugs which trigger a kernel oops can be used to leak kernel pointers by reading
the system log (on systems with kernel.panic_on_oops = 0
).
There are countless examples. A few simple examples are available in the extra directory:
Most modern distros ship with kernel.dmesg_restrict
enabled by default to
prevent unprivileged users from accessing the kernel debug log. Similarly,
grsecurity hardened kernels support kernel.grsecurity.dmesg
to prevent
unprivileged access.
System log files (ie, /var/log/syslog
) are readable only by privileged users
on modern distros. On Debian/Ubuntu systems, users in the adm
group also have
read permissions on various system log files in /var/log/
. Typically the first
user created on an Ubuntu system is a member of the adm
group.
Several KASLD components read from /var/log/syslog
.
Refer to syslog_*
files in the src directory.
Similarly, the /var/log/dmesg
log file may be readable by low privileged users,
regardless of whether dmesg_restrict
is enabled. Additionally,
an initscript bug
present from 2017-2019 caused this file to be generated with 644
world-readable
permissions and may still be world-readable on some systems.
The kasld
wrapper script includes a check for readable log files, including
/var/log/dmesg
, but does not use this technique.
DebugFS
Various areas of DebugFS
(/sys/kernel/debug/*
) may disclose kernel pointers.
DebugFS is no longer readable by unprivileged users by default
since kernel version v3.7-rc1~174^2~57
on 2012-08-27.
This change pre-dates Linux KASLR by 2 years. However, DebugFS may still be readable in some non-default configurations.
Hardware Bugs
The extra/check-hardware-vulnerabilities script performs rudimentary checks for several known hardware vulnerabilities, but does not implement these techniques.
There are a plethora of viable hardware-related attacks which can be used to break KASLR, in particular timing side-channels and transient execution attacks.
Practical Timing Side Channel Attacks Against Kernel Space ASLR (Ralf Hund, Carsten Willems, Thorsten Holz, 2013)
Micro architecture attacks on KASLR (Anders Fogh, 2016)
PLATYPUS: Software-based Power Side-Channel Attacks on x86 (Moritz Lipp, Andreas Kogler, David Oswald†, Michael Schwarz, Catherine Easdon, Claudio Canella, and Daniel Gruss, 2020)
LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection (Jo Van Bulck, Daniel Moghimi, Michael Schwarz, Moritz Lipp, Marina Minkin, Daniel Genkin, Yuval Yarom, Berk Sunar, Daniel Gruss, and Frank Piessens, 2020)
Hardening the Kernel Against Unprivileged Attacks (Claudio Canella, 2022)
Microarchitectural Data Sampling (MDS) side-channel attacks:
- Fallout: Leaking Data on Meltdown-resistant CPUs (Claudio Canella, Daniel Genkin, Lukas Giner, Daniel Gruss, Moritz Lipp, Marina Minkin, Daniel Moghimi, Frank Piessens, Michael Schwarz, Berk Sunar, Jo Van Bulck, Yuval Yarom, 2019)
- https://github.com/wbowling/cpu.fail/blob/master/zombieload_kaslr.c (wbowling, 2019)
- RIDL: Rogue In-Flight Data Load (Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Giorgi Maisuradze, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida, 2019)
- vusec/ridl - Intel CPUs (VUSec, 2019)
- ZombieLoad:
EchoLoad:
- KASLR: Break It, Fix It, Repeat (Claudio Canella, Michael Schwarz, Martin Haubenwallner, 2020)
- Store-to-Leak Forwarding: There and Back Again (Claudio Canella, Lukas Giner, Michael Schwarz, 2020)
Data Bounce:
- Store-to-Leak Forwarding: Leaking Data on Meltdown-resistant CPUs (Michael Schwarz, Claudio Canella, Lukas Giner, Daniel Gruss, 2019)
Prefetch side-channel attacks:
- Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR (Daniel Gruss, Clémentine Maurice, Anders Fogh, 2016)
- xairy/kernel-exploits/prefetch-side-channel (xairy, 2020)
- Using Undocumented CPU Behaviour to See into Kernel Mode and Break KASLR in the Process (Anders Fogh, Daniel Gruss, 2016)
- Blackhat USA 2015 Video: https://www.youtube.com/watch?v=Pwq0vv4X7m4 (Anders Fogh, Daniel Gruss, 2015)
- Fetching the KASLR slide with prefetch (Seth Jenkins, 2022)
- prefetch_poc.zip - Intel x86_64 CPUs with kPTI disabled (
pti=off
)
- prefetch_poc.zip - Intel x86_64 CPUs with kPTI disabled (
- EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543) (willsroot, 2022)
- Intel x86_64 CPUs; AMD x86_64 CPUs with kPTI disabled (
pti=off
)
- Intel x86_64 CPUs; AMD x86_64 CPUs with kPTI disabled (
Straight-line Speculation (SLS):
- The AMD Branch (Mis)predictor Part 2: Where No CPU has Gone Before (CVE-2021-26341) (Pawel Wieczorkiewicz, 2022)
- Straight-line Speculation Whitepaper (ARM, 2020)
Transactional Synchronization eXtensions (TSX) side-channel timing attacks:
- TSX improves timing attacks against KASLR (Rafal Wojtczuk, 2014)
- DrK: Breaking Kernel Address Space Layout Randomization with Intel TSX (Yeongjin Jang, Sangho Lee, Taesoo Kim, 2016)
- vnik5287/kaslr_tsx_bypass (Vitaly Nikolenko, 2017)
Branch Target Buffer (BTB) based side-channel attacks:
- Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR (Dmitry Evtyushkin, Dmitry Ponomarev, Nael Abu-Ghazaleh, 2016)
- felixwilhelm/mario_baslr - Intel CPUs (Felix Wilhelm, 2016)
Transient Execution / Speculative Execution:
- The transient.fail website offers a good overview of speculative execution / transient execution attacks.
- A Systematic Evaluation of Transient Execution Attacks and Defenses (Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin3, Daniel Gruss, 2019)
- Meltdown
- Meltdown: Reading Kernel Memory from User Space (Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, Mike Hamburg, 2018)
- USENIX Security 2018 Video: https://www.usenix.org/conference/usenixsecurity18/presentation/lipp
- paboldin/meltdown-exploit
- IAIK/meltdown
- https://github.com/IAIK/transientfail/tree/master/pocs/meltdown
- Spectre Attacks: Exploiting Speculative Execution (Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom, 2018)
- Reading privileged memory with a side-channel (Jann Horn, 2018)
- speed47/spectre-meltdown-checker
- VDSO As A Potential KASLR Oracle (Philip Pettersson, Alex Radocea, 2021)
- RETBLEED: Arbitrary Speculative Code Execution with Return Instructions (Johannes Wikner, Kaveh Razavi, 2022)
- comsec-group/retbleed - Intel/AMD x86_64 CPUs
TagBleed: Tagged Translation Lookaside Buffer (TLB) side-channel attacks:
- TagBleed: Breaking KASLR on the Isolated Kernel Address Space using Tagged TLBs (Jakob Koschel, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi, 2020)
- renorobert/tagbleedvmm (Reno Robert, 2020)
RAMBleed side-channel attack (CVE-2019-0174):
- RAMBleed: Reading Bits in Memory Without Accessing Them (Andrew Kwong, Daniel Genkin, Daniel Gruss, Yuval Yarom, 2019)
- google/rowhammer-test (Google, 2015)
Kernel Info Leaks
Patched bugs caught by KernelMemorySanitizer (KMSAN):
- https://github.com/torvalds/linux/search?p=1&type=Commits&q=BUG: KMSAN: kernel-infoleak
git clone https://github.com/torvalds/linux && cd linux && git log | grep "BUG: KMSAN: kernel-infoleak"
Netfilter info leak (CVE-2022-1972):
Remote kernel pointer leak via IP packet headers (CVE-2019-10639):
show_floppy kernel function pointer leak (CVE-2018-7273) (requires floppy
driver).
kernel_waitid
leak (CVE-2017-14954) (affects kernels 4.13-rc1 to 4.13.4):
- wait_for_kaslr_to_be_effective.c (spender, 2017)
- https://github.com/salls/kernel-exploits/blob/master/CVE-2017-5123/exploit_no_smap.c (salls, 2017)
snd_timer_user_read
uninitialized kernel heap memory disclosure (CVE-2017-1000380):
- Linux kernel 2.6.0 to 4.12-rc4 infoleak due to a data race in ALSA timer (Alexander Potapenko, 2017)
- snd_timer_c.bin (Alexander Potapenko, 2017)
Exploiting uninitialized stack variables:
- Leak kernel pointer by exploiting uninitialized uses in Linux kernel
- Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers
- jinb-park/leak-kptr
- compat_get_timex kernel stack pointer leak (CVE-2018-11508).
- sctp_af_inet kernel pointer leak (CVE-2017-7558) (requires
libsctp-dev
). - rtnl_fill_link_ifmap kernel stack pointer leak (CVE-2016-4486).
- snd_timer_user_params kernel stack pointer leak (CVE-2016-4569).
Kernel Bugs
Leaking kernel addresses using msg_msg
struct for arbitrary read (for KMALLOC_CGROUP
objects):
- Four Bytes of Power: Exploiting CVE-2021-26708 in the Linux kernel | Alexander Popov
- CVE-2021-22555: Turning \x00\x00 into 10000$ | security-research
- Exploiting CVE-2021-43267 - Haxxin
- Will's Root: pbctf 2021 Nightclub Writeup: More Fun with Linux Kernel Heap Notes!
- Will's Root: corCTF 2021 Fire of Salvation Writeup: Utilizing msg_msg Objects for Arbitrary Read and Arbitrary Write in the Linux Kernel
- [corCTF 2021] Wall Of Perdition: Utilizing msg_msg Objects For Arbitrary Read And Arbitrary Write In The Linux Kernel
- [CVE-2021-42008] Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver
Leaking kernel addresses using privileged arbitrary read (or write) in kernel space:
- kptr_restrict – Finding kernel symbols for shell code (ryiron, 2013)
- CVE-2017-18344: Exploiting an arbitrary-read vulnerability in the Linux kernel timer subsystem (xairy, 2017):
KASLR Slide Randomness
Another look at two Linux KASLR patches (Kryptos Logic, 2020)
References
Linux KASLR
- grsecurity - KASLR: An Exercise in Cargo Cult Security (grsecurity, 2013)
- Kernel Address Space Layout Randomization (LWN.net)
- Function Granular KASLR (LWN.net)
- Linux Kernel Driver DataBase
- An Info-Leak Resistant Kernel Randomization for Virtualized Systems | IEEE Journals & Magazine | IEEE Xplore
Linux Memory Management
- 0xAX/linux-insides
- Understanding the Linux Virtual Memory Manager (Mel Gorman, 2004)
- Linux Kernel Programming (2021, Kaiwan N Billimoria)
License
KASLD is MIT licensed but borrows heavily from modified third-party code snippets and proof of concept code.
Various code snippets were taken from third-parties and may have different license restrictions. Refer to the reference URLs in the comment headers available in each file for credits and more information.