A collection of various techniques to infer the Linux kernel base virtual address as an unprivileged local user, for the purpose of bypassing Kernel Address Space Layout Randomization (KASLR).

Supports:

• x86 (i386+, amd64)
• ARM (armv6, armv7, armv8)
• MIPS (mipsel, mips64el)

sudo apt install libc-dev make gcc git
git clone https://github.com/bcoles/kasld
cd kasld
./kasld

KASLD is written in C and structured for easy re-use. Each file in the ./src directory uses a different technique to retrieve or infer kernel addresses and can be compiled individually.

./kasld is a lazy shell script wrapper which simply builds and executes each of these files, offering a quick and easy method to check for address leaks on a target system. This script requires make.

Refer to output.md for example output from various distros.

A compiler which supports the _GNU_SOURCE macro is required.

Common default kernel config options are defined in src/kasld.h. The default values should work on most systems, but may need to be tweaked for the target system - especially old kernels, embedded devices (ie, armv7), or systems with a non-default memory layout.

Leaked addresses may need to be bit masked off appropriately for the target kernel, depending on kernel alignment. Once bitmasked, the address may need to be adjusted based on text offset, although on x86_64 and arm64 (since 2020-04-15) the text offset is zero.

The configuration options should be fairly self-explanatory. Refer to the comment headers in src/kasld.h:

https://github.com/bcoles/kasld/blob/31a89cec8f8b0e0198836ddb67d1aebd2edfa3f9/src/kasld.h#L5-L21

A single kernel pointer leak can be used to infer the location of the kernel virtual address space and offset of the kernel base address.

Prior to the introduction of Function Granular KASLR (aka "finer grained KASLR") in early 5.x kernels in 2020, the entire kernel code text was mapped with only the base address randomized.

Offsets to useful kernel functions (commit_creds, prepare_kernel_cred, native_write_cr4, etc) from the base address could be pre-calculated on other systems with the same kernel - an easy task for publicly available kernels (ie, distro kernels).

Offsets may also be retrieved from various file system locations (/proc/kallsyms, vmlinux, System.map, etc) depending on file system permissions. jonoberheide/ksymhunter automates this process.

FG KASLR "rearranges your kernel code at load time on a per-function level granularity" and can be enabled with the CONFIG_FG_KASLR flag. Following the introduction of FG KASLR, the location of kernel and module functions are independently randomized and no longer located at a constant offset from the kernel .text base.

This makes calculating offset to useful functions more difficult and renders kernel pointer leaks significantly less useful.

KASLD serves as a non-exhaustive collection and reference for address leaks useful in KASLR bypass; however, it is far from complete. There are many additional noteworthy techniques not included for various reasons.

Kernel and system logs (dmesg / syslog) offer a wealth of information, including kernel pointers.

Historically, raw kernel pointers were frequently printed to the kernel debug log without using %pK.

Bugs which trigger a kernel oops can be used to leak kernel pointers by reading the kernel debug log. There are countless examples. A few simple examples are available in the extra directory.

Modern distros ship with kernel.dmesg_restrict enabled by default to prevent unprivileged users from accessing the kernel debug log. grsecurity hardened kernels also support kernel.grsecurity.dmesg to prevent unprivileged access.

Various areas of DebugFS (/sys/kernel/debug/*) may disclose kernel pointers.

DebugFS is not readable by unprivileged users by default (since 2012-08-27). This change pre-dates Linux KASLR by 2 years. However, DebugFS may still be readable in some non-default configurations.

The extra/check-hardware-vulnerabilities script performs rudimentary checks for several known hardware vulnerabilities, but does not implement these techniques. There are a plethora of viable hardware-related attacks, listed below.

Practical Timing Side Channel Attacks Against Kernel Space ASLR (Ralf Hund, Carsten Willems, Thorsten Holz, 2013)

Micro architecture attacks on KASLR (Anders Fogh, 2016)

Microarchitectural Data Sampling (MDS) side-channel attacks:

• Fallout: Leaking Data on Meltdown-resistant CPUs (Claudio Canella, Daniel Genkin, Lukas Giner, Daniel Gruss, Moritz Lipp, Marina Minkin, Daniel Moghimi, Frank Piessens, Michael Schwarz, Berk Sunar, Jo Van Bulck, Yuval Yarom, 2019)
• vusec/ridl

EchoLoad: KASLR: Break It, Fix It, Repeat (Claudio Canella, Michael Schwarz, Martin Haubenwallner, 2020)

Prefetch side-channel attacks:

• Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR (Daniel Gruss, Clémentine Maurice, Anders Fogh, 2016)
• xairy/kernel-exploits/prefetch-side-channel (xairy, 2020)
• Fetching the KASLR slide with prefetch (Google Project Zero, 2022)
  • prefetch_poc.zip - Intel x86_64 CPUs with kPTI disabled (pti=off)
• EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543) (willsroot, 2022)
  • Intel x86_64 CPUs; AMD x86_64 CPUs with kPTI disabled (pti=off)

Transactional Synchronization eXtensions (TSX) side-channel timing attacks:

• TSX improves timing attacks against KASLR (Rafal Wojtczuk, 2014)
• vnik5287/kaslr_tsx_bypass

Branch Target Buffer (BTB) based side-channel attacks:

• Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR
  • felixwilhelm/mario_baslr - Intel CPUs

Branch Target Injection (BTI) attacks:

• paboldin/meltdown-exploit
• speed47/spectre-meltdown-checker
• RETBLEED: Arbitrary Speculative Code Execution with Return Instructions
  • comsec-group/retbleed - Intel/AMD x86_64 CPUs

Translation Lookaside Buffer (TLB) side-channel attacks:

• TagBleed: Breaking KASLR on the Isolated Kernel Address Space using Tagged TLBs (Jakob Koschel, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi, 2020)
  • renorobert/tagbleedvmm

RAMBleed side-channel attack (CVE-2019-0174):

• RAMBleed
  • google/rowhammer-test

Patched bugs caught by KernelMemorySanitizer (KMSAN):

• https://github.com/torvalds/linux/search?p=1&type=Commits&q=BUG: KMSAN: kernel-infoleak
• git clone https://github.com/torvalds/linux && cd linux && git log | grep "BUG: KMSAN: kernel-infoleak"

Remote kernel pointer leak via IP packet headers (CVE-2019-10639):

• From IP ID to Device ID and KASLR Bypass.

show_floppy kernel function pointer leak (CVE-2018-7273) (requires floppy driver).

kernel_waitid leak (CVE-2017-14954) (affects kernels 4.13-rc1 to 4.13.4):

• wait_for_kaslr_to_be_effective.c.
• https://github.com/salls/kernel-exploits/blob/master/CVE-2017-5123/exploit_no_smap.c

Exploiting uninitialized stack variables:

• Leak kernel pointer by exploiting uninitialized uses in Linux kernel
• Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers
• jinb-park/leak-kptr
• compat_get_timex kernel stack pointer leak (CVE-2018-11508).
• sctp_af_inet kernel pointer leak (CVE-2017-7558) (requires libsctp-dev).
• rtnl_fill_link_ifmap kernel stack pointer leak (CVE-2016-4486).
• snd_timer_user_params kernel stack pointer leak (CVE-2016-4569).

Leaking kernel addresses using msg_msg struct for arbitrary read (for KMALLOC_CGROUP objects):

• Four Bytes of Power: Exploiting CVE-2021-26708 in the Linux kernel | Alexander Popov
• CVE-2021-22555: Turning \x00\x00 into 10000$ | security-research
• Exploiting CVE-2021-43267 - Haxxin
• Will's Root: pbctf 2021 Nightclub Writeup: More Fun with Linux Kernel Heap Notes!
• Will's Root: corCTF 2021 Fire of Salvation Writeup: Utilizing msg_msg Objects for Arbitrary Read and Arbitrary Write in the Linux Kernel
• [corCTF 2021] Wall Of Perdition: Utilizing msg_msg Objects For Arbitrary Read And Arbitrary Write In The Linux Kernel
• [CVE-2021-42008] Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver

Leaking kernel addresses using privileged arbitrary read (or write) in kernel space:

• https://ryiron.wordpress.com/2013/09/05/kptr_restrict-finding-kernel-symbols-for-shell-code/
• CVE-2017-18344: Exploiting an arbitrary-read vulnerability in the Linux kernel timer subsystem:
  • https://www.openwall.com/lists/oss-security/2018/08/09/6
  • https://xairy.io/articles/cve-2017-18344
  • xairy/kernel-exploits/CVE-2017-18344

• grsecurity - KASLR: An Exercise in Cargo Cult Security (grsecurity, 2013)
• Kernel Address Space Layout Randomization (LWN.net)
  • Kernel address space layout randomization [LWN.net]
  • Randomize kernel base address on boot [LWN.net]
  • arm64: implement support for KASLR [LWN.net]
• Function Granular KASLR (LWN.net)
  • https://lwn.net/Articles/811685/
  • https://lwn.net/Articles/824307/
  • https://lwn.net/Articles/826539/
  • https://lwn.net/Articles/877487/
• Linux Kernel Driver DataBase
  • CONFIG_RANDOMIZE_BASE: Randomize the address of the kernel image (KASLR)
  • CONFIG_RANDOMIZE_BASE_MAX_OFFSET: Maximum kASLR offset
  • CONFIG_RANDOMIZE_MEMORY: Randomize the kernel memory sections
  • CONFIG_RELOCATABLE: Build a relocatable kernel
• An Info-Leak Resistant Kernel Randomization for Virtualized Systems | IEEE Journals & Magazine | IEEE Xplore

• 0xAX/linux-insides
  • https://github.com/0xAX/linux-insides/tree/master/Initialization
  • https://github.com/0xAX/linux-insides/blob/master/Theory/linux-theory-1.md
  • https://github.com/0xAX/linux-insides/tree/master/MM
• Understanding the Linux Virtual Memory Manager (Mel Gorman, 2004)
• Linux Kernel Programming (2021, Kaiwan N Billimoria)

KASLD is MIT licensed but borrows heavily from modified third-party code snippets and proof of concept code.

Various code snippets were taken from third-parties and may have different license restrictions. Refer to the reference URLs in the comment headers available in each file for credits and more information.