Paper 2022/1129

Breaking KASLR on Mobile Devices without Any Use of Cache Memory

Milad Seddigh, Shahid Beheshti University
Mahdi Esfahani, Sharif University of Technology
Sarani Bhattacharya, IMEC, Belgium
Mohammad Reza Aref, Sharif University of Technology
Hadi Soleimany, Shahid Beheshti University
Abstract

Microarchitectural attacks utilize the performance optimization constructs that have been studied over decades in computer architecture research and show the vulnerability of such optimizations in a realistic framework. One such highly performance-driven and vulnerable construct is speculative execution. In this paper, we focus on the problem of breaking kernel address-space layout randomization (KASLR) on modern mobile devices without using cache memory as a medium of observation. However, there are some challenges to breaking KASLR on ARM CPUs. The first challenge is that eviction strategies on ARM CPUs are slow, so microarchitectural attacks that exploit the cache as a covert channel cannot be implemented on modern ARM CPUs. The second challenge is that non-canonical addresses are stored in the store buffer even though they are invalid. As a result, previous microarchitectural attacks erroneously identify such addresses as valid kernel addresses. In this paper, we focus on these challenges to close current gaps in the implementation of recent attacks against modern CPUs. We show how a Translation Look-aside Buffer (TLB) can be used in place of the cache memory as a covert channel in order to attack ASLR on both ARM and Intel CPUs. To the best of our knowledge, we are the first to break KASLR on ARM-based Android and iOS mobile devices. Furthermore, our attacks can be performed in JavaScript to break KASLR of the browser without the need for an Evict+Reload operation, which is time-consuming. The results of our attacks show that the attacker can distinguish whether or not a virtual address is valid in less than 0.0417 seconds and 0.0488 seconds on Android and iOS mobile devices, respectively.

Metadata
Available format(s)
-- withdrawn --
Publication info
Published elsewhere. ASHES 2022
Keywords
Speculative execution, Non-canonical addresses, KASLR
Contact author(s)
milladseddigh7 @ gmail com
m esfahani @ sharif edu
Sarani Bhattacharya @ imec be
hadi soleimany @ gmail com
History
2022-11-13: withdrawn
2022-08-30: received
Short URL
https://ia.cr/2022/1129
License
Creative Commons Attribution
CC BY