{"id":15003673,"url":"https://github.com/bcoles/kasld","last_synced_at":"2025-04-05T10:10:18.756Z","repository":{"id":65553912,"uuid":"230851723","full_name":"bcoles/kasld","owner":"bcoles","description":"Kernel Address Space Layout Derandomization (KASLD) - A collection of various techniques to infer the Linux kernel base virtual address as an unprivileged local user, for the purpose of bypassing Kernel Address Space Layout Randomization (KASLR).","archived":false,"fork":false,"pushed_at":"2024-04-13T10:14:16.000Z","size":664,"stargazers_count":436,"open_issues_count":0,"forks_count":47,"subscribers_count":11,"default_branch":"master","last_synced_at":"2025-03-29T09:12:24.302Z","etag":null,"topics":["kaslr","kernel","kernel-exploit","linux","linux-kaslr","linux-kernel"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bcoles.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-12-30T05:12:39.000Z","updated_at":"2025-03-20T02:45:44.000Z","dependencies_parsed_at":"2024-01-20T08:20:21.779Z","dependency_job_id":"3a377932-146b-4b82-a87f-78097ec218e6","html_url":"https://github.com/bcoles/kasld","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bcoles%2Fkasld","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bcoles%2Fkasld/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bcoles%2Fkasld/releases","manifests_ur
l":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bcoles%2Fkasld/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bcoles","download_url":"https://codeload.github.com/bcoles/kasld/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247318745,"owners_count":20919484,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kaslr","kernel","kernel-exploit","linux","linux-kaslr","linux-kernel"],"created_at":"2024-09-24T19:00:08.002Z","updated_at":"2025-04-05T10:10:18.739Z","avatar_url":"https://github.com/bcoles.png","language":"C","readme":"\u003cp align=\"center\"\u003e\n \u003cimg src=\"logo.png\" alt=\"KASLD logo generated with Stable Diffusion (modified)\"/\u003e\n\u003c/p\u003e\n\n# Kernel Address Space Layout Derandomization (KASLD)\n\nA collection of various techniques to infer the Linux kernel base virtual\naddress as an unprivileged local user, for the purpose of bypassing Kernel\nAddress Space Layout Randomization (KASLR).\n\nSupports:\n\n* x86 (i386+, amd64)\n* ARM (armv6, armv7, armv8)\n* MIPS (mipsbe, mipsel, mips64el)\n* PowerPC (ppc, ppc64)\n* RISC-V (riscv32, riscv64)\n* LoongArch (loongarch64)\n\n\n## Usage\n\n```\nsudo apt install libc-dev make gcc binutils git\ngit clone https://github.com/bcoles/kasld\ncd kasld\n./kasld\n```\n\nKASLD is written in C and structured for easy re-use. 
Each file in the `./src`\ndirectory uses a different technique to retrieve or infer kernel addresses\nand can be compiled individually.\n\n`./kasld` is a lazy shell script wrapper which simply builds and executes each\nof these files, offering a quick and easy method to check for address leaks\non a target system. This script requires `make`.\n\nRefer to [output.md](output.md) for example output from various distros.\n\n## Building\n\nA compiler which supports the `_GNU_SOURCE` macro is required due to\nuse of non-portable code (`MAP_ANONYMOUS`, `getline()`, `popen()`, ...).\n\nKASLD components can be cross-compiled with `make` by specifying the appropriate\ncompiler (`CC`) with `LDFLAGS=-static`. For example:\n\n```\nmake CC=aarch64-linux-musl-gcc LDFLAGS=-static\n```\n\n\n## Configuration\n\nCommon default kernel config options are defined in [kasld.h](src/include/kasld.h).\nThe default values should work on most systems, but may need to be tweaked for\nthe target system - especially old kernels, embedded devices (ie, armv7), or\nsystems with a non-default memory layout.\n\nLeaked addresses may need to be bit masked off appropriately for the target kernel,\ndepending on kernel alignment. 
Once bitmasked, the address may need to be adjusted\nbased on text offset, although on x86_64 and arm64 (since 2020-04-15) the text\noffset is zero.\n\nThe configuration options should be fairly self-explanatory.\nRefer to the comment headers in [kasld.h](src/include/kasld.h):\n\nhttps://github.com/bcoles/kasld/blob/5ae25b8367ac511b1caac6c34666f4c76b3face6/src/include/kasld.h#L5-L25\n\n\n## Function Offsets\n\nAs the entire kernel code text is mapped with only the base address randomized,\na single kernel pointer leak can be used to infer the location of the kernel\nvirtual address space and offset of the kernel base address.\n\nOffsets to useful kernel functions (`commit_creds`, `prepare_kernel_cred`,\n`native_write_cr4`, etc) from the base address can be pre-calculated on other\nsystems with the same kernel - an easy task for publicly available kernels\n(ie, distro kernels).\n\nOffsets may also be retrieved from various file system locations (`/proc/kallsyms`,\n`vmlinux`, `System.map`, etc) depending on file system permissions.\n[jonoberheide/ksymhunter](https://github.com/jonoberheide/ksymhunter) automates\nthis process.\n\n\n## Function Granular KASLR (FG-KASLR)\n\nFunction Granular KASLR (aka \"finer grained KASLR\") patches for the 5.5.0-rc7\nkernel were [proposed in February 2020](https://lwn.net/Articles/811685/)\n(but have not been merged as of 2024-01-01).\n\nThis optional non-mainline mitigation [\"rearranges your kernel code at load time on a per-function level granularity\"](https://lwn.net/Articles/811685/)\nand can be enabled with the [CONFIG_FG_KASLR](https://patchwork.kernel.org/project/linux-hardening/patch/20211223002209.1092165-8-alexandr.lobakin@intel.com/) flag.\n\nFG-KASLR ensures the location of kernel and module functions are independently\nrandomized and no longer located at a constant offset from the kernel `.text`\nbase.\n\nOn systems which support FG-KASLR patches (x86_64 from 2020, arm64 from 2023),\nthis makes calculating offsets to 
useful functions more difficult and renders\nkernel pointer leaks significantly less useful.\n\nHowever, some regions of the kernel are not randomized (such as symbols before\n`__startup_secondary_64` on x86_64) and offsets remain consistent across reboots.\nAdditionally, FG-KASLR randomizes only kernel functions, leaving other useful\nkernel data (such as [modprobe_path](https://sam4k.com/like-techniques-modprobe_path/)\nand `core_pattern` usermode helpers) unchanged at a static offset.\n\n\n## Addendum\n\nKASLD serves as a non-exhaustive collection and reference for techniques\nuseful in KASLR bypass; however, it is far from complete. There are many\nadditional noteworthy techniques not included for various reasons.\n\n\n### System Logs\n\nKernel and system logs (`dmesg` / `syslog`) offer a wealth of information, including\nkernel pointers and the layout of virtual and physical memory.\n\nSeveral KASLD components search the kernel message ring buffer for kernel addresses.\nThe following KASLD components read from `dmesg` and `/var/log/dmesg`:\n\n* [dmesg_android_ion_snapshot.c](src/dmesg_android_ion_snapshot.c)\n* [dmesg_backtrace.c](src/dmesg_backtrace.c)\n* [dmesg_check_for_initrd.c](src/dmesg_check_for_initrd.c)\n* [dmesg_driver_component_ops.c](src/dmesg_driver_component_ops.c)\n* [dmesg_early_init_dt_add_memory_arch.c](src/dmesg_early_init_dt_add_memory_arch.c)\n* [dmesg_ex_handler_msr.c](src/dmesg_ex_handler_msr.c)\n* [dmesg_fake_numa_init.c](src/dmesg_fake_numa_init.c)\n* [dmesg_free_area_init_node.c](src/dmesg_free_area_init_node.c)\n* [dmesg_free_reserved_area.c](src/dmesg_free_reserved_area.c)\n* [dmesg_kaslr-disabled.c](src/dmesg_kaslr-disabled.c)\n* [dmesg_mem_init_kernel_layout.c](src/dmesg_mem_init_kernel_layout.c)\n* [dmesg_mmu_idmap.c](src/dmesg_mmu_idmap.c)\n* [dmesg_riscv_relocation.c](src/dmesg_riscv_relocation.c)\n\nHistorically, raw kernel pointers were frequently printed to the system log\nwithout using the [`%pK` printk 
format](https://www.kernel.org/doc/html/latest/core-api/printk-formats.html).\n\n* https://github.com/torvalds/linux/search?p=1\u0026q=%25pK\u0026type=Commits\n\nBugs which trigger a kernel oops can be used to leak kernel pointers by reading\nthe associated backtrace from system logs (on systems with `kernel.panic_on_oops = 0`).\n\nThere are countless examples. A few simple examples are available in the [extra](extra/) directory:\n\n* [extra/oops_inet_csk_listen_stop.c](extra/oops_inet_csk_listen_stop.c)\n* [extra/oops_netlink_getsockbyportid_null_ptr.c](extra/oops_netlink_getsockbyportid_null_ptr.c)\n\nMost modern distros ship with `kernel.dmesg_restrict` enabled by default to\nprevent unprivileged users from accessing the kernel debug log. Similarly,\ngrsecurity hardened kernels support `kernel.grsecurity.dmesg` to prevent\nunprivileged access.\n\nSystem log files (ie, `/var/log/syslog`) are readable only by privileged users\non modern distros. On Debian/Ubuntu systems, users in the `adm` group also have\nread permissions on various system log files in `/var/log/`:\n\n```\n$ ls -la /var/log/syslog /var/log/kern.log /var/log/dmesg\n-rw-r----- 1 root   adm 147726 Jan  8 01:43 /var/log/dmesg\n-rw-r----- 1 syslog adm    230 Jan 15 00:00 /var/log/kern.log\n-rw-r----- 1 syslog adm   8322 Jan 15 04:26 /var/log/syslog\n```\n\nTypically the first user created during installation of an Ubuntu system\nis a member of the `adm` group and will have read access to these files.\n\nAdditionally, [an initscript bug](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867747)\npresent from 2017-2019 caused the `/var/log/dmesg` log file to be generated\nwith world-readable permissions (`644`) and may still be world-readable on\nsome systems.\n\n\n### DebugFS\n\nVarious areas of [DebugFS](https://en.wikipedia.org/wiki/Debugfs)\n(`/sys/kernel/debug/*`) may disclose kernel pointers.\n\nDebugFS is [no longer readable by unprivileged users by 
default](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=82aceae4f0d42f03d9ad7d1e90389e731153898f)\nsince kernel version `v3.7-rc1~174^2~57` on 2012-08-27.\n\nThis change pre-dates Linux KASLR by 2 years. However, DebugFS may still be\nreadable in some non-default configurations.\n\n\n### Hardware Bugs\n\nThere are a plethora of viable hardware-related attacks which can be used to break\nKASLR, in particular timing side-channels and transient execution attacks.\n\nKASLD includes the following hardware-related KASLR breaks:\n\n* [EntryBleed (CVE-2022-4543)](src/entrybleed.c)\n\nThe [extra/check-hardware-vulnerabilities](extra/check-hardware-vulnerabilities)\nscript performs rudimentary checks for several known hardware vulnerabilities,\nbut does not implement these techniques.\n\nRefer to the [Hardware Side-Channels](#hardware-side-channels) section for more information.\n\n\n### Weak Entropy\n\nThe kernel is loaded at an aligned memory address, usually between `PAGE_SIZE` (4096 KiB)\nand 2MiB on modern systems (see `KERNEL_ALIGN` definitions in [kasld.h](src/include/kasld.h)).\nThis limits the number of possible kernel locations. 
For example, on x86_64 with\n`RANDOMIZE_BASE_MAX_OFFSET` of 1GiB and 2MiB alignment, this limited the kernel load\naddress to `0x4000_0000 / 0x20_0000 = 512` possible locations.\n \nWeaknesses in randomisation can decrease entropy, further limiting the possible kernel\nlocations in memory and making the kernel easier to locate.\n\nKASLR may be disabled if insufficient randomness is generated during boot\n(for example, if `get_kaslr_seed()` fails on ARM64).\n\nRefer to the [Weak Entropy](#weak-entropy) section for more information.\n\n\n## Additional References\n\n### Linux KASLR History and Implementation\n\n* [grsecurity - KASLR: An Exercise in Cargo Cult Security](https://grsecurity.net/kaslr_an_exercise_in_cargo_cult_security) (grsecurity, 2013)\n* [An Info-Leak Resistant Kernel Randomization for Virtualized Systems | IEEE Journals \u0026 Magazine | IEEE Xplore](https://ieeexplore.ieee.org/document/9178757) (Fernando Vano-Garcia, Hector Marco-Gisbert, 2020)\n* Kernel Address Space Layout Randomization (LWN.net)\n  * [Kernel address space layout randomization [LWN.net]](https://lwn.net/Articles/569635/)\n  * [Randomize kernel base address on boot [LWN.net]](https://lwn.net/Articles/444556/)\n  * [arm64: implement support for KASLR [LWN.net]](https://lwn.net/Articles/673598/)\n* [Kernel load address randomization · Linux Inside](https://0xax.gitbooks.io/linux-insides/content/Booting/linux-bootstrap-6.html)\n* Function Granular KASLR (FG-KASLR)\n  * [[PATCH v10 00/15] Function Granular KASLR](https://lore.kernel.org/lkml/20220209185752.1226407-1-alexandr.lobakin@intel.com/)\n  * [FGKASLR - CTF Wiki](https://ctf-wiki.org/pwn/linux/kernel-mode/defense/randomization/fgkaslr/)\n\n\n### Linux KASLR Configuration\n\n* Linux Kernel Driver DataBase\n  * [CONFIG_RANDOMIZE_BASE: Randomize the address of the kernel image (KASLR)](https://cateee.net/lkddb/web-lkddb/RANDOMIZE_BASE.html)\n  * [CONFIG_RANDOMIZE_BASE_MAX_OFFSET: Maximum kASLR 
offset](https://cateee.net/lkddb/web-lkddb/RANDOMIZE_BASE_MAX_OFFSET.html)\n  * [CONFIG_RANDOMIZE_MEMORY: Randomize the kernel memory sections](https://cateee.net/lkddb/web-lkddb/RANDOMIZE_MEMORY.html)\n  * [CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING: Physical memory mapping padding](https://cateee.net/lkddb/web-lkddb/RANDOMIZE_MEMORY_PHYSICAL_PADDING.html)\n  * [CONFIG_RELOCATABLE: Build a relocatable kernel](https://cateee.net/lkddb/web-lkddb/RELOCATABLE.html)\n\n\n### Linux Memory Management\n\n* [0xAX/linux-insides](https://github.com/0xAX/linux-insides)\n  * https://github.com/0xAX/linux-insides/tree/master/Initialization\n  * https://github.com/0xAX/linux-insides/blob/master/Theory/linux-theory-1.md\n  * https://github.com/0xAX/linux-insides/tree/master/MM\n* [Virtual Memory and Linux](https://elinux.org/images/b/b0/Introduction_to_Memory_Management_in_Linux.pdf) (Matt Porter, 2016)\n* [Understanding the Linux Virtual Memory Manager](https://www.kernel.org/doc/gorman/html/understand/index.html) (Mel Gorman, 2004)\n* Linux Kernel Programming (Kaiwan N Billimoria, 2021)\n\n\n### Hardware Side-Channels\n\n[Practical Timing Side Channel Attacks Against Kernel Space ASLR](https://openwall.info/wiki/_media/archive/TR-HGI-2013-001.pdf) (Ralf Hund, Carsten Willems, Thorsten Holz, 2013)\n\n[google/safeside](https://github.com/google/safeside)\n\n[Micro architecture attacks on KASLR](https://cyber.wtf/2016/10/25/micro-architecture-attacks-on-kasrl/) (Anders Fogh, 2016)\n\n[PLATYPUS: Software-based Power Side-Channel Attacks on x86](https://platypusattack.com/platypus.pdf) (Moritz Lipp, Andreas Kogler, David Oswald†, Michael Schwarz, Catherine Easdon, Claudio Canella, and Daniel Gruss, 2020)\n\n[LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection](https://www.semanticscholar.org/paper/LVI:-Hijacking-Transient-Execution-through-Load-Bulck-Moghimi/5cbf634d4308a30b2cddb4c769056750233ddaf6) (Jo Van Bulck, Daniel Moghimi, Michael Schwarz, Moritz 
Lipp, Marina Minkin, Daniel Genkin, Yuval Yarom, Berk Sunar, Daniel Gruss, and Frank Piessens, 2020)\n\n[Exploiting Microarchitectural Optimizations from Software](https://diglib.tugraz.at/download.php?id=61adc85670183\u0026location=browse) (Moritz Lipp. 2021)\n\n[Hardening the Kernel Against Unprivileged Attacks](https://www.cc0x1f.net/publications/thesis.pdf) (Claudio Canella, 2022)\n\n[ThermalBleed: A Practical Thermal Side-Channel Attack](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9727162) (Taehun Kim, Youngjoo Shin. 2022)\n\nAMD prefetch and power-based side channel attacks (CVE-2021-26318):\n\n  * https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1017\n  * [AMD Prefetch Attacks through Power and Time](https://www.usenix.org/conference/usenixsecurity22/presentation/lipp) (Moritz Lipp, Daniel Gruss, Michael Schwarz. 2022)\n    * https://www.usenix.org/system/files/sec22-lipp.pdf\n    * USENIX Security 2022 Presentation: https://www.youtube.com/watch?v=bTV-9-B26_w\n    * https://github.com/amdprefetch/amd-prefetch-attacks/tree/master/case-studies/kaslr-break\n\nMicroarchitectural Data Sampling (MDS) side-channel attacks:\n\n  * [Fallout: Leaking Data on Meltdown-resistant CPUs](https://mdsattacks.com/files/fallout.pdf) (Claudio Canella, Daniel Genkin, Lukas Giner, Daniel Gruss, Moritz Lipp, Marina Minkin, Daniel Moghimi, Frank Piessens, Michael Schwarz, Berk Sunar, Jo Van Bulck, Yuval Yarom, 2019)\n    * https://github.com/wbowling/cpu.fail/blob/master/zombieload_kaslr.c (wbowling, 2019)\n  * [RIDL: Rogue In-Flight Data Load](https://mdsattacks.com/files/ridl.pdf) (Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Giorgi Maisuradze, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida, 2019)\n    * [vusec/ridl](https://github.com/vusec/ridl) - Intel CPUs (VUSec, 2019)\n  * [ZombieLoad](https://zombieloadattack.com/):\n    * [IAIK/ZombieLoad](https://github.com/IAIK/ZombieLoad)\n    * 
https://github.com/wbowling/cpu.fail/blob/master/fallout_kaslr.c (wbowling, 2019)\n\nEchoLoad:\n\n  * [KASLR: Break It, Fix It, Repeat](https://gruss.cc/files/kaslrbfr.pdf) (Claudio Canella, Michael Schwarz, Martin Haubenwallner, 2020)\n  * [Store-to-Leak Forwarding: There and Back Again](https://i.blackhat.com/asia-20/Friday/asia-20-Canella-Store-To-Leak-Forwarding-There-And-Back-Again-wp.pdf) (Claudio Canella, Lukas Giner, Michael Schwarz, 2020)\n    * Slides: https://misc0110.net/files/store2leak_blackhat_slides.pdf\n    * Blackhat Asia 2020 Presentation: https://www.youtube.com/watch?v=Yc1AXkCu2AA\n    * https://github.com/cc0x1f/store-to-leak-forwarding-there-and-back-again/tree/master/echoload\n\nData Bounce:\n\n  * [Store-to-Leak Forwarding: Leaking Data on Meltdown-resistant CPUs](https://cpu.fail/store_to_leak_forwarding.pdf) (Michael Schwarz, Claudio Canella, Lukas Giner, Daniel Gruss, 2019)\n    * https://github.com/cc0x1f/store-to-leak-forwarding-there-and-back-again/tree/master/data_bounce\n\nPrefetch side-channel attacks:\n\n  * [Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR](https://gruss.cc/files/prefetch.pdf) (Daniel Gruss, Clémentine Maurice, Anders Fogh, 2016)\n    * [xairy/kernel-exploits/prefetch-side-channel](https://github.com/xairy/kernel-exploits/tree/master/prefetch-side-channel) (xairy, 2020)\n  * [Using Undocumented CPU Behaviour to See into Kernel Mode and Break KASLR in the Process](https://www.blackhat.com/docs/us-16/materials/us-16-Fogh-Using-Undocumented-CPU-Behaviour-To-See-Into-Kernel-Mode-And-Break-KASLR-In-The-Process.pdf) (Anders Fogh, Daniel Gruss, 2016)\n    * Blackhat USA 2015 Presentation: https://www.youtube.com/watch?v=Pwq0vv4X7m4\n  * [Fetching the KASLR slide with prefetch](https://googleprojectzero.blogspot.com/2022/12/exploiting-CVE-2022-42703-bringing-back-the-stack-attack.html) (Seth Jenkins, 2022)\n    * [prefetch_poc.zip](https://bugs.chromium.org/p/project-zero/issues/detail?id=2351) - Intel 
x86_64 CPUs with kPTI disabled (`pti=off`)\n  * EntryBleed\n    * Intel x86_64 CPUs; AMD x86_64 CPUs with kPTI disabled (`pti=off`)\n    * [EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)](https://www.willsroot.io/2022/12/entrybleed.html) (willsroot, 2022)\n    * [EntryBleed: A Universal KASLR Bypass against KPTI on Linux](https://dl.acm.org/doi/pdf/10.1145/3623652.3623669) (William Liu, Joseph Ravichandran, Mengjia Yan, 2023)\n  * SLAM: Spectre based on Linear Address Masking\n    * [Leaky Address Masking: Exploiting Unmasked Spectre Gadgets with Noncanonical Address Translation](https://download.vusec.net/papers/slam_sp24.pdf) (Mathé Hertogh, Sander Wiebing, Cristiano Giuffrida, 2024)\n    * [https://www.vusec.net/projects/slam/](https://www.vusec.net/projects/slam/)\n    * [vusec/slam](https://github.com/vusec/slam)\n\nStraight-line Speculation (SLS):\n\n  * [The AMD Branch (Mis)predictor Part 2: Where No CPU has Gone Before (CVE-2021-26341)](https://grsecurity.net/amd_branch_mispredictor_part_2_where_no_cpu_has_gone_before) (Pawel Wieczorkiewicz, 2022)\n  * [Straight-line Speculation Whitepaper](https://developer.arm.com/documentation/102825/0100/?lang=en) (ARM, 2020)\n\nTransactional Synchronization eXtensions (TSX) side-channel timing attacks:\n\n  * [TSX improves timing attacks against KASLR](http://web.archive.org/web/20141107045306/http://labs.bromium.com/2014/10/27/tsx-improves-timing-attacks-against-kaslr/) (Rafal Wojtczuk, 2014)\n  * [DrK: Breaking Kernel Address Space Layout Randomization with Intel TSX](https://www.blackhat.com/docs/us-16/materials/us-16-Jang-Breaking-Kernel-Address-Space-Layout-Randomization-KASLR-With-Intel-TSX.pdf) (Yeongjin Jang, Sangho Lee, Taesoo Kim, 2016)\n    * Slides: https://www.blackhat.com/docs/us-16/materials/us-16-Jang-Breaking-Kernel-Address-Space-Layout-Randomization-KASLR-With-Intel-TSX.pdf\n    * Blackhat USA 2015 Presentation: https://www.youtube.com/watch?v=rtuXG28g0CU\n  * 
[vnik5287/kaslr_tsx_bypass](https://github.com/vnik5287/kaslr_tsx_bypass) (Vitaly Nikolenko, 2017)\n\nBranch Target Buffer (BTB) based side-channel attacks:\n\n  * [Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR](https://www.cs.ucr.edu/~nael/pubs/micro16.pdf) (Dmitry Evtyushkin, Dmitry Ponomarev, Nael Abu-Ghazaleh, 2016)\n    * [felixwilhelm/mario_baslr](https://github.com/felixwilhelm/mario_baslr) - Intel CPUs (Felix Wilhelm, 2016)\n\nTransient Execution / Speculative Execution:\n\n  * The [transient.fail](https://transient.fail/) website offers a good overview of speculative execution / transient execution attacks.\n  * [SPECULOSE: Analyzing the Security Implications of Speculative Execution in CPUs](https://arxiv.org/pdf/1801.04084v1.pdf) (Giorgi Maisuradze, Christian Rossow, 2018)\n  * [A Systematic Evaluation of Transient Execution Attacks and Defenses](https://www.cc0x1f.net/publications/transient_sytematization.pdf) (Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin, Daniel Gruss, 2019)\n  * [Meltdown](https://meltdownattack.com)\n    * [Meltdown: Reading Kernel Memory from User Space](https://meltdownattack.com/meltdown.pdf) (Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, Mike Hamburg, 2018)\n    * USENIX Security 2018 Video: https://www.usenix.org/conference/usenixsecurity18/presentation/lipp\n    * [paboldin/meltdown-exploit](https://github.com/paboldin/meltdown-exploit)\n    * [IAIK/meltdown](https://github.com/IAIK/meltdown)\n    * https://github.com/IAIK/transientfail/tree/master/pocs/meltdown\n  * [Spectre Attacks: Exploiting Speculative Execution](https://spectreattack.com/spectre.pdf) (Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom, 
2018)\n    * https://github.com/IAIK/transientfail/tree/master/pocs/spectre\n  * [Reading privileged memory with a side-channel](https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html) (Jann Horn, 2018)\n  * [speed47/spectre-meltdown-checker](https://github.com/speed47/spectre-meltdown-checker)\n  * [VDSO As A Potential KASLR Oracle](https://www.longterm.io/vdso_sidechannel.html) (Philip Pettersson, Alex Radocea, 2021)\n  * [RETBLEED: Arbitrary Speculative Code Execution with Return Instructions](https://comsec.ethz.ch/wp-content/files/retbleed_sec22.pdf) (Johannes Wikner, Kaveh Razavi, 2022)\n    * [comsec-group/retbleed](https://github.com/comsec-group/retbleed) - Intel/AMD x86_64 CPUs\n  * [Timing the Transient Execution: A New Side-Channel Attack on Intel CPUs](https://arxiv.org/pdf/2304.10877.pdf) (Yu Jin, Pengfei Qiu, Chunlu Wang, Yihao Yang, Dongsheng Wang, Gang Qu, 2023)\n\nSpeculative Data Gathering / Gather Data Sampling:\n\n  * [Downfall](https://downfall.page/) (CVE-2022-40982)\n    * [Downfall: Exploiting Speculative Data Gathering](https://downfall.page/media/downfall.pdf) (Daniel Moghimi, 2023)\n\nTagBleed: Tagged Translation Lookaside Buffer (TLB) side-channel attacks:\n\n  * [TagBleed: Breaking KASLR on the Isolated Kernel Address Space using Tagged TLBs](https://download.vusec.net/papers/tagbleed_eurosp20.pdf) (Jakob Koschel, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi, 2020)\n    * [renorobert/tagbleedvmm](https://github.com/renorobert/tagbleedvmm) (Reno Robert, 2020)\n\n[RAMBleed](https://rambleed.com/) side-channel attack (CVE-2019-0174):\n\n  * [RAMBleed: Reading Bits in Memory Without Accessing Them](https://rambleed.com/docs/20190603-rambleed-web.pdf) (Andrew Kwong, Daniel Genkin, Daniel Gruss, Yuval Yarom, 2019)\n  * [google/rowhammer-test](https://github.com/google/rowhammer-test) (Google, 2015)\n\nMemory deduplication timing side-channel attacks:\n\n  * [Memory deduplication as a threat to the guest 
OS](https://kth.diva-portal.org/smash/get/diva2:1060434/FULLTEXT01) (Kuniyasu Suzaki, Kengo Iijima, Toshiki Yagi, Cyrille Artho. 2011)\n  * [Breaking KASLR Using Memory Deduplication in Virtualized Environments](https://www.mdpi.com/2079-9292/10/17/2174) (Taehun Kim, Taehyun Kim, Youngjoo Shin. 2021)\n  * [Remote Memory-Deduplication Attacks](https://pure.tugraz.at/ws/portalfiles/portal/38441480/main.pdf) (Martin Schwarzl, Erik Kraft, Moritz Lipp, Daniel Gruss. 2022)\n\n\n### Kernel Info Leaks\n\nPatched kernel info leak bugs:\n\n  * [https://github.com/torvalds/linux/search?p=1\u0026type=Commits\u0026q=kernel-infoleak](https://github.com/torvalds/linux/search?p=1\u0026type=Commits\u0026q=kernel-infoleak)\n  * `git clone https://github.com/torvalds/linux \u0026\u0026 cd linux \u0026\u0026 git log | grep 'kernel-infoleak'`\n\nPatched kernel info leak bugs caught by KernelMemorySanitizer (KMSAN):\n\n  * [https://github.com/torvalds/linux/search?p=1\u0026type=Commits\u0026q=BUG: KMSAN: kernel-infoleak](https://github.com/torvalds/linux/search?p=1\u0026type=Commits\u0026q=BUG:%20KMSAN:%20kernel-infoleak)\n  * `git clone https://github.com/torvalds/linux \u0026\u0026 cd linux \u0026\u0026 git log | grep \"BUG: KMSAN: kernel-infoleak\"`\n\nNetfilter info leak (CVE-2022-1972):\n\n  * [Yet another bug into Netfilter](https://www.randorisec.fr/yet-another-bug-netfilter/)\n    * https://github.com/randorisec/CVE-2022-1972-infoleak-PoC\n\nRemote uninitialized stack variables leaked via Bluetooth:\n\n  * [BadChoice: Stack-Based Information Leak (BleedingTooth)](https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq) (CVE-2020-12352)\n  * [Linux Kernel: Infoleak in Bluetooth L2CAP Handling](https://seclists.org/oss-sec/2022/q4/188) (CVE-2022-42895)\n  * [Info Leak in the Linux Kernel via Bluetooth](https://seclists.org/oss-sec/2017/q4/357) (CVE-2017-1000410)\n\nRemote kernel pointer leak via IP packet headers (CVE-2019-10639):\n\n  * [From IP ID to 
Device ID and KASLR Bypass](https://arxiv.org/pdf/1906.10478.pdf)\n\nfloppy block driver `show_floppy` kernel function pointer leak (CVE-2018-7273) (requires `floppy` driver and access to `dmesg`):\n\n  * [Linux Kernel \u003c 4.15.4 - 'show_floppy' KASLR Address Leak](https://www.exploit-db.com/exploits/44325) (Gregory Draperi. 2018)\n  * https://xorl.wordpress.com/2018/03/18/cve-2018-7273-linux-kernel-floppy-information-leak/\n\n`kernel_waitid` leak (CVE-2017-14954) (affects kernels 4.13-rc1 to 4.13.4):\n\n  * [wait_for_kaslr_to_be_effective.c](https://grsecurity.net/~spender/exploits/wait_for_kaslr_to_be_effective.c) (spender, 2017)\n  * https://github.com/salls/kernel-exploits/blob/master/CVE-2017-5123/exploit_no_smap.c (salls, 2017)\n\n`snd_timer_user_read` uninitialized kernel heap memory disclosure (CVE-2017-1000380):\n\n  * [Linux kernel 2.6.0 to 4.12-rc4 infoleak due to a data race in ALSA timer](https://seclists.org/oss-sec/2017/q2/455) (Alexander Potapenko, 2017)\n    * [snd_timer_c.bin](https://seclists.org/oss-sec/2017/q2/att-529/snd_timer_c.bin) (Alexander Potapenko, 2017)\n\nPPTP sockets `pptp_bind()` / `pptp_connect()` kernel stack leak (CVE-2015-8569):\n\n  * https://lkml.org/lkml/2015/12/14/252\n\nExploiting uninitialized stack variables:\n\n  * [Structure holes and information leaks](https://lwn.net/Articles/417989/) (Jonathan Corbet. 2010)\n  * [C Structure Padding Initialization](https://interrupt.memfault.com/blog/c-struct-padding-initialization) (Noah Pendleton. 2022)\n  * [DCL39-C. 
Avoid information leakage when passing a structure across a trust boundary - SEI CERT C Coding Standard](https://wiki.sei.cmu.edu/confluence/display/c/DCL39-C.+Avoid+information+leakage+when+passing+a+structure+across+a+trust+boundary)\n  * [Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers](https://sefcom.asu.edu/publications/leak-kptr-woot20.pdf) (Haehyun Cho, Jinbum Park, Joonwon Kang, Tiffany Bao, Ruoyu Wang, Yan Shoshitaishvili, Adam Doupé, Gail-Joon Ahn. 2020)\n    * [Leak kernel pointer by exploiting uninitialized uses in Linux kernel](https://jinb-park.github.io/leak-kptr.html)\n    * [jinb-park/leak-kptr](https://github.com/jinb-park/leak-kptr)\n    * [compat_get_timex kernel stack pointer leak](https://github.com/jinb-park/leak-kptr/blob/master/exploit/CVE-2018-11508/poc.c) (CVE-2018-11508).\n    * [sctp_af_inet kernel pointer leak](https://github.com/jinb-park/leak-kptr/tree/master/exploit/sctp-leak) (CVE-2017-7558) (requires `libsctp-dev`).\n    * [rtnl_fill_link_ifmap kernel stack pointer leak](https://github.com/jinb-park/leak-kptr/tree/master/exploit/CVE-2016-4486) (CVE-2016-4486).\n    * [snd_timer_user_params kernel stack pointer leak](https://github.com/jinb-park/leak-kptr/tree/master/exploit/CVE-2016-4569) (CVE-2016-4569).\n\n\n### Kernel Bugs\n\nLeaking kernel addresses using `msg_msg` struct for arbitrary read (for `KMALLOC_CGROUP` objects):\n\n  * [Four Bytes of Power: Exploiting CVE-2021-26708 in the Linux kernel | Alexander Popov](https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html)\n  * [CVE-2021-22555: Turning \\x00\\x00 into 10000$ | security-research](https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html)\n  * [Exploiting CVE-2021-43267 - Haxxin](https://haxx.in/posts/pwning-tipc/)\n  * [Will's Root: pbctf 2021 Nightclub Writeup: More Fun with Linux Kernel Heap Notes!](https://www.willsroot.io/2021/10/pbctf-2021-nightclub-writeup-more-fun.html)\n  * [Will's Root: 
corCTF 2021 Fire of Salvation Writeup: Utilizing msg_msg Objects for Arbitrary Read and Arbitrary Write in the Linux Kernel](https://www.willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html)\n  * [[corCTF 2021] Wall Of Perdition: Utilizing msg_msg Objects For Arbitrary Read And Arbitrary Write In The Linux Kernel](https://syst3mfailure.io/wall-of-perdition)\n  * [[CVE-2021-42008] Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver](https://syst3mfailure.io/sixpack-slab-out-of-bounds)\n\nLeaking kernel addresses using privileged arbitrary read (or write) in kernel space:\n\n  * [kptr_restrict – Finding kernel symbols for shell code](https://ryiron.wordpress.com/2013/09/05/kptr_restrict-finding-kernel-symbols-for-shell-code/) (ryiron, 2013)\n  * CVE-2017-18344: Exploiting an arbitrary-read vulnerability in the Linux kernel timer subsystem (xairy, 2017):\n    * https://www.openwall.com/lists/oss-security/2018/08/09/6\n    * https://xairy.io/articles/cve-2017-18344\n    * [xairy/kernel-exploits/CVE-2017-18344](https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-18344)\n\n\n### Weak Entropy\n\n[Another look at two Linux KASLR patches](https://www.kryptoslogic.com/blog/2020/03/another-look-at-two-linux-kaslr-patches/index.html) (Kryptos Logic, 2020)\n\n[arm64: efi: kaslr: Fix occasional random alloc (and boot) failure](https://github.com/torvalds/linux/commit/4152433c397697acc4b02c4a10d17d5859c2730d)\n\n\n## License\n\nKASLD is MIT licensed but borrows heavily from modified\nthird-party code snippets and proof of concept code.\n\nVarious code snippets were taken from third-parties and may\nhave different license restrictions. 
Refer to the reference\nURLs in the comment headers available in each file for credits\nand more information.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbcoles%2Fkasld","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbcoles%2Fkasld","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbcoles%2Fkasld/lists"}