{"id":13936719,"url":"https://github.com/sslab-gatech/DrK","last_synced_at":"2025-07-19T22:31:45.315Z","repository":{"id":41337462,"uuid":"71486135","full_name":"sslab-gatech/DrK","owner":"sslab-gatech","description":"The DrK Attack - Proof of concept","archived":false,"fork":false,"pushed_at":"2022-03-13T06:40:06.000Z","size":923,"stargazers_count":341,"open_issues_count":0,"forks_count":67,"subscribers_count":33,"default_branch":"master","last_synced_at":"2024-11-19T20:46:55.208Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sslab-gatech.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-10-20T17:14:17.000Z","updated_at":"2024-11-11T21:14:34.000Z","dependencies_parsed_at":"2022-08-31T06:11:12.998Z","dependency_job_id":null,"html_url":"https://github.com/sslab-gatech/DrK","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sslab-gatech%2FDrK","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sslab-gatech%2FDrK/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sslab-gatech%2FDrK/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sslab-gatech%2FDrK/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sslab-gatech","download_url":"https://codeload.github.com/sslab-gatech/DrK/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":226686730,"owners_count":17666928,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-07T23:02:56.344Z","updated_at":"2024-11-27T04:31:24.483Z","avatar_url":"https://github.com/sslab-gatech.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# The DrK (De-randomizing Kernel ASLR) attack\nDrK is an attack that breaks kernel address space layout randomization (KASLR)\nby exploiting TLB and decoded i-cache side channels. To reliably exploit the\nside channels, the DrK attack takes advantage of\nIntel TSX (Transactional Synchronization eXtension).\nOne surprising behavior of TSX, which is essentially\nthe root cause of this security loophole, is that it aborts a\ntransaction without notifying the underlying kernel even when the\ntransaction fails due to a critical error, such as a page fault or an\naccess violation, which traditionally requires kernel intervention.\nDrK turns this property into a precise timing channel that can\ndetermine the mapping status (i.e., mapped versus unmapped) and\nexecution status (i.e., executable versus non-executable) of the privileged\nkernel address space. Since such behavior is on the hardware level,\nDrK is universally applicable to all OSes, even in\nvirtualized environments, and generates no visible footprint, making\nit difficult to detect in practice.\nTherefore, DrK can break\nthe KASLR of all major OSes (i.e., Windows, Linux, and OS X)\nwith near-perfect accuracy in under a second.\n\n\n## More details\n* DrK paper (ACM CCS'16): http://people.oregonstate.edu/~jangye/assets/papers/2016/jang:drk-ccs.pdf\n* Talk at Black Hat USA: https://www.youtube.com/watch?v=rtuXG28g0CU\n\n## Demo\n\n### Timing (click the image to watch the video)\n[![Timing Demo](https://img.youtube.com/vi/NdndV_cMJ8k/0.jpg)](https://www.youtube.com/watch?v=NdndV_cMJ8k)\n\n### Full attack on Linux (click the image to watch the video)\n[![Full attack on Linux](https://img.youtube.com/vi/WXGCylmAZkA/0.jpg)](https://www.youtube.com/watch?v=WXGCylmAZkA)\n\n## Build\nRun ```make``` in the top-level directory of this repository.\n\n### Example: Timing demo\nRun ```cd timing; ./timing_demo.py```\n\u003cp align='left'\u003e\n\u003cimg width=\"60%\" src=\"https://github.com/sslab-gatech/DrK/blob/master/timing-mu.png\" /\u003e\u003cbr /\u003e\n\u003cimg width=\"60%\" src=\"https://github.com/sslab-gatech/DrK/blob/master/timing-x-nx.png\" /\u003e\u003cbr /\u003e\n\u003c/p\u003e\n\n### Example: Breaking KASLR in Linux\nRun ```cd linux; ./run-drk-attack.py```\n\u003cp align='left'\u003e\n\u003cimg width=\"60%\" src=\"https://github.com/sslab-gatech/DrK/blob/master/linux-attack.png\" /\u003e\u003cbr /\u003e\n\u003c/p\u003e\n\n## Contributors\n* [Yeongjin Jang]\n* [Sangho Lee]\n* [Taesoo Kim]\n\n[Yeongjin Jang]: \u003chttp://people.oregonstate.edu/~jangye\u003e\n[Sangho Lee]: \u003chttp://www.cc.gatech.edu/~slee3036\u003e\n[Taesoo Kim]: \u003chttps://taesoo.gtisc.gatech.edu\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsslab-gatech%2FDrK","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsslab-gatech%2FDrK","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsslab-gatech%2FDrK/lists"}