Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/sslab-gatech/DrK

The DrK Attack - Proof of concept
https://github.com/sslab-gatech/DrK

Last synced: about 2 months ago
JSON representation

The DrK Attack - Proof of concept

Host: GitHub
URL: https://github.com/sslab-gatech/DrK
Owner: sslab-gatech
License: mit
Created: 2016-10-20T17:14:17.000Z (almost 8 years ago)
Default Branch: master
Last Pushed: 2022-03-13T06:40:06.000Z (over 2 years ago)
Last Synced: 2024-05-03T06:21:18.783Z (5 months ago)
Language: Python
Size: 901 KB
Stars: 345
Watchers: 33
Forks: 67
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# The DrK (De-randomizing Kernel ASLR) attack
DrK is an attack that breaks kernel address space layout randomization (KASLR)
by exploiting TLB and decoded i-cache side channel. To reliably exploit the
side channels, the DrK attack took advantage of
Intel TSX (Transactional Synchronization eXtension).
One surprising behavior of TSX, which is essentially
the root cause of this security loophole, is that it aborts a
transaction without notifying the underlying kernel even when the
transaction fails due to a critical error, such as a page fault or an
access violation, which traditionally requires kernel intervention.
DrK turns this property into a precise timing channel that can
determine the mapping status (i.e., mapped versus unmapped) and
execution status (i.e., executable versus non-executable) of the privileged
kernel address space. Since such behavior is on the hardware level,
DrK is universally applicable to all OSes, even in
virtualized environments, and generates no visible footprint, making
it difficult to detect in practice.
Therefore, DrK can break
the KASLR of all major OSes (i.e., Windows, Linux, and OS X)
with near-perfect accuracy in under a second.

## More details
* DrK paper (ACM CCS'16): http://people.oregonstate.edu/~jangye/assets/papers/2016/jang:drk-ccs.pdf
* Talk at Black Hat USA: https://www.youtube.com/watch?v=rtuXG28g0CU

## Demo

### Timing (click the image to watch the video)
[![Timing Demo](https://img.youtube.com/vi/NdndV_cMJ8k/0.jpg)]
(https://www.youtube.com/watch?v=NdndV_cMJ8k)

### Full attack on Linux (click the image to watch the video)
[![Full attack on Linux](https://img.youtube.com/vi/WXGCylmAZkA/0.jpg)]
(https://www.youtube.com/watch?v=WXGCylmAZkA)

## Build
Run ```make``` on the directory of this repository.

### Example: Timing demo
Run ```cd timing; ./timing_demo.py```

### Example: Breaking KASLR in Linux
Run ```cd linux; ./run-drk-attack.py```

## Contributors
* [Yeongjin Jang]
* [Sangho Lee]
* [Taesoo Kim]

[Yeongjin Jang]:
[Sangho Lee]:
[Taesoo Kim]: