Nytro Posted February 23, 2020 Report Posted February 23, 2020 ABSTRACTIn this paper, we analyze the hardware-based Meltdown mitigationsin recent Intel microarchitectures, revealing that illegally accesseddata is only zeroed out. Hence, while non-present loads stall theCPU, illegal loads are still executed. We present EchoLoad, a noveltechnique to distinguish load stalls from transiently executed loads.EchoLoad allows detecting physically-backed addresses from un-privileged applications, breaking KASLR in40μson the newestMeltdown- and MDS-resistant Cascade Lake microarchitecture. AsEchoLoad only relies on memory loads, it runs in highly-restrictedenvironments, e.g., SGX or JavaScript, making it the first JavaScript-based KASLR break. Based on EchoLoad, we demonstrate the firstproof-of-concept Meltdown attack from JavaScript on systems thatare still broadly not patched against Meltdown,i.e., 32-bit x86 OSs.We propose FLARE, a generic mitigation against known microar-chitectural KASLR breaks with negligible overhead. By mappingunused kernel addresses to a reserved page and mirroring neigh-boring permission bits, we make used and unused kernel memoryindistinguishable,i.e., a uniform behavior across the entire kerneladdress space, mitigating the root cause behind microarchitecturalKASLR breaks. With incomplete hardware mitigations, we proposeto deploy FLARE even on recent CPUs. Sursa: http://cc0x1f.net/publications/kaslr.pdf Quote
