When Good Kernel Defenses Go Bad: Reliable and Stable Kernel Exploits via Defense-Amplified TLB Side-Channel Leaks
Description
This upload contains artifacts developed during a research project, which got accepted at USENIX Security '25.
Abstract
This paper shows how side-channel leakage in kernel defenses can be exploited to leak the locations of security-critical kernel objects, enabling reliable and stable attacks on the Linux kernel. By systematically analyzing 127 defenses, we show that enabling any of three specific defenses - strict memory permissions, kernel heap virtualization, or stack virtualization - exposes fine-grained TLB contention patterns. These patterns are then combined with kernel allocator massaging to perform location disclosure attacks, revealing the locations of kernel heap objects, page tables, and stacks.
The artifacts demonstrate the timing side channel attack and the exploit techniques. For both, we provide a kernel module and programs to perform the experiments.
- For the timing side channel, we leak the location of kernel heap objects (i.e. pipe_buffer, msg_msg, cred, file and seq_file), page tables (all levels) and the kernel stack. While our timing side channel should work on all Intel generations between 8th and 14th, we recommend evaluating on Intel 13th generation, as we have mainly evaluated on this one. While our timing side channel should work on Linux kernels between v5.15 and v6.8, we recommend evaluating on the Ubuntu generic kernel v6.8.
- For the exploit techniques, we perform privilege escalation using the 3 techniques supported by the side channel.
Description
The artifacts contain all distinct experiments and exploits from the paper. Our test environment was mainly the 13th generation Intel i7-1360 running Ubuntu 24.04. The kernel versions were either the generic Ubuntu Linux kernel v6.8 or kernel v6.6, which was used for the kernel heap virtualization defense, i.e. SLAB_VIRTUAL [1].
We structure the key artifacts as follows:
Kernel Module
lkm.c
include/lkm.h
include/ulkm.h
These files contain the kernel module including the user-space interface. This module is used for obtaining the ground truth of an object's location (for the side-channel experiments) or for granting the initial exploit primitive (for the exploit techniques).
Location Disclosure Attacks
heap
page-table
stack
These folders contain the location disclosure attacks for leaking the location of kernel heap objects, page tables, and the kernel stack.
Exploit Techniques
attacks
This folder contains the exploit techniques.
Others
generic
include
These folders contain generic TLB side-channel attacks and headers for the other parts.
[1] https://lore.kernel.org/linux-mm/202309151425.2BE59091@keescook/T/
Files
| Name | Size | MD5 |
|---|---|---|
| artifacts.zip | 53.4 kB | ff40745c46e3f43e23b3032c7b6d3a2e |