Home

Awesome

mario_baslr

alt text

This repository contains a small Proof-of-Concept tool for leaking the base address of the KVM hypervisor kernel module (kvm.ko) from a guest VM. It does this by using a timing side-channel created by collisions in the branch target buffer (BTB) of modern Intel CPUs. This approach is based on the great research paper ["Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR"] (http://www.cs.binghamton.edu/~dima/micro16.pdf) by Dmitry Evtyushkin, Dmitry Ponomarev and Nael Abu-Ghazaleh.

Interestingly, the authors of the original paper don't seem to have realised that their technique is not only usable for attacks against KASLR or other user-space tools but also works regardless of virtualization boundaries. This is an important difference to other hardware based timing attacks such as prefetch, which can only be used for addresses that are mapped in the execution context of the attacker.

In theory the BTB side-channel offers a generic way to bypass hypervisor/host ASLR in virtualized environments. However, there are a number of important restrictions:

Only the second issue has an impact when targeting the KVM kernel module, making KVM the easiest target for this attack.

The offsets used in the PoC are targeting kvm.ko compiled for Ubuntu 16.04 with a 4.4.0-38-generic kernel. Future versions might include a fingerprinting mechanism to make this usable in the real world.