home > publications > DAR:CCS:24

On Kernel's Safety in the Spectre Era (And KASLR is Formally Dead)

On Kernel’s Safety in the Spectre Era (And KASLR is Formally Dead)
Davide Davoli, Martin Avanzini and Tamara Rezk
31st ACM Conference on Computer and Communications Security (CCS), pages 1–15, (2024).

Abstract

The efficacy of Address Space Layout Randomization (ASLR) has been formally demonstrated in a shared-memory model by Abadi et al., contingent on specific assumptions about victim programs. However, modern operating systems, implementing ASLR in the kernel, diverge from these assumptions and operate on a separate memory model with communication through system calls. In this work, we relax Abadi et al.’s language assumptions while demonstrating that ASLR offers a comparable safety guarantee in a system with memory separation. However, in practice, speculative execution and side-channels are recognized threats to ASLR. We show that kernel safety cannot be restored for attackers capable of using side-channels and speculative execution and introduce a new condition, that allows us to formally prove kernel safety in the Spectre era. Our research demonstrates that under this condition, the system remains safe without relying on ASLR. We also demonstrate that our condition can be sensibly weakened, leading to enforcement mechanisms that can guarantee kernel safety for safe system calls in the Spectre era.

Categories

, ,