KernelSnitch: Leaking Kernel Heap Pointers by Exploiting Software-Induced Side-Channel Leakage of Kernel Hash Tables


In this talk, we present KernelSnitch, a generic software-induced side-channel attack on the operating system. With this new side channel we open up a novel attack surface in operating systems that is both potent and difficult to patch. It allows leaking a kernel heap pointer without exploiting any memory safety vulnerability, and it is hardware agnostic, as it does not rely on any hardware-induced side channel.

In contrast to previous side-channel attacks on the Linux kernel, our side channel advances the state of the art in two ways: First, it is hardware agnostic and exploits only the timing differences of access operations (within syscalls) on hash tables in the Linux kernel. Second, it is the first side-channel attack on the Linux kernel that enables a byte-accurate pointer leak on the kernel heap.

We conduct an in-depth root-cause analysis of this side channel by analyzing one hash table instance, the futex hash table. In particular, we show that the design of hash tables in the Linux kernel inherently enables this side-channel attack.

Finally, we present a live demo where we perform an end-to-end attack that leaks a kernel heap pointer as an unprivileged user. This attack works in sandboxed environments, such as Docker, and across multiple architectures, including x86_64, AArch64, and RISC-V.

Lukas Maar | PhD Student, Graz University of Technology
Jonas Juffinger | InfoSec Researcher, Graz University of Technology

Full Abstract and Presentation Slides:
https://www.blackhat.com/asia-25/briefings/schedule/#kernelsnitch-leaking-kernel-heap-pointers-by-exploiting-software-induced-side-channel-leakage-of-kernel-hash-tables-43247