LI Zhouyang, QIU Pengfei, QING Yu, WANG Chunlu, WANG Dongsheng. Automated Discovery of Exploitable Instruction Patterns for KASLR Circumvention[J]. Journal of Electronics & Information Technology. doi: 10.11999/JEIT250366

Automated Discovery of Exploitable Instruction Patterns for KASLR Circumvention

doi: 10.11999/JEIT250366 cstr: 32379.14.JEIT250366
Funds:  The National Key Research and Development Program of China (2023YFB4403000), The National Natural Science Foundation of China (62372258), Beijing Natural Science Foundation (4242026)
  • Received Date: 2025-05-06
  • Rev Recd Date: 2025-08-11
  • Available Online: 2025-08-28
Objective  Kernel Address Space Layout Randomization (KASLR) remains a core defense against kernel-level exploits; however, its robustness is increasingly undermined by microarchitectural side-channel attacks that exploit specific processor instructions. Existing research has largely concentrated on isolated attack vectors and lacks a systematic evaluation of the entire x86 instruction set. This study addresses that gap by developing an automated framework that identifies and characterizes KASLR-bypass instructions comprehensively, assesses their attack efficacy across multiple Intel processor generations, and derives defensible instruction patterns to inform the reinforcement of current security mechanisms.

Methods  This study systematically addresses three core challenges in analyzing instruction-level mechanisms for bypassing KASLR. The first challenge is achieving comprehensive coverage of the x86 Instruction Set Architecture (ISA), which includes thousands of historical and modern instructions characterized by variable-length encoding and complex microarchitectural dependencies. To address this, the proposed framework combines static and dynamic analysis. Instruction semantics are extracted statically from the Intel Software Developer Manuals and the uops.info XML datasets. Dynamic profiling on Intel Core processors verifies instruction support across processor generations. Byte-level pattern matching is applied to handle variable-length encodings accurately. The second challenge concerns the generation of attack-compliant machine code that satisfies strict encoding requirements and bypasses compiler-level checks. This is achieved using a template-driven approach, which modifies a CLFLUSH-based attack prototype by replacing inline assembly instructions through pattern substitution. Memory operands are redirected to target addresses preloaded into the EDX register, with boundary values used to ensure operand validity. For nonstandard or undocumented instructions, self-modifying code techniques inject opcodes dynamically at runtime, thereby bypassing compiler restrictions and enabling broader instruction coverage. The third challenge focuses on evaluating attack effectiveness through accurate localization of kernel symbols. To this end, the framework applies a dual-verification strategy. RDTSC instructions timestamp memory probes across 512 predefined address slots. Differential timing analysis identifies latency outliers (i.e., maximum and minimum values), which indicate potential KASLR bypasses. Signal handlers suppress exceptions caused by access to privileged or unmapped memory regions, while debug symbol cross-referencing confirms actual kernel address leakage. All generated code undergoes Monte Carlo simulation to reduce false positives and ensure statistical robustness.

Results and Discussions  Experiments are performed on Intel Core i7-11700K, i7-12700K, and i7-13700 processors (Table 1). In the Assembly-Level Instruction Analysis (Fig. 4), 699 assembly instructions are identified as effective KASLR bypass vectors on the i7-11700K. Variations in support for AVX512 instruction set extensions account for differences in the attack surface, with the number of effective instructions decreasing slightly to 542 on the i7-12700K and 547 on the i7-13700, reflecting minor microarchitectural differences. In the Byte-Level Instruction Analysis (Table 2), 39 one-byte, 121 two-byte, and 24 three-byte opcodes are found to bypass KASLR without relying on predefined assembly semantics. These opcodes demonstrate consistent attack efficacy across all evaluated processors, indicating similar behavioral patterns across Intel architectures. Overall, the results (Fig. 4, Table 2, Table 3) demonstrate two principal findings: comprehensive coverage of the x86 ISA and cross-generation consistency of effective KASLR bypass instructions. Although the current study focuses on Intel processors, the findings raise open questions regarding the vulnerability of AMD processors that share the same ISA, as well as ARM-based platforms used in Android devices and Apple M series chips. Future work is intended to extend the framework to analyze KASLR bypass vectors on non-Intel architectures. Furthermore, the proposed automated analysis framework assesses KASLR attack efficacy through differential analysis; to enhance detection across heterogeneous architectures and instruction sets, future efforts will incorporate data preprocessing techniques to improve scalability and precision.

Conclusions  KASLR remains a critical defense against kernel memory exploitation; however, its resilience is increasingly challenged by instruction-dependent microarchitectural side-channel attacks. This study presents an automated framework that systematically identifies potential KASLR-bypass instructions, quantifies their attack effectiveness across multiple Intel processor generations, and derives actionable defense signatures to address emerging threats. The findings reveal a significantly underestimated attack surface: hundreds of x86 instructions, at both the assembly and byte levels, are capable of leaking sensitive address information. The broader implications of this work are threefold: (1) Defensive Improvement: the experimental results may be applied directly to enhance signature-based detection systems. (2) Hardware–Software Co-Design: the consistent vulnerability observed across Intel microarchitectures highlights the need to redesign timing isolation mechanisms at the hardware level. (3) Methodological Contribution: the proposed dual-analysis framework offers a generalizable approach for evaluating instruction-level attack surfaces, with applicability to other contexts such as cache-based side-channel attacks. Future research will extend this methodology to alternative architectures, including ARM and RISC-V, and explore the integration of machine learning techniques.
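The abstract states that the identified instruction patterns can feed signature-based detection, and that byte-level matching must cope with x86's variable-length encoding. As an added example (not the paper's framework, and not its opcode tables, which are not reproduced on this page), the Python scanner below encodes a handful of documented Intel SDM forms as opcode/ModRM signatures, handles legacy and REX prefixes plus ModRM/SIB/displacement lengths, sweeps a constructed byte buffer, and then pairs each memory-probe hit with a nearby RDTSC/RDTSCP hit to flag the timer-bracketed probe shape the Methods describe. The signature list, the pairing window, and the sample bytes are assumptions made for this example.

```python
# Added example, not the paper's framework. Opcode encodings are the documented
# Intel SDM forms; the signature list, window size and sample bytes are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Legacy prefixes that may precede an opcode; 66/F2/F3 can also select a
# different instruction, so they are tracked separately.
LEGACY_PREFIXES = {0x66, 0xF2, 0xF3, 0xF0, 0x2E, 0x36, 0x3E, 0x26, 0x64, 0x65, 0x67}
OPSIZE_OR_REP = {0x66, 0xF2, 0xF3}


@dataclass(frozen=True)
class OpcodeSignature:
    name: str
    opcode: bytes                           # opcode bytes after all prefixes
    reg_digit: Optional[int] = None         # required ModRM.reg ("/7"), if any
    mem_only: bool = False                  # require ModRM.mod != 3 (memory operand)
    mandatory_prefix: Optional[int] = None  # 0x66/0xF2/0xF3, or None for an "NP" form


# Illustrative list only; the paper's own byte-level opcode results are not on the page.
SIGNATURES: List[OpcodeSignature] = [
    OpcodeSignature("CLFLUSH", b"\x0f\xae", reg_digit=7, mem_only=True),
    OpcodeSignature("CLFLUSHOPT", b"\x0f\xae", reg_digit=7, mem_only=True, mandatory_prefix=0x66),
    OpcodeSignature("PREFETCHNTA", b"\x0f\x18", reg_digit=0, mem_only=True),
    OpcodeSignature("PREFETCHT0", b"\x0f\x18", reg_digit=1, mem_only=True),
    OpcodeSignature("RDTSC", b"\x0f\x31"),
    OpcodeSignature("RDTSCP", b"\x0f\x01\xf9"),
]
MEMORY_PROBES = {"CLFLUSH", "CLFLUSHOPT", "PREFETCHNTA", "PREFETCHT0"}
TIMERS = {"RDTSC", "RDTSCP"}


def modrm_operand_len(code: bytes, j: int) -> int:
    """Bytes used by ModRM + SIB + displacement at code[j] (32/64-bit addressing)."""
    modrm = code[j]
    mod, rm = modrm >> 6, modrm & 7
    n = 1
    if mod == 3:
        return n                          # register operand: no SIB, no displacement
    if rm == 4 and j + 1 < len(code):     # SIB byte follows
        n += 1
        if mod == 0 and (code[j + 1] & 7) == 5:
            n += 4                        # no base register: disp32
    if mod == 0 and rm == 5:
        n += 4                            # disp32 / RIP-relative
    elif mod == 1:
        n += 1
    elif mod == 2:
        n += 4
    return n


def match_at(code: bytes, i: int, sig: OpcodeSignature) -> int:
    """Return the encoded length of sig if it starts at code[i], else 0."""
    j, seen, count = i, set(), 0
    while j < len(code) and code[j] in LEGACY_PREFIXES and count < 4:
        seen.add(code[j])
        j, count = j + 1, count + 1
    if j < len(code) and 0x40 <= code[j] <= 0x4F:   # REX prefix (64-bit mode)
        j += 1
    selecting = seen & OPSIZE_OR_REP
    if sig.mandatory_prefix is None and selecting:
        return 0                          # an NP form must not carry 66/F2/F3
    if sig.mandatory_prefix is not None and selecting != {sig.mandatory_prefix}:
        return 0
    if code[j:j + len(sig.opcode)] != sig.opcode:
        return 0
    j += len(sig.opcode)
    if sig.reg_digit is None:
        return j - i
    if j >= len(code):
        return 0
    modrm = code[j]
    if (modrm >> 3) & 7 != sig.reg_digit or (sig.mem_only and modrm >> 6 == 3):
        return 0
    return j - i + modrm_operand_len(code, j)


def scan(code: bytes) -> List[Tuple[int, str]]:
    """Linear sweep: try every signature at each offset; on a hit skip the whole
    instruction so a prefixed form is not re-reported as its unprefixed sibling."""
    hits, i = [], 0
    while i < len(code):
        length = 0
        for sig in SIGNATURES:
            length = match_at(code, i, sig)
            if length:
                hits.append((i, sig.name))
                break
        i += length or 1
    return hits


def timed_probe_windows(hits: List[Tuple[int, str]], window: int = 32) -> List[Tuple[int, int]]:
    """Pair each memory-probe hit with the nearest timer hit within `window` bytes:
    a composite signature for the timer-bracketed probe shape, not a single opcode."""
    timers = [off for off, name in hits if name in TIMERS]
    pairs = []
    for off, name in hits:
        if name in MEMORY_PROBES:
            near = [t for t in timers if abs(t - off) <= window]
            if near:
                pairs.append((off, min(near, key=lambda t: abs(t - off))))
    return pairs


# Constructed sample bytes (not from the paper): a timer-bracketed CLFLUSH of [rdx]
# plus decoys (mov, sfence) that must not match.
SAMPLE = bytes([
    0x48, 0x89, 0xC8,          # mov rax, rcx              (no signature)
    0x0F, 0x31,                # rdtsc                     -> offset 3
    0x0F, 0xAE, 0x3A,          # clflush byte ptr [rdx]    -> offset 5 (ModRM mod=0 reg=7 rm=rdx)
    0x0F, 0xAE, 0xF8,          # sfence: 0F AE /7 with mod=3, must not count as CLFLUSH
    0x66, 0x0F, 0xAE, 0x3A,    # clflushopt byte ptr [rdx] -> offset 11
    0x0F, 0x01, 0xF9,          # rdtscp                    -> offset 15
    0x0F, 0x18, 0x0A,          # prefetcht0 [rdx]          -> offset 18 (ModRM reg=1)
])
```

Running `scan(SAMPLE)` reports RDTSC, CLFLUSH, CLFLUSHOPT, RDTSCP and PREFETCHT0 at the offsets noted in the comments and skips the `sfence` decoy, because the `/7` digit of CLFLUSH only applies when ModRM selects a memory operand; `timed_probe_windows(scan(SAMPLE), window=8)` then pairs each probe with its nearest timer. Two caveats for practical use: a linear byte sweep over-approximates on x86, since the encoding is not self-synchronizing, so a detection pipeline should apply `match_at` at instruction boundaries produced by a disassembler rather than at every offset; and the signature list here is a placeholder that would be replaced by the instruction set a study such as this one actually reports.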

    Figures(4)  / Tables(4)
