Citation: LI Zhouyang, QIU Pengfei, QING Yu, WANG Chunlu, WANG Dongsheng. Automated Discovery of Exploitable Instruction Patterns for KASLR Circumvention[J]. Journal of Electronics & Information Technology. doi: 10.11999/JEIT250366
[1] SHACHAM H. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86)[C]. Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, USA, 2007: 552–561. doi: 10.1145/1315245.1315313.
[2] HAN S, KIM S J, SHIN W, et al. Page-oriented programming: Subverting control-flow integrity of commodity operating system kernels with non-writable code pages[C]. Proceedings of the 33rd USENIX Security Symposium, Philadelphia, USA, 2024.
[3] GRUSS D, MAURICE C, FOGH A, et al. Prefetch side-channel attacks: Bypassing SMAP and kernel ASLR[C]. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 2016: 368–379. doi: 10.1145/2976749.2978356.
[4] CHOI H, KIM S, and SHIN S. AVX timing side-channel attacks against address space layout randomization[C]. 2023 60th ACM/IEEE Design Automation Conference, San Francisco, USA, 2023: 1–6. doi: 10.1109/DAC56929.2023.10247741.
[5] RAUSCHER F, FIEDLER C, KOGLER A, et al. A systematic evaluation of novel and existing cache side channels[C]. Network and Distributed System Security (NDSS) Symposium 2025, San Diego, USA, 2025.
[6] ABEL A and REINEKE J. uops.info: Characterizing latency, throughput, and port usage of instructions on Intel microarchitectures[C]. Proceedings of the 24th International Conference on Architectural Support for Programming Languages and Operating Systems, Providence, USA, 2019: 673–686. doi: 10.1145/3297858.3304062.
[7] DAVOLI D, AVANZINI M, and REZK T. On kernel's safety in the Spectre era (and KASLR is formally dead)[C]. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, Salt Lake City, USA, 2024: 1091–1105. doi: 10.1145/3658644.3670332.
[8] MOMEU M, GAIDIS A J, HEIDT J V D, et al. IUBIK: Isolating user bytes in commodity operating system kernels via memory tagging extensions[C]. 2025 IEEE Symposium on Security and Privacy, San Francisco, USA, 2025: 867–885. doi: 10.1109/SP61157.2025.00135.
[9] GRAS B, RAZAVI K, BOSMAN E, et al. ASLR on the line: Practical cache attacks on the MMU[C]. Network and Distributed System Security Symposium 2017, San Diego, USA, 2017.
[10] KOSCHEL J, GIUFFRIDA C, BOS H, et al. TagBleed: Breaking KASLR on the isolated kernel address space using tagged TLBs[C]. 2020 IEEE European Symposium on Security and Privacy, Genoa, Italy, 2020: 309–321. doi: 10.1109/EuroSP48549.2020.00027.
[11] MAAR L, GINER L, GRUSS D, et al. When good kernel defenses go bad: Reliable and stable kernel exploits via defense-amplified TLB side-channel leaks[C]. Proceedings of the 34th USENIX Security Symposium, Seattle, USA, 2025.
[12] LIU Chang, YANG Yi, LI Haoru, et al. A survey of branch prediction attacks on modern processors[J]. Chinese Journal of Computers, 2022, 45(12): 2475–2509 (in Chinese). doi: 10.11897/SP.J.1016.2022.02475.
[13] HETTERICH L, THOMAS F, GERLACH L, et al. ShadowLoad: Injecting state into hardware prefetchers[C]. Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Rotterdam, Netherlands, 2025: 1060–1075. doi: 10.1145/3676641.3716020.
[14] LI Shan, XU Zheliang, SHEN Haihua, et al. Oxpecker: Leaking secrets via fetch target queue[J]. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2025, 44(7): 2461–2474. doi: 10.1109/TCAD.2025.3527903.
[15] CANELLA C, SCHWARZ M, HAUBENWALLNER M, et al. KASLR: Break it, fix it, repeat[C]. Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, Taipei, China, 2020: 481–493. doi: 10.1145/3320269.3384747.
[16] HUND R, WILLEMS C, and HOLZ T. Practical timing side channel attacks against kernel space ASLR[C]. 2013 IEEE Symposium on Security and Privacy, Berkeley, USA, 2013: 191–205. doi: 10.1109/SP.2013.23.
[17] JIN Yu, WANG Chunlu, QIU Pengfei, et al. Whisper: Timing the transient execution to leak secrets and break KASLR[C]. Proceedings of the 61st ACM/IEEE Design Automation Conference, San Francisco, USA, 2024: 188. doi: 10.1145/3649329.3656213.
[18] JANG Y, LEE S, and KIM T. Breaking kernel address space layout randomization with Intel TSX[C]. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 2016: 380–392. doi: 10.1145/2976749.2978321.
[19] HERTOGH M, WIEBING S, and GIUFFRIDA C. Leaky address masking: Exploiting unmasked Spectre gadgets with noncanonical address translation[C]. 2024 IEEE Symposium on Security and Privacy, San Francisco, USA, 2024: 3773–3788. doi: 10.1109/SP54263.2024.00158.
[20] CHEN Yun, HAJIABADI A, and CARLSON T E. GADGETSPINNER: A new transient execution primitive using the Loop Stream Detector[C]. 2024 IEEE International Symposium on High-Performance Computer Architecture, Edinburgh, United Kingdom, 2024: 15–30. doi: 10.1109/HPCA57654.2024.00013.
[21] GRUSS D, LIPP M, SCHWARZ M, et al. KASLR is dead: Long live KASLR[C]. 9th International Symposium on Engineering Secure Software and Systems, Bonn, Germany, 2017: 161–176. doi: 10.1007/978-3-319-62105-0_11.
[22] LIU W, RAVICHANDRAN J, and YAN Mengjia. EntryBleed: A universal KASLR bypass against KPTI on Linux[C]. Proceedings of the 12th International Workshop on Hardware and Architectural Support for Security and Privacy, Toronto, Canada, 2023: 10–18. doi: 10.1145/3623652.3623669.
[23] ZHANG Xin, ZHANG Zhi, SHEN Qingni, et al. SegScope: Probing fine-grained interrupts via architectural footprints[C]. 2024 IEEE International Symposium on High-Performance Computer Architecture, Edinburgh, United Kingdom, 2024: 424–438. doi: 10.1109/HPCA57654.2024.00039.
[24] ZHANG Xin, ZHANG Zhi, SHEN Qingni, et al. ThermalScope: A practical interrupt side channel attack based on thermal event interrupts[C]. Proceedings of the 61st ACM/IEEE Design Automation Conference, San Francisco, USA, 2024: 28. doi: 10.1145/3649329.3656525.
[25] QUYNH N A. OptiROP: The art of hunting ROP gadgets[C]. Black Hat USA 2013, Las Vegas, USA, 2013.
[26] LIU Peng, HU Wenchao, LIU Deqi, et al. A RISC-V test sequence generation method based on instruction generation constraints[J]. Journal of Electronics & Information Technology, 2023, 45(9): 3141–3149 (in Chinese). doi: 10.11999/JEIT230480.
[27] SCHLÜTER B, SRIDHARA S, BERTSCHI A, et al. WeSee: Using malicious #VC interrupts to break AMD SEV-SNP[C]. 2024 IEEE Symposium on Security and Privacy, San Francisco, USA, 2024: 4220–4238. doi: 10.1109/SP54263.2024.00262.
[28] SEDDIGH M, ESFAHANI M, BHATTACHARYA S, et al. Breaking KASLR on mobile devices without any use of cache memory[C]. Proceedings of the 2022 Workshop on Attacks and Solutions in Hardware Security, Los Angeles, USA, 2022: 45–54. doi: 10.1145/3560834.3563823.
[29] JANG H, KIM T, and SHIN Y. SysBumps: Exploiting speculative execution in system calls for breaking KASLR in macOS for Apple silicon[C]. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, Salt Lake City, USA, 2024: 64–78. doi: 10.1145/3658644.3690189.
[30] ZHAO Yiqiang, WANG Qingya, MA Haocheng, et al. Side channel analysis optimization method based on data preprocessing[J]. Journal of Electronics & Information Technology, 2023, 45(1): 49–58 (in Chinese). doi: 10.11999/JEIT211462.