Derandomizing the Location of Security-Critical Kernel Objects in the Linux Kernel

In this talk, we will present a novel timing side-channel attack on the TLB, combined with kernel allocator massaging, to derandomize the location of security-critical kernel objects in the latest Linux kernel. We call these location disclosure attacks, as they reveal memory layout information, an essential step for most modern kernel exploits.

In contrast to prior TLB side-channel attacks, which reveal only coarse-grained memory locations (e.g., physical mapping base address or code segment), our attack is the first to leak the locations of security-critical kernel objects, including kernel heap objects, page tables, and the kernel stack. Using our location disclosure combined with memory corruption attacks significantly enhances the stability and reliability of kernel exploitation. Our approach enables new exploit techniques as well as re-enables previously mitigated ones.

We conduct an in-depth root cause analysis of this side channel, examining how TLB leakage arises. Specifically, we show how design decisions in kernel defenses and the kernel memory allocator unintentionally facilitate these attacks, making location leakage possible.

Finally, we show an end-to-end attack in which an unprivileged user leaks most of the security-critical kernel objects within seconds on a recent Intel CPU and an up-to-date Ubuntu Linux kernel.

By:
Lukas Maar | InfoSec Researcher, Graz University of Technology
Lukas Giner | InfoSec Researcher, Graz University of Technology

Presentation Materials Available at:
https://blackhat.com/us-25/briefings/...