A Way Around UMIP and Descriptor-Table Exiting via TSX-based Side-Channel

TL;DR

This paper presents a TSX-based side-channel attack method to bypass kernel protection mechanisms like UMIP and descriptor-table exiting, demonstrating potential system compromises across multiple OSes and proposing software mitigations.

Contribution

The paper introduces a novel TSX-based side-channel technique to reveal kernel descriptor addresses, bypassing recent protections like UMIP and VBS, with cross-platform applicability.

Findings

Successfully bypassed UMIP and descriptor-table protections

Demonstrated system compromise on Windows, Linux, and MacOS

Proposed software mitigation with acceptable overhead

Abstract

Nowadays, in operating systems, numerous protection mechanisms prevent or limit the user-mode applicationsto access the kernels internal information. This is regularlycarried out by software-based defenses such as Address Space Layout Randomization (ASLR) and Kernel ASLR(KASLR). They play pronounced roles when the security of sandboxed applications such as Web-browser are considered.Armed with arbitrary write access in the kernel memory, if these protections are bypassed, an adversary could find a suitable where to write in order to get an elevation of privilege or code execution in ring 0. In this paper, we introduce a reliable method based on Transactional Synchronization Extensions (TSX) side-channel leakage to reveal the address of the Global Descriptor Table (GDT) and Interrupt Descriptor Table (IDT). We indicate that by detecting these addresses, one could execute instructions to sidestep the Intels User-Mode InstructionPrevention (UMIP) and the Hypervisor-based mitigation and, consequently, neutralized them. The introduced method is successfully performed after the most recent patches for Meltdown and Spectre. Moreover, the implementation of the proposed approach on different platforms, including the latest releases of Microsoft Windows, Linux, and, Mac OSX with the latest 9th generation of Intel processors, shows that the proposed mechanism is independent from the Operating System implementation. We demonstrate that a combinationof this method with call-gate mechanism (available in modernprocessors) in a chain of events will eventually lead toa system compromise despite the limitations of a super-secure sandboxed environment in the presence of Windows proprietary Virtualization Based Security (VBS). Finally, we suggest the software-based mitigation to avoid these issues with an acceptable overhead cost.