University of Oulu

Karvandi, M.S., Khalaj Monfared, S., Kiarostami, M.S., Rahmati, D., Gorgin, S. (2022). A TSX-Based KASLR Break: Bypassing UMIP and Descriptor-Table Exiting. In: Luo, B., Mosbah, M., Cuppens, F., Ben Othmane, L., Cuppens, N., Kallel, S. (eds) Risks and Security of Internet and Systems. CRiSIS 2021. Lecture Notes in Computer Science, vol 13204. Springer, Cham. https://doi.org/10.1007/978-3-031-02067-4_3

A TSX-based KASLR break : bypassing UMIP and descriptor-table exiting

Author: Karvandi, Mohammad Sina (1); Khalaj Monfared, Saleh (1); Kiarostami, Mohammad Sina (2);
Organizations: (1) School of Computer Science, Institute for Research in Fundamental Sciences (IPM), Tehran, Iran
(2) Center for Ubiquitous Computing, Faculty of ITEE, University of Oulu, Oulu, Finland
(3) Computer Science and Engineering Department, Shahid Beheshti University, Tehran, Iran
Format: article
Version: accepted version
Access: embargoed
Persistent link: http://urn.fi/urn:nbn:fi-fe2022101161598
Language: English
Published: Springer Nature, 2022
Publish Date: 2023-04-09
Description:

Abstract

In this paper, we introduce a reliable method based on Transactional Synchronization Extensions (TSX) side-channel leakage to break KASLR and reveal the addresses of the Global Descriptor Table (GDT) and the Interrupt Descriptor Table (IDT). We show that, once these addresses are known, one can execute instructions that sidestep Intel's User-Mode Instruction Prevention (UMIP) and the hypervisor-based mitigation and, consequently, neutralize them. The introduced method still works after the most recent patches for Meltdown and Spectre. Moreover, we demonstrate that combining this method with the call-gate mechanism (available in modern processors) in a chain of events eventually leads to a system compromise despite the restrictions of a highly restrictive sandbox in the presence of Windows's proprietary Virtualization Based Security (VBS). Finally, we suggest a software-based mitigation that avoids these issues at an acceptable overhead cost.


Series: Lecture notes in computer science
ISSN: 0302-9743
ISSN-E: 1611-3349
ISSN-L: 0302-9743
Volume: 13204
Pages: 38 - 54
DOI: 10.1007/978-3-031-02067-4_3
OADOI: https://oadoi.org/10.1007/978-3-031-02067-4_3
Host publication: Risks and security of internet and systems : CRiSIS 2021
Conference: International conference on risks and security of internet and systems
Type of Publication: A4 Article in conference proceedings
Field of Science: 113 Computer and information sciences
Subjects:
TSX
Copyright information: © 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG. This version of the article has been accepted for publication, after peer review (when applicable) and is subject to Springer Nature’s AM terms of use, but is not the Version of Record and does not reflect post-acceptance improvements, or any corrections. The Version of Record is available online at: http://dx.doi.org/10.1007/978-3-031-02067-4_3