KernelSnitch: Leaking Kernel Heap Pointers by Exploiting Software-Induced Side-Channel Leakage

Black Hat Asia 2025 · Day 2 · Briefings

This presentation introduces **KernelSnitch**, a novel operating-system side-channel attack that leverages timing differences in kernel hash table accesses to leak security-critical kernel heap pointers. Presented by Lucas Ma and Jonas, both PhD candidates at Graz University of Technology, the talk demonstrates a practical, unprivileged user-space attack capable of leaking the address of the `mm_struct`—a crucial kernel data structure—in under one minute. This research highlights a largely unexplored area of operating-system security, showing that even in a world free of hardware and application-level side channels, the operating system itself can introduce exploitable leakage.

AI review

KernelSnitch unveils a groundbreaking, software-induced operating system side channel that reliably leaks security-critical kernel heap pointers from unprivileged user space. This novel attack, which exploits timing differences in kernel hash table accesses, fundamentally enhances the stability of kernel exploitation by providing a non-crashing KASLR bypass for heap objects. The research demonstrates impressive technical depth, robust leakage amplification, and critically, exposes an unmitigated vulnerability in the upstream Linux kernel, making it essential viewing for anyone serious about…
