Derandomizing the Location of Security-Critical Kernel Objects in the Linux Kernel
Black Hat USA 2025 · Day 1 · Briefings
Researchers Lukas Maar and Lukas Giner from Graz University of Technology present a TLB timing side-channel attack that defeats KASLR (Kernel Address Space Layout Randomization) by revealing the precise locations of security-critical kernel objects (pipe buffers, msg_msg objects, page tables, and the kernel stack) without requiring any kernel vulnerability. Combined with an existing exploit primitive (the "unlink" write), the technique converts a limited capability into a fully arbitrary kernel read/write primitive, demonstrated live on the latest Linux kernel with a privilege escalation to root.
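Why knowing an object's exact address matters to the "unlink" primitive the abstract mentions is easiest to see in a user-space model. The block below is an added illustration, not code from the talk or from the Linux kernel: it mirrors the kernel's doubly linked list removal (`__list_del`, two unconditional pointer writes) on a node whose `prev`/`next` an attacker controls, and shows that the attacker needs the real address of the target field (here a constructed `struct victim` with a hypothetical `fn_ptr`) and a writable address for the side-effect write. The hardened variant models the back-pointer check the kernel performs under `CONFIG_LIST_HARDENED`; all names other than the kernel's list semantics are assumptions for the demo.

```c
// Added example: user-space model of the classic list "unlink" write.
// Not the talk's exploit chain; it only shows why derandomized addresses
// turn two fixed pointer writes into an attacker-chosen write.
#include <stdint.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

/* Mirrors the kernel's __list_del(prev, next): two unconditional writes.
   noinline keeps the compiler from reasoning across the aliasing casts below. */
__attribute__((noinline))
static void list_del_unchecked(struct list_head *entry) {
    struct list_head *next = entry->next, *prev = entry->prev;
    next->prev = prev;   /* write #1: *(next + 8) = prev  (side effect)      */
    prev->next = next;   /* write #2: *(prev + 0) = next  (the useful write) */
}

/* Hardened model (as the kernel's list corruption check does): refuse to
   unlink unless both neighbours point back at the entry. Returns 1 if unlinked. */
__attribute__((noinline))
static int list_del_checked(struct list_head *entry) {
    if (entry->next->prev != entry || entry->prev->next != entry)
        return 0;   /* corruption detected: no write happens */
    list_del_unchecked(entry);
    return 1;
}

/* Constructed victim object: fn_ptr stands in for any security-critical
   pointer-sized field the attacker wants to overwrite. */
struct victim { uint64_t pad; uintptr_t fn_ptr; };

/* Constructed attacker-controlled area; write #1 must land somewhere writable,
   so the value written by write #2 is chosen as this buffer's address. */
static unsigned char scratch[64] __attribute__((aligned(16)));

/* Unlink a corrupted node so that write #2 overwrites v->fn_ptr.
   Returns v->fn_ptr afterwards so the effect can be checked. */
static uintptr_t exploit_unlink(struct victim *v, int hardened) {
    struct list_head node;
    uintptr_t value = (uintptr_t)scratch;       /* what to write          */
    node.prev = (struct list_head *)&v->fn_ptr; /* where: prev->next == fn_ptr */
    node.next = (struct list_head *)value;      /* write #1 hits scratch+8 */
    if (hardened)
        list_del_checked(&node);
    else
        list_del_unchecked(&node);
    return v->fn_ptr;
}

int main(void) {
    struct victim v = { 0, 0x4141 };
    printf("hardened unlink leaves fn_ptr = 0x%lx\n",
           (unsigned long)exploit_unlink(&v, 1));
    printf("unchecked unlink sets fn_ptr = %p (scratch = %p)\n",
           (void *)exploit_unlink(&v, 0), (void *)scratch);
    return 0;
}
```

The model makes the dependency on derandomization explicit: `node.prev` must hold the true address of the field to overwrite, and `node.next` must be an address whose `+8` is writable, both of which the attacker only knows once KASLR and the object's slab position are revealed. The hardened check also shows why a bare unlink is not enough on modern kernels and why an exploit chain needs the object addresses rather than just a corrupted node.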
AI review
Graz delivers a complete, weaponized microarchitectural attack chain: TLB timing from unprivileged user space, KASLR defeated without any kernel bug, existing security defenses exploited to amplify granularity from 2 MB to 4 KB, and a live demo converting a constrained unlink primitive to arbitrary kernel read/write to root. Near-100% reliability on kernels 5.15 through 6.8. This is serious kernel exploitation research.