Practical Timing Side Channel Attack against Kernel Space ASLR

20140910050542 anrin  

The paper proposes side channel attacks that undermine the kernel space Address Space Layout Randomization (ASLR) used by Windows machines. The ASLR technique used by Windows since Vista reserves a large kernel space region and then loads the kernel image and the HAL at one of 64 randomly chosen slots, which randomizes the virtual addresses in the kernel region. A similar technique is used for the drivers. The paper proposes three attacks on ASLR:

1. Probing the L3 cache with a contiguous eviction buffer to decipher the physical address (PA) mappings, and from those the virtual addresses (VA) from which the ASLR bits can be deciphered. The attack targets KiFastCallEntry, reached through SYSENTER, since the offset of this function from the kernel base address is fixed and known.

2. Using double faults and the TLB to reconstruct the allocation of kernel space: after one page fault on a kernel page, the attacker accesses the page again. If the page is allocated, the second access is a TLB hit; otherwise it is a TLB miss, so the page is unallocated. Memory allocation signatures derived from the drivers' INIT sections are used to identify drivers and their load addresses.

3. Preloading the address translation cache: the attack first flushes all caches using the eviction buffer and then executes kernel code to "preload" the cache. It then generates a page fault by jumping to some kernel space address. If that address is in the same range, the page fault handler takes less time because the address translation information is already present. This attack can identify memory pages in the kernel region as well as virtual addresses by studying the image module.

The paper finally points out the limitations in the randomness used by Windows for ASLR, which is not truly random. The paper also proposes a normalization timing scheme so that an unauthorized access to a privileged page causes the page fault handler to return to user mode after a constant number of clock cycles. The paper also reverse engineers the hash function used by Sandy Bridge.
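As an added illustration (not code from the paper or from this summary), the following Python model simulates the page fault timing channel described above and the proposed normalization: a fault on an allocated kernel page takes a few cycles longer to return to user mode, so taking the minimum latency over repeated probes separates allocated from unallocated pages, while padding the handler to a constant cycle count removes the signal. All cycle counts, and the names fault_latency, probe_layout and recovery_rate, are constructed for this model and are not measured values.

```python
import random

# Constructed model: cycle counts are illustrative, not measured on real hardware.
BASE_CYCLES = 1000        # fault path cost for an unallocated kernel page
ALLOC_EXTRA = 40          # extra cost observed when the page is allocated
NOISE_CYCLES = 25         # per-measurement jitter added on top
NORMALIZED_CYCLES = 1200  # constant return time under the normalization scheme


def fault_latency(page_allocated, rng, normalized=False):
    """Cycles the (modelled) page fault handler takes before returning to user mode."""
    if normalized:
        # Mitigation from the paper: every unauthorized access returns after a
        # constant number of cycles, regardless of the page's allocation state.
        return NORMALIZED_CYCLES
    base = BASE_CYCLES + (ALLOC_EXTRA if page_allocated else 0)
    return base + rng.randint(0, NOISE_CYCLES)


def probe_layout(layout, trials=20, normalized=False, seed=1):
    """Guess, for each page in `layout` (True = allocated), whether it is allocated.

    The minimum over repeated trials strips the jitter; the threshold sits
    halfway between the two noise-free latencies.
    """
    rng = random.Random(seed)  # seeded so the simulation is reproducible
    threshold = BASE_CYCLES + ALLOC_EXTRA // 2
    guesses = []
    for allocated in layout:
        best = min(fault_latency(allocated, rng, normalized) for _ in range(trials))
        guesses.append(best > threshold)
    return guesses


def recovery_rate(layout, normalized):
    """Fraction of pages whose allocation state the probe classifies correctly."""
    guesses = probe_layout(layout, normalized=normalized)
    return sum(g == a for g, a in zip(guesses, layout)) / len(layout)


if __name__ == "__main__":
    layout = [True, False, True, False, False, True]  # constructed kernel region
    print("without normalization:", recovery_rate(layout, normalized=False))
    print("with normalization:   ", recovery_rate(layout, normalized=True))
```

With normalization every probe sees the same latency, so the classifier degrades to a constant guess and recovers nothing beyond the base rate of allocated pages.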

http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6547110