Lukas Maar of Graz University of Technology examines how timing and microarchitectural side channels undermine kernel memory randomization and enable reliable disclosure of security-critical object locations.
Modern kernel defenses rely on memory randomization to prevent exploitation, yet subtle system behaviors continue to expose object locations. Timing variations in software data structures and microarchitectural effects in address translation reveal measurable signals that undermine these protections.
This session presents two timing side-channel attacks that derandomize the locations of security-critical kernel objects in the latest Linux kernel. By combining software-induced and hardware-induced techniques, attackers can infer kernel heap, stack and metadata locations without triggering instability or crashes - a crucial prerequisite for most modern kernel exploits.
In this session, led by Lukas Maar, postdoctoral researcher at Graz University of Technology, you will learn:
- How timing differences in kernel data structures leak object locality;
- How microarchitectural behavior in address translation reveals mapped kernel memory locations;
- Why defensive trade-offs between performance optimization and security hardening create unintended information leakage that amplifies exploit reliability.
Here is the course outline:
Derandomizing Kernel Object Locations With Software- and Hardware-Induced Side Channels
Completion
The following certificates are awarded when the course is completed:
CPE Credit Certificate
