Leaking Kernel Heap Pointers by Exploiting Software-Induced Side-Channel Leakage of Kernel Hash Tables
KernelSnitch
Lukas Maar, Jonas Juffinger
April 3-4, 2025, BRIEFINGS
isec.tugraz.at

About
Novel OS side channel: KernelSnitch
Timing side channel: Different access timings of hash tables
Amplification: Make timing difference exploitable from userspace
Attack: Kernel heap pointer leak in under 1 min
First heap pointer leak using a side channel
Live demo: Leak mm_struct address

https://lukasmaar.github.io/