A new side-channel attack, KernelSnitch, has been discovered by researchers at Graz University of Technology. This software-based attack exploits timing variances in Linux kernel data structures like hash tables, radix trees, and red-black trees. Unlike hardware-dependent attacks such as Spectre or Meltdown, KernelSnitch targets the kernel’s dynamic data structures to leak sensitive data across isolated processes. The attack is enabled by measuring syscall execution times and inferring kernel data occupancy, which reveals confidential information without the need for privileged access.
KernelSnitch works by exploiting the varying access times of kernel data structures based on their occupancy. By triggering specific syscalls such as futex or msgget, attackers can observe the duration of the operations. Longer syscall durations indicate a higher occupancy of the data structure, which can be used to infer confidential information through precise timing measurements. These variations, as small as 8 CPU cycles, can be magnified using techniques like cache thrashing or manipulating the kernel data structures themselves.
The attack has demonstrated three real-world exploits that highlight its effectiveness.
First, attackers can create a covert channel to communicate maliciously by manipulating hash bucket occupancy, achieving data transmission speeds up to 580 kbit/s with minimal error. Second, KernelSnitch allows attackers to leak kernel heap pointers by forcing hash collisions, which enables precise heap manipulation in less than 65 seconds. Third, the attack can be used for website fingerprinting, where attackers analyze syscall activity during webpage loads, achieving 89% accuracy in identifying websites based on timing patterns.
KernelSnitch is notable because it bypasses hardware mitigations designed for other side-channel attacks, making it more difficult to defend against. It affects all major operating systems using dynamic kernel structures, such as Linux 5.15 to 6.8. Mitigating the attack requires fundamental changes, including constant-time coding practices and namespace isolation to prevent shared structure access across security domains. The researchers stress that this requires architectural shifts, not just incremental patches, to prevent future exploitation as kernel-level attacks become more sophisticated.
