The DrK Attack - Proof of concept
Branch: master
Clone or download
Yeongjin Jang
Yeongjin Jang x
Latest commit dfbd450 Jan 8, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
common initial Oct 20, 2016
linux check if processor supports Intel TSX Oct 26, 2016
Makefile initial Oct 20, 2016 x Jan 8, 2018
timing-mu.png initial Oct 20, 2016
timing-x-nx.png initial Oct 20, 2016

The DrK (De-randomizing Kernel ASLR) attack

DrK is an attack that breaks kernel address space layout randomization (KASLR) by exploiting TLB and decoded i-cache side channel. To reliably exploit the side channels, the DrK attack took advantage of Intel TSX (Transactional Synchronization eXtension). One surprising behavior of TSX, which is essentially the root cause of this security loophole, is that it aborts a transaction without notifying the underlying kernel even when the transaction fails due to a critical error, such as a page fault or an access violation, which traditionally requires kernel intervention. DrK turns this property into a precise timing channel that can determine the mapping status (i.e., mapped versus unmapped) and execution status (i.e., executable versus non-executable) of the privileged kernel address space. Since such behavior is on the hardware level, DrK is universally applicable to all OSes, even in virtualized environments, and generates no visible footprint, making it difficult to detect in practice. Therefore, DrK can break the KASLR of all major OSes (i.e., Windows, Linux, and OS X) with near-perfect accuracy in under a second.

More details


Timing (click the image to watch the video)

[Timing Demo] (

Full attack on Linux (click the image to watch the video)

[Full attack on Linux] (


Run make on the directory of this repository.

Example: Timing demo

Run cd timing; ./

Example: Breaking KASLR in Linux

Run cd linux; ./