A Way Around UMIP and Descriptor-Table Exiting via TSX-based Side-Channel Attack

Nowadays, in operating systems, numerous protection mechanisms prevent or limit the user-mode applications to access the kernel's internal information. This is regularly carried out by software-based defenses such as Address Space Layout Randomization (ASLR) and Kernel ASLR (KASLR). They play pronounced roles when the security of sandboxed applications such as Web-browser are considered. Armed with arbitrary write access in the kernel memory, if these protections are bypassed, an attacker could find a suitable Where to Write in order to get an elevation of privilege or maliciously execute codes in ring 0. In this paper, we introduce a reliable method based on Transactional Synchronization Extensions (TSX) side-channel attacks to reveal the address of the Global Descriptor Table (GDT) and Interrupt Descriptor Table (IDT). We indicate that by detecting these addresses, an attack could be executed to sidestep the Intel's User-Mode Instruction Prevention (UMIP) and the Hypervisor-based mitigation and, consequently, neutralized them. The introduced attack is successfully performed after the most recent patches for Meltdown and Spectre. Moreover, the implementation of the proposed attack on different platforms, including the latest releases of Microsoft Windows, Linux, and, Mac OSX with the latest $9^{th}$ generation of Intel processors, shows that the attack is independent of the Operating System implementation. We demonstrate that a combination of this method with call-gate mechanism (available in modern processors) in a chain of attacks will eventually lead to a full system compromise despite the limitations of a super-secure sandboxed environment in the presence of Windows's proprietary Virtualization Based Security (VBS). Finally, we suggest the software-based mitigation to avoid these attacks with an acceptable cost

Unlucky Explorer: A Complete non-Overlapping Map Exploration

Nowadays, the field of Artificial Intelligence in Computer Games (AI in Games) is going to be more alluring since computer games challenge many aspects of AI with a wide range of problems, particularly general problems. One of these kinds of problems is Exploration, which states that an unknown environment must be explored by one or several agents. In this work, we have first introduced the Maze Dash puzzle as an exploration problem where the agent must find a Hamiltonian Path visiting all the cells. Then, we have investigated to find suitable methods by a focus on Monte-Carlo Tree Search (MCTS) and SAT to solve this puzzle quickly and accurately. An optimization has been applied to the proposed MCTS algorithm to obtain a promising result. Also, since the prefabricated test cases of this puzzle are not large enough to assay the proposed method, we have proposed and employed a technique to generate solvable test cases to evaluate the approaches. Eventually, the MCTS-based method has been assessed by the auto-generated test cases and compared with our implemented SAT approach that is considered a good rival. Our comparison indicates that the MCTS-based approach is an up-and-coming method that could cope with the test cases with small and medium sizes with faster run-time compared to SAT. However, for certain discussed reasons, including the features of the problem, tree search organization, and also the approach of MCTS in the Simulation step, MCTS takes more time to execute in Large size scenarios. Consequently, we have found the bottleneck for the MCTS-based method in significant test cases that could be improved in two real-world problems