Collide+Power: The Evolution of Software-based Power Side-Channels Attacks
This talk demonstrates the evolution of software-based power side-channel attacks, specifically focusing on how unprivileged access to power-monitoring interfaces like RAPL can be used to infer sensitive data. The research highlights how these side channels can be combined with transient execution techniques to leak arbitrary data from CPU caches. The speaker presents a generic methodology for building these attacks, independent of the target application, and discusses the limitations of current hardware-based mitigations. A live demonstration shows the practical application of these techniques to break KASLR and perform pixel-stealing attacks.
Breaking KASLR and Stealing Pixels: The Reality of Software-Based Power Side-Channels
TLDR: Modern CPUs expose power-monitoring interfaces like RAPL that can be accessed by unprivileged users to infer sensitive data. By measuring energy consumption, researchers can bypass KASLR and even perform pixel-stealing attacks on GPU-rendered content. This research proves that power side-channels are no longer limited to physical access and represent a genuine threat to multi-tenant environments.
Hardware-level side-channel attacks no longer require an oscilloscope and a physical tap on a target's power supply. The research presented at Black Hat 2023 on Collide+Power shows that the software-readable power interfaces once considered benign are usable sensors for an attacker. If you are performing a red team engagement or a penetration test in a cloud environment, you need to understand that the CPU itself leaks information about the instructions and data it processes, and that a co-tenant can read that leakage without any hardware access.
The Mechanics of Power Leakage
At the heart of this issue is the Running Average Power Limit (RAPL) interface. Originally designed to let the operating system manage power consumption and thermal throttling, RAPL exposes energy counters through model-specific registers, which Linux in turn surfaces to user space through the powercap sysfs tree (the energy_uj files) and the perf subsystem. Historically, those sysfs counters were world-readable by default, so any local user could sample them.
The attack methodology is straightforward. The attacker runs a process on the SMT sibling (hyper-thread) of the victim's logical core, so that both share one physical core with its caches and buffers, and samples the energy counters while the victim works. Different instructions and different data operands flip different numbers of CMOS transistors, so the power signature depends on what the victim executes and on the data it moves. Collide+Power sharpens this into a data leak: the energy spent moving a value through a shared buffer or cache line depends on how many bits change relative to the value that was there before, so by placing attacker-chosen values where they collide with the victim's data, the attacker turns the measured energy into a function of the victim's bits. When the victim accesses a specific memory address, the power consumption fluctuates in a way that is measurable through these software interfaces.
For a pentester, this means you can effectively "see" into the victim's execution flow. You do not need a memory corruption bug to gain information; you only need to share a physical core with the victim.
Breaking KASLR and Stealing Pixels
One of the most compelling demonstrations in this research is the use of power side-channels to break Kernel Address Space Layout Randomization (KASLR). The kernel image lands in one of a limited number of candidate slots. By repeatedly touching each slot and measuring the energy cost of those accesses, an attacker can tell which slot is mapped: an access that hits a mapped kernel page produces a different power signature than one that faults on an unmapped page. This de-randomizes the kernel memory layout in seconds and provides the map a subsequent exploit needs.
The research also extends to the GPU. Because an integrated GPU shares the power and thermal budget of the CPU on the same SoC, CPU-side throttling can be used as a proxy for GPU activity. In a pixel-stealing attack, the attacker monitors the CPU's power draw and throttling while the victim renders a screen. Because bright pixels and dark pixels have different energy costs, the attacker reconstructs the rendered image pixel by pixel from the traces. This is not just theoretical: it is a path to exfiltrating content displayed in a browser or a secure application window.
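The measurement primitive behind both demonstrations, written here as an added example rather than code from the talk or the Collide+Power authors: read a RAPL zone's energy counter before and after an operation, correct for counter wrap, and, given repeated measurements per candidate (kernel slots, pixels), pick the candidate whose energy signature stands out from the rest. The sysfs path and zone number are assumptions about the host, and the sample traces are constructed, not measured.

```python
"""Wrap-safe RAPL energy sampling plus a per-candidate energy classifier.

Added example; this is not code from the Collide+Power authors or the talk.
Assumes the Linux powercap sysfs layout (energy_uj, max_energy_range_uj) and
read access to it. SAMPLE_TRACES below is constructed, not measured.
"""
import os
import statistics
from typing import Callable, Dict, Optional, Sequence

# Package-level RAPL zone; the zone number is an assumption about the host.
RAPL_DOMAIN = "/sys/class/powercap/intel-rapl/intel-rapl:0"


def read_counter(path: str) -> int:
    """Read one integer sysfs counter (micro-joules)."""
    with open(path) as f:
        return int(f.read().strip())


def energy_delta(before: int, after: int, max_range: int) -> int:
    """Energy consumed between two energy_uj readings.

    energy_uj increases monotonically and wraps back to zero after
    max_energy_range_uj, so a plain after - before goes negative across a
    wrap; this corrects for a wrap inside one sample window.
    """
    if after >= before:
        return after - before
    return (max_range - before) + after


def measure(op: Callable[[], None], domain: str = RAPL_DOMAIN) -> int:
    """Micro-joules the zone consumed while op() ran (needs read access)."""
    energy_path = os.path.join(domain, "energy_uj")
    max_range = read_counter(os.path.join(domain, "max_energy_range_uj"))
    before = read_counter(energy_path)
    op()
    after = read_counter(energy_path)
    return energy_delta(before, after, max_range)


def odd_one_out(traces: Dict[str, Sequence[float]], z_threshold: float = 3.0) -> Optional[str]:
    """Return the candidate whose mean energy is an outlier, or None.

    This is the decision step behind "mapped vs unmapped slot" and "bright vs
    dark pixel": each candidate is measured many times and the one whose mean
    sits far from the others (robust z-score from the median and MAD of the
    per-candidate means) is the one with the different signature.
    """
    means = {name: statistics.fmean(t) for name, t in traces.items()}
    centre = statistics.median(means.values())
    mad = statistics.median(abs(m - centre) for m in means.values()) or 1.0
    scores = {name: abs(m - centre) / (1.4826 * mad) for name, m in means.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] >= z_threshold else None


# Constructed per-slot energy samples (uJ): slot2 stands in for the one
# candidate whose access costs measurably more energy than the others.
SAMPLE_TRACES = {
    "slot0": [1000, 1010, 990, 1005, 995],
    "slot1": [1003, 997, 1002, 998, 1010],
    "slot2": [1310, 1290, 1305, 1295, 1300],
    "slot3": [1001, 999, 1004, 996, 990],
    "slot4": [1002, 998, 1001, 999, 1005],
}


if __name__ == "__main__":
    print("outlier:", odd_one_out(SAMPLE_TRACES))
    try:
        print("busy-loop cost (uJ):", measure(lambda: sum(range(2_000_000))))
    except (FileNotFoundError, PermissionError) as e:
        # PermissionError here is the expected state once access is root-only.
        print("no unprivileged RAPL access:", e)
```

Real traces are far noisier than the constructed ones, so the number of repetitions per candidate, not the classifier, is what determines how quickly a slot or pixel is resolved; on an unpatched host, measure() succeeds for any local user, which is the exposure the rest of this page is about.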
Practical Engagement Considerations
If you are testing a multi-tenant cloud environment, check whether the power-monitoring interfaces are readable by your unprivileged user. On a Linux system, read the package energy counter directly:
cat /sys/class/powercap/intel-rapl/intel-rapl:0/energy_uj
If this command returns a value without root privileges, the host is potentially vulnerable to these side-channel techniques (check every zone under /sys/class/powercap, including sub-zones and intel-rapl-mmio, not just intel-rapl:0). During an assessment, pin your monitoring process to the SMT sibling of the target's logical CPU, not merely to an arbitrary CPU number, to maximize the signal-to-noise ratio. The sibling list is in sysfs; for logical CPU 0:
cat /sys/devices/system/cpu/cpu0/topology/thread_siblings_list
If that prints 0,4, pin the monitor to CPU 4 while the target runs on CPU 0:
taskset -c 4 ./monitor_process
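A more robust way to do this pinning, added here as an example and not the page's own tooling: read the target's current CPU from /proc/<pid>/stat, look up that CPU's SMT siblings in sysfs, and set this process's affinity to one of them. The paths are the standard Linux ones; the stat line used in the self-check is constructed.

```python
"""Locate a target's SMT sibling and pin a probe process to it.

Added example, not the page's or the researchers' code. Assumes Linux sysfs
topology files and /proc/<pid>/stat; the stat line in the self-check is
constructed. Requires Python 3.8+.
"""
import os
import sys
from typing import List, Optional


def parse_cpu_list(text: str) -> List[int]:
    """Parse the kernel's cpulist syntax, e.g. "0,4" or "0-3,8-11"."""
    cpus: List[int] = []
    for part in text.strip().split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            cpus.extend(range(int(lo), int(hi) + 1))
        else:
            cpus.append(int(part))
    return cpus


def smt_siblings(cpu: int, cpulist: Optional[str] = None) -> List[int]:
    """Logical CPUs sharing cpu's physical core, excluding cpu itself.

    cpulist lets a caller pass the sysfs content directly; otherwise it is
    read from the CPU's thread_siblings_list.
    """
    if cpulist is None:
        path = f"/sys/devices/system/cpu/cpu{cpu}/topology/thread_siblings_list"
        with open(path) as f:
            cpulist = f.read()
    return [c for c in parse_cpu_list(cpulist) if c != cpu]


def processor_from_stat(stat_line: str) -> int:
    """Field 39 ("processor") of /proc/<pid>/stat: the CPU the task last ran on.

    comm (field 2) may contain spaces and parentheses, so split on the last ')'
    rather than on whitespace; the fields after it start at field 3.
    """
    rest = stat_line.rsplit(")", 1)[1].split()
    return int(rest[39 - 3])


def current_cpu_of(pid: int) -> int:
    with open(f"/proc/{pid}/stat") as f:
        return processor_from_stat(f.read())


def pin_to_sibling_of(pid: int) -> int:
    """Pin this process to an SMT sibling of the CPU that pid is running on."""
    target_cpu = current_cpu_of(pid)
    sibs = smt_siblings(target_cpu)
    if not sibs:
        raise RuntimeError(f"cpu{target_cpu} has no SMT sibling; is SMT enabled?")
    os.sched_setaffinity(0, {sibs[0]})
    return sibs[0]


if __name__ == "__main__":
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    try:
        print("pinned to cpu", pin_to_sibling_of(target))
    except (OSError, RuntimeError) as e:
        print("could not pin:", e)
```

Tasks migrate unless they are pinned, so re-check the target's CPU periodically or, where you control the target, pin it too with taskset -cp before starting the monitor.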
The impact here is significant. In a shared hosting or cloud environment, this technique bypasses the process and VM isolation that defenders normally rely on. While the data rate is currently low, measured in bits per hour, that is enough to de-randomize KASLR and, given enough time, to leak small secrets such as key material.
The Defensive Reality
Mitigating these attacks is notoriously difficult because the underlying issue is a fundamental design choice in modern high-performance CPUs. The industry has largely responded by restricting access to the power interfaces: current Linux kernels expose the powercap energy counters only to root, and reading the RAPL MSRs directly requires root or administrative privileges. While this prevents the most trivial exploits, it does not solve the root cause.
Defenders must recognize that power management is a security-critical component. If you manage infrastructure, keep the kernel patched and verify that access to power-monitoring interfaces is limited to root. Do not assume that these restrictions provide total immunity: as long as the hardware exposes power-related telemetry to optimize performance, and as long as code can observe throttling indirectly through its own timing, side-channel vulnerabilities will persist.
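A check a defender can script to verify that limitation, added here as an example (not from the page or the talk): enumerate every RAPL zone's energy_uj plus the raw MSR devices and flag anything readable by other users. The globs assume the standard Linux powercap and msr paths; the sample inventory is constructed.

```python
"""Flag power-telemetry interfaces that unprivileged code can read.

Added example, not code from the page or the talk. Assumes Linux: RAPL zones
under /sys/class/powercap (energy_uj) and msr character devices under
/dev/cpu. SAMPLE_INVENTORY is constructed so the check runs offline.
"""
import glob
import os
import stat
from typing import Iterable, List, Tuple

ENERGY_GLOB = "/sys/class/powercap/*/energy_uj"  # every zone: package, sub-zones, -mmio
MSR_GLOB = "/dev/cpu/*/msr"                       # present only when the msr module is loaded


def is_world_readable(st_mode: int) -> bool:
    """True if the 'other' read bit is set on the inode mode."""
    return bool(st_mode & stat.S_IROTH)


def exposed(inventory: Iterable[Tuple[str, int]]) -> List[str]:
    """Paths from (path, st_mode) pairs that any local user may read."""
    return sorted(p for p, m in inventory if is_world_readable(m))


def live_inventory() -> List[Tuple[str, int]]:
    """Collect (path, mode) for the telemetry files present on this host."""
    out: List[Tuple[str, int]] = []
    for path in glob.glob(ENERGY_GLOB) + glob.glob(MSR_GLOB):
        try:
            out.append((path, os.stat(path).st_mode))
        except OSError:
            continue
    return out


# Constructed inventory: an unpatched host where the package counter is 0444
# while a sub-zone already carries the restricted 0400 mode, plus an msr device.
SAMPLE_INVENTORY = [
    ("/sys/class/powercap/intel-rapl:0/energy_uj", stat.S_IFREG | 0o444),
    ("/sys/class/powercap/intel-rapl:0:0/energy_uj", stat.S_IFREG | 0o400),
    ("/dev/cpu/0/msr", stat.S_IFCHR | 0o600),
]


if __name__ == "__main__":
    hits = exposed(live_inventory())
    for path in hits:
        print("world-readable:", path)
    if not hits:
        print("no world-readable power telemetry found")
    # Remediation on a kernel that still creates energy_uj as 0444: chmod o-r
    # each energy_uj at boot (sysfs attributes accept chmod); keep msr at 0600.
```

Run it as an ordinary user as well as root: the point is what the unprivileged tenant can open, so an empty result from a root shell proves nothing.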
Focus your efforts on monitoring for anomalous process behavior and restricting the ability of untrusted code to run on the same physical cores as sensitive workloads. The era of ignoring hardware-level side-channels is over. Treat the CPU's power consumption as a sensitive data stream, and you will be one step ahead of the next wave of research.