Cyber Security News

KernelSnitch – A New Side-Channel Attack Targeting Data Structures

Researchers have disclosed KernelSnitch, a novel side-channel attack exploiting timing variances in Linux kernel data structures, achieving covert data transmission rates up to 580 kbit/s and enabling website fingerprinting with 89% accuracy. 

The attack targets four critical container types: fixed/dynamic hash tables, radix trees, and red-black trees, bypassing hardware-based defenses through software-induced timing leaks.

KernelSnitch exploits the fundamental property that kernel data structures require variable access times depending on their occupancy level – the number of elements stored. Key vulnerable structures include:

  • futex_hash_table: Manages Fast User-space Mutex (FUTEX) queues
  • posix_timers_hashtable: Stores POSIX timer objects
  • ipc_ids.key_ht: Dynamically resizable hash table for IPC objects
  • hrtimer_bases.clock_base.active: Red-black tree for high-resolution timers

The attack measures syscall execution times to infer structural changes. For example, sys_futex_wait appends elements to hash buckets, while sys_futex_wake probes occupancy through timed iterations.

To overcome nanosecond-scale timing differences, researchers developed two amplification methods:

Structure-Agnostic: Flushes CPU caches via LLC-sized eviction sets, forcing memory reloads. This converts cache hits to misses, amplifying timing deltas by 347%.

Hardware-Agnostic: Artificially inflates target structures. In futex attacks, appending 64+ queues to a single bucket via repeated sys_futex_wait calls creates measurable 8.2µs timing gaps.

Attack Vectors

Covert Channel Construction

Using synchronized sender and receiver processes, the covert channel achieved:

  • 580 kbit/s transmission using futex_hash_table
  • 528 kbit/s via ipc_ids.key_ht dynamic hash table
  • 35 kbit/s through red-black tree operations

Error rates remained below 2.8% using adaptive thresholding.

Kernel Heap Pointer Leak

By exploiting jhash2 collisions in futex hashing, attackers derived mm_struct addresses in ≤65 seconds. This enabled cross-cache reuse attacks, placing msg_msg objects at known locations for privilege escalation.

Website Fingerprinting

Monitoring futex_hash_table occupancy during Firefox browsing sessions generated 300-dimensional timing vectors. A convolutional neural network (CNN) classifier achieved:

  • 89.5% F1-score on Ahrefs Top 100 sites
  • 93.2% precision distinguishing media-heavy pages

Mitigation Challenges

The research team from Graz University of Technology outlines fundamental defense difficulties:

  • Constant-time enforcement: impractical for unbounded structures
  • Namespace isolation: introduces performance overheads
  • Timing source removal: breaks legitimate applications

Proposed solutions include watermark-based execution padding and structure partitioning, but none eliminate leakage completely.
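To make the occupancy dependence described above concrete, and to show what watermark-based padding does and does not fix, here is an added C example that is not part of the paper, its prototypes, or the kernel: a toy chained hash table in which a bucket walk costs one step per element, with a leaky lookup beside a watermark-padded one. The table layout, keys and step-count model are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Toy chained hash table: a bucket walk costs one step per element, as a
 * futex_hash_table lookup does. Steps stand in for measured time.
 * Added example for illustration, not kernel code. */
#define NBUCKETS 8
struct node  { uint32_t key; struct node *next; };
struct table { struct node *bucket[NBUCKETS]; size_t watermark; };
static size_t bucket_of(uint32_t key) { return key % NBUCKETS; }
/* Push at the bucket head; raise the watermark to the deepest bucket seen. */
static void table_insert(struct table *t, struct node *n) {
    size_t b = bucket_of(n->key), depth = 1;
    for (struct node *p = t->bucket[b]; p; p = p->next) depth++;
    n->next = t->bucket[b];
    t->bucket[b] = n;
    if (depth > t->watermark) t->watermark = depth;
}
/* Leaky lookup: steps equal the key's position, or the bucket length on a
 * miss, so timing a single probe reveals how full the bucket is. */
size_t lookup_leaky(const struct table *t, uint32_t key) {
    size_t steps = 0;
    for (const struct node *p = t->bucket[bucket_of(key)]; p; p = p->next) {
        steps++;
        if (p->key == key) break;
    }
    return steps;
}
/* Watermark-padded lookup: walk the whole bucket with no early exit, then
 * add dummy steps up to the table-wide watermark. Cost is now identical for
 * every key and bucket; only growth of the watermark itself stays visible,
 * which is why padding narrows the leak rather than removing it. */
size_t lookup_padded(const struct table *t, uint32_t key) {
    size_t steps = 0;
    volatile size_t sink = 0;
    for (const struct node *p = t->bucket[bucket_of(key)]; p; p = p->next) {
        steps++;
        sink += (p->key == key);   /* note the hit without branching out */
    }
    while (steps < t->watermark) { sink += steps; steps++; }
    return steps;
}
/* Constructed sample: keys 0, 8 and 16 collide in bucket 0; key 1 is alone. */
static struct table *demo_table(void) {
    static struct table t;
    static struct node n[4] = { {0, 0}, {8, 0}, {16, 0}, {1, 0} };
    static int built;
    if (!built) { for (int i = 0; i < 4; i++) table_insert(&t, &n[i]); built = 1; }
    return &t;
}
size_t leaky_steps(uint32_t key)  { return lookup_leaky(demo_table(), key); }
size_t padded_steps(uint32_t key) { return lookup_padded(demo_table(), key); }
```

With the sample table, the leaky lookup costs 1, 2 or 3 steps depending on the key probed, while the padded lookup costs 3 steps for every key, hit or miss.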

Linux kernel maintainers acknowledged the findings, noting existing KASLR vulnerabilities while emphasizing the novelty of heap pointer leaks. 

The researchers open-sourced attack prototypes and urged reevaluation of kernel data structure security models.

This work highlights the persistent risk of software-induced side channels, proving that even “leakage-free” hardware cannot prevent OS-level information exposure. 

As containerization and real-time systems proliferate, KernelSnitch underscores the need for structural security audits in foundational OS components.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
