Intel’s LASS Continues Linux Kernel Push: New Security Mechanism Fights Side-Channel Attacks
Intel continues its development of the Linear Address Space Separation (LASS) security mechanism for the Linux kernel. The initial set of patches emerged as early as January 2023, and over two years have since passed. Today, developers have released the sixth revision of these updates, though full integration into the mainline kernel remains a work in progress.
LASS is designed to bolster the operating system’s defenses against side-channel attacks. Support for this technology first appeared in the Sierra Forest server processors and was later implemented in the Xeon 6 series. Although these processors are already available on the market, Linux kernel support for LASS is still incomplete.
Intel engineer Kirill Shutemov, who is responsible for the development of the patches, explains that the aim of LASS is to prevent unauthorized access to virtual addresses between user and privileged modes. While similar protections already exist in the form of SMEP (Supervisor Mode Execution Prevention) and SMAP (Supervisor Mode Access Prevention), these are enforced during page table traversal, which introduces potential vulnerabilities—malicious software could exploit timing measurements to infer the structure of the kernel’s address space.
Unlike conventional page-level protection, LASS functions before the page tables are even processed: the check is applied to the linear address itself rather than to the mapping it resolves to. This means a potential attacker cannot leverage cache data, TLB contents, page table walk mechanisms, or other means to deduce memory layout. LASS eliminates the feasibility of side-channel analysis via double page faults, TLB flushes, or speculative data loads.
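The two paragraphs above describe where the LASS check sits relative to the page walk. The following C model, added here for illustration and not code from Intel or the Linux kernel, makes that ordering concrete: an access that LASS rejects never reaches the page-table walk, while an access checked only by page-level protection (SMEP/SMAP or the U/S bit) must walk first, so whether the target is mapped becomes observable. The model assumes LASS partitions the address space on bit 63 of the linear address, that CR4.LASS enables it, and that EFLAGS.AC overrides supervisor data accesses to the user half as it does for SMAP; the page-table entry and the walk counter are constructed stand-ins for the hardware walk.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the LASS permission check (constructed example, not
 * Intel's or the Linux kernel's code). Assumption: bit 63 clear = user half,
 * bit 63 set = supervisor half of the 64-bit linear address space. */

enum cpl { MODE_USER, MODE_SUPERVISOR };
enum access { ACCESS_DATA, ACCESS_FETCH };

typedef struct {
    bool lass_enabled;   /* models CR4.LASS */
    bool eflags_ac;      /* models EFLAGS.AC (STAC/CLAC), the SMAP-style override */
} cpu_state;

static bool is_supervisor_half(uint64_t linear) { return (linear >> 63) & 1; }

/* Returns true if the access may proceed to the page walk, false if LASS
 * blocks it (a #GP in hardware) before any page-table, TLB or cache lookup. */
bool lass_allows(const cpu_state *cpu, enum cpl mode, enum access kind, uint64_t linear)
{
    if (!cpu->lass_enabled) return true;  /* LASS off: only page-level checks apply */
    bool sup_half = is_supervisor_half(linear);
    if (mode == MODE_USER)
        return !sup_half;                 /* user code never touches the supervisor half */
    if (kind == ACCESS_FETCH)
        return sup_half;                  /* kernel never executes from the user half */
    return sup_half || cpu->eflags_ac;    /* kernel data access to user half needs AC=1 */
}

/* Toy page-table entry: the present bit and the user/supervisor bit that
 * page-level protection consults only after the walk has completed. */
typedef struct { bool present; bool user; } pte;

/* Number of page-table walks performed by the model; in hardware the walk,
 * TLB fill and cache traffic are what a timing side channel observes. */
static unsigned walks;
unsigned walk_count(void) { return walks; }
void reset_walks(void) { walks = 0; }

enum result { ALLOW, FAULT_LASS, FAULT_NOT_PRESENT, FAULT_PAGE_PROT };

enum result access_memory(const cpu_state *cpu, enum cpl mode, enum access kind,
                          uint64_t linear, const pte *entry)
{
    /* LASS runs first: no walk, so nothing about the mapping is revealed. */
    if (!lass_allows(cpu, mode, kind, linear))
        return FAULT_LASS;
    walks++;                              /* the page-table walk happens here */
    if (!entry->present)
        return FAULT_NOT_PRESENT;         /* #PF: outcome depends on the layout */
    if (mode == MODE_USER && !entry->user)
        return FAULT_PAGE_PROT;           /* U/S bit: user access to a kernel page */
    if (mode == MODE_SUPERVISOR && entry->user && kind == ACCESS_FETCH)
        return FAULT_PAGE_PROT;           /* SMEP */
    if (mode == MODE_SUPERVISOR && entry->user && kind == ACCESS_DATA && !cpu->eflags_ac)
        return FAULT_PAGE_PROT;           /* SMAP */
    return ALLOW;
}

int main(void)
{
    cpu_state with_lass = { true, false }, without_lass = { false, false };
    pte kernel_mapped = { true, false }, unmapped = { false, false };
    uint64_t kernel_addr = 0xffffffff81000000ULL;  /* constructed sample address */

    reset_walks();
    printf("LASS on : result=%d walks=%u\n",
           access_memory(&with_lass, MODE_USER, ACCESS_DATA, kernel_addr, &kernel_mapped), walk_count());
    reset_walks();
    printf("LASS off: mapped=%d unmapped=%d walks=%u\n",
           access_memory(&without_lass, MODE_USER, ACCESS_DATA, kernel_addr, &kernel_mapped),
           access_memory(&without_lass, MODE_USER, ACCESS_DATA, kernel_addr, &unmapped), walk_count());
    return 0;
}
```

With LASS enabled the user-mode probe of a kernel address is rejected with the walk counter still at zero, and the result is identical whether the page is mapped or not; with LASS disabled the walk runs and the mapped and unmapped cases fault differently, which is the distinction a timing side channel measures.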
The latest version of the patches improves the violation reporting system, clarifies error messages, and introduces various additional refinements. It remains uncertain whether this iteration will be deemed sufficient for inclusion in the next stable kernel release, but those interested can review the updates via the Linux kernel developers’ mailing list.