What Is Linear Address Space Separation (LASS) on Intel® Xeon® 6 Processors?

Linear Address Space Separation (LASS) is a hardware-based security feature introduced in Intel® Xeon® 6 processors. It is designed to prevent unauthorized access between user-space and kernel-space memory. It acts as a preventative measure against speculative execution attacks by enforcing strict separation of the virtual address space, effectively preventing user-mode software from accessing kernel-mode memory and vice versa.

Key Features and Benefits

• Mode-Based Access Control: LASS divides the 64-bit virtual address space into two distinct halves: the lower half (user space) and the upper half (kernel space).
• Pre-Paging Protection: Unlike existing security measures (SMEP, SMAP, and paging) that traverse page tables, LASS enforces access restrictions before paging, preventing malicious software from using timing information to determine the layout of kernel memory.
• Security Mitigation: LASS is designed to mitigate speculative execution vulnerabilities. It also acts as a defense against exploitation of weaknesses found in Linear Address Masking (LAM).
• Performance Impact: Because LASS operates at the hardware level without traversing memory paging structures, it provides security without the typical performance overhead associated with complex software-level protections.

How LASS Works on Intel® Xeon® 6 Processors

When LASS is enabled, the processor hardware monitors memory access based on the current CPU privilege level (CPL):

• User Space Access: If user-mode software attempts to access an address in the upper half (kernel space), a General Protection Fault (#GP) is generated.
• Kernel Space Access: If kernel-mode software attempts to access the lower half (user space), a #GP fault is generated.
• Exceptions: The kernel can temporarily suspend LASS restrictions to perform authorized data transfers, such as reading from or writing to user memory.

LASS is supported in 64-bit mode and is particularly relevant for mitigating attacks that use speculative techniques to steal data across user/kernel boundaries.

Linear address-to-physical address mapping is intended to be randomized to help prevent exploits. However, methods have been published to de-map layout randomization.

LASS prevents these methods by separating the supervisor and user address spaces, which stops memory access with malicious intent.

For more details, please visit:

• Hardware Features and Behaviors Related to Speculative Execution
• Linear Address Space Separation (LASS) - 002 - ID:842704 | Intel® Core™ Ultra 200H and 200U Series Processors