ABSynthe: Automatic Blackbox Side-channel Synthesis on Commodity Microarchitectures

Gras, Ben; Giuffrida, Cristiano; Kurth, Michael; Bos, Herbert; Razavi, Kaveh

doi:10.14722/ndss.2020.23018

Cited by 44 publications

(29 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…ABSynthe [15] and Osiris [48] automatically discover unknown side channels. In contrast, Revizor detects unknown speculative leaks into a known side-channel (e.g.…”

Section: Related Workmentioning

confidence: 99%

Revizor: testing black-box CPUs against speculation contracts

Oleksenko

Fetzer

Köpf

et al. 2022

Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems

View full text Add to dashboard Cite

Speculative vulnerabilities such as Spectre and Meltdown expose speculative execution state that can be exploited to leak information across security domains via side-channels. Such vulnerabilities often stay undetected for a long time as we lack the tools for systematic testing of CPUs to find them.In this paper, we propose an approach to automatically detect microarchitectural information leakage in commercial black-box CPUs. We build on speculation contracts, which we employ to specify the permitted side effects of program execution on the CPU's microarchitectural state. We propose a Model-based Relational Testing (MRT) technique to empirically assess the CPU compliance with these specifications.We implement MRT in a testing framework called Revizor, and showcase its effectiveness on real Intel x86 CPUs. Revizor automatically detects violations of a rich set of contracts, or indicates their absence. A highlight of our findings is that Revizor managed to automatically surface Spectre, MDS, and LVI, as well as several previously unknown variants. CCS CONCEPTS• Security and privacy → Side-channel analysis and countermeasures.

show abstract

“…ABSynthe [15] and Osiris [48] automatically discover unknown side channels. In contrast, Revizor detects unknown speculative leaks into a known side-channel (e.g.…”

Section: Related Workmentioning

confidence: 99%

Revizor: testing black-box CPUs against speculation contracts

Oleksenko

Fetzer

Köpf

et al. 2022

Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems

View full text Add to dashboard Cite

show abstract

“…Other fuzzing proposals use genetic algorithms to direct input generation towards interesting paths [48], [54]. Recently fuzzing has also been used to discover side channels both in software and in the microarchitecture [59], [21], [40], [18]. ct-fuzz [27] used fuzzing to discover timing side channels in cryptographic implementations.…”

Section: Fuzzing To Discover Side Channelsmentioning

confidence: 99%

Practical Timing Side Channel Attacks on Memory Compression

Schwarzl¹,

Borrello²,

Saileshwar³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Microarchitectural attacks. While early microarchitectural attacks such as classic cache side-channel attacks [69,98] or even more recent attacks [5,24,37,38,67,93] primarily focus on breaking crypto implementations, there is a large body of work on microarchitectural attacks to support software exploitation. Such attacks typically use side-channel disclosure to mimic limited memory read primitives [12,26,39] and fault attacks like Rowhammer to mimic limited memory write primitives [12,20,28,29,42,72,76,85,86,92].…”

Section: Related Workmentioning

confidence: 99%

Speculative Probing

Göktaş

Razavi

Portokalidis

et al. 2020

Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

To defeat ASLR or more advanced fine-grained and leakage-resistant code randomization schemes, modern software exploits rely on information disclosure to locate gadgets inside the victim's code. In the absence of such info-leak vulnerabilities, attackers can still hack blind and derandomize the address space by repeatedly probing the victim's memory while observing crash side effects, but doing so is only feasible for crash-resistant programs. However, high-value targets such as the Linux kernel are not crash-resistant. Moreover, the anomalously large number of crashes is often easily detectable. In this paper, we show that the Spectre era enables an attacker armed with a single memory corruption vulnerability to hack blind without triggering any crashes. Using speculative execution for crash suppression allows the elevation of basic memory write vulnerabilities into powerful speculative probing primitives that leak through microarchitectural side effects. Such primitives can repeatedly probe victim memory and break strong randomization schemes without crashes and bypass all deployed mitigations against Spectrelike attacks. The key idea behind speculative probing is to break Spectre mitigations using memory corruption and resurrect Spectrestyle disclosure primitives to mount practical blind software exploits. To showcase speculative probing, we target the Linux kernel, a crash-sensitive victim that has so far been out of reach of blind attacks, mount end-to-end exploits that compromise the system with just-in-time code reuse and data-only attacks from a single memory write vulnerability, and bypass strong Spectre and strong randomization defenses. Our results show that it is crucial to consider synergies between different (Spectre vs. code reuse) threat models to fully comprehend the attack surface of modern systems. CCS CONCEPTS • Security and privacy → Operating systems security.

show abstract

ABSynthe: Automatic Blackbox Side-channel Synthesis on Commodity Microarchitectures

Cited by 44 publications

References 34 publications

Revizor: testing black-box CPUs against speculation contracts

Revizor: testing black-box CPUs against speculation contracts

Practical Timing Side Channel Attacks on Memory Compression

Speculative Probing

Contact Info

Product

Resources

About