Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector

Bosman, Erik; Razavi, Kaveh; Bos, Herbert; Giuffrida, Cristiano

doi:10.1109/sp.2016.63

Cited by 154 publications

(233 citation statements)

References 18 publications

Supporting

Mentioning

180

Contrasting

Unclassified

Order By: Relevance

“…Early projects confronted this challenges by picked random addresses following probabilistic approaches [5,[9][10][11]. In latest works, the exact physical address mapping of all the banks should be known in order to access both rows that are directly above and below the victim one to mount a double-side rowhammer attack.…”

Section: Triggering Rowhammermentioning

confidence: 99%

“…Such addresses are accessed one after the other so as to force the eviction of our aggressor row. This can be achieved through the use of a timing attack to find out the eviction set [12,17,18], or by using reverse engineering study of the Device under attack, focusing on manipulating the complex hash functions used by modern Intel processor to further partition the cache into slices [9]. On another approach proposed in [1], rowhammer is triggered with non-temporal store instructions, specifically libc functions, taking advantages of its cache bypass characteristic.…”

Section: Managing To Activate Rows In Each Bank Fast Enough To Triggementioning

confidence: 99%

“…On the other hand, physical addresses can be accessed through the use of huge virtual pages that are backed by contiguous physical addresses which can use relative offsets to access specific physical memory pages [20]. Note that for the rowhammer bug triggered from a scripting language (e.g., JavaScript) large type arrays that are allocated on 2MB regions are being used and a tool that translates JavaScript arrays indices to physical addresses is required to trigger the bit flips on known physical memory locations [9,17].…”

Section: Access the Aggressor Physical Address From Userlandmentioning

confidence: 99%

See 2 more Smart Citations

Exploiting Hardware Vulnerabilities to Attack Embedded System Devices: a Survey of Potent Microarchitectural Attacks

2017

View full text Add to dashboard Cite

Cyber-Physical system devices nowadays constitute a mixture of Information Technology (IT) and Operational Technology (OT) systems that are meant to operate harmonically under a security critical framework. As security IT countermeasures are gradually been installed in many embedded system nodes, thus securing them from many well-know cyber attacks there is a lurking danger that is still overlooked. Apart from the software vulnerabilities that typical malicious programs use, there are some very interesting hardware vulnerabilities that can be exploited in order to mount devastating software or hardware attacks (typically undetected by software countermeasures) capable of fully compromising any embedded system device. Real-time microarchitecture attacks such as the cache side-channel attacks are such case but also the newly discovered Rowhammer fault injection attack that can be mounted even remotely to gain full access to a device DRAM (Dynamic Random Access Memory). Under the light of the above dangers that are focused on the device hardware structure, in this paper, an overview of this attack field is provided including attacks, threat directives and countermeasures. The goal of this paper is not to exhaustively overview attacks and countermeasures but rather to survey the various, possible, existing attack directions and highlight the security risks that they can pose to security critical embedded systems as well as indicate their strength on compromising the Quality of Service (QoS) such systems are designed to provide.

show abstract

Section: Triggering Rowhammermentioning

confidence: 99%

Section: Managing To Activate Rows In Each Bank Fast Enough To Triggementioning

confidence: 99%

Section: Access the Aggressor Physical Address From Userlandmentioning

confidence: 99%

See 1 more Smart Citation

Exploiting Hardware Vulnerabilities to Attack Embedded System Devices: a Survey of Potent Microarchitectural Attacks

2017

View full text Add to dashboard Cite

show abstract

“…Although ASLR has a wider scope than these schemes (e.g., use-after-free bugs), it can only provide probabilistic safety at best, whereas Delta Pointers provide deterministic (spatial) memory safety guarantees on the upper bound. Because of its probabilistic nature, ASLR has proven to be easily circumventable by memory massaging [16,33] or side channels [5,15,17] whereas this is not possible for deterministic defenses such as Delta Pointers. Moreover, the impact of address space reduction is limited in certain application domains.…”

Section: Pointermentioning

confidence: 99%

Delta pointers

Kroes

Koning

Kouwe

et al. 2018

Proceedings of the Thirteenth EuroSys Conference

Self Cite

View full text Add to dashboard Cite

Despite decades of research, buffer overflows still rank among the most dangerous vulnerabilities in unsafe languages such as C and C++. Compared to other memory corruption vulnerabilities, buffer overflows are both common and typically easy to exploit. Yet, they have proven so challenging to detect in real-world programs that existing solutions either yield very poor performance, or introduce incompatibilities with the C/C++ language standard.We present Delta Pointers, a new solution for buffer overflow detection based on efficient pointer tagging. By carefully altering the pointer representation, without violating language specifications, Delta Pointers use existing hardware features to detect both contiguous and non-contiguous overflows on dereferences, without a single check incurring extra branch or memory access operations. By focusing on buffer overflows rather than other vulnerabilities (e.g., underflows), Delta Pointers offer a unique checkless design to provide high performance while still maintaining compatibility. We show that Delta Pointers are effective in detecting arbitrary buffer overflows and, at 35% overhead on SPEC, offer much better performance than competing solutions. CCS CONCEPTS· Security and privacy → Systems security; Software and application security;

show abstract

“…One of the most widely implemented techniques is Address Space Layout Randomization (ASLR) [29], which aims at preventing the attacker from gaining crucial information about the program's memory structure. However, researchers showed that ASLR is vulnerable to application-specific information leaks [35] along with OSbased [6] and hardware-based [15], [18] side-channels. Another popular mitigation is Write XOR Execute (W⊕X), also called Data Execution Prevention (DEP) [26] in Windows.…”

Section: Introductionmentioning

confidence: 99%

Back To The Epilogue: Evading Control Flow Guard via Unaligned Targets

Biondo¹,

Conti²,

Lain³

2018

Proceedings 2018 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

In this paper, we show a significant design vulnerability in Windows CFG and propose a specific attack to exploit it: the Back to The Epilogue (BATE) attack. We show that with BATE an attacker can completely evade from CFG and transfer control to any location, thus obtaining arbitrary code execution. BATE leverages the tradeoff of CFG between precision, performance, and backwards compatibility; in particular, the latter one motivates 16-byte address granularity in some circumstances. This vulnerability, inherent to the CFG design, allows us to call portions of code (gadgets) that should not be allowed, and that we can chain together to escape CFG. These gadgets are very common: we ran a thorough evaluation of Windows system libraries, and found many high value targets -exploitable gadgets in code loaded by almost all the applications on 32-bit systems and by web browsers on 64-bit. We also demonstrate the real-world feasibility of our attack by using it to build a remote code execution exploit against the Microsoft Edge web browser running on 64-bit Windows 10. Finally, we discuss possible countermeasures to BATE.

show abstract

Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector

Cited by 154 publications

References 18 publications

Exploiting Hardware Vulnerabilities to Attack Embedded System Devices: a Survey of Potent Microarchitectural Attacks

Exploiting Hardware Vulnerabilities to Attack Embedded System Devices: a Survey of Potent Microarchitectural Attacks

Delta pointers

Back To The Epilogue: Evading Control Flow Guard via Unaligned Targets

Contact Info

Product

Resources

About