Abstract: To defeat ASLR or more advanced fine-grained and leakage-resistant code randomization schemes, modern software exploits rely on information disclosure to locate gadgets inside the victim's code. In the absence of such info-leak vulnerabilities, attackers can still hack blind and derandomize the address space by repeatedly probing the victim's memory while observing crash side effects, but doing so is only feasible for crash-resistant programs. However, high-value targets such as the Linux kernel are not crash-…
“…There are two broad categories of approaches to exploiting OS kernels to leak information. One category is side-channel-based approaches, like micro-architectural side-channel attacks [22], [24]. The other category is memory-error-based approaches [33], where attackers exploit memory errors present in kernels to leak information.…”
The severity of information leak (infoleak for short) in OS kernels cannot be underestimated, and various exploitation techniques have been proposed to achieve infoleak in OS kernels. Among them, memory-error-based infoleak is powerful and widely used in real-world exploits. However, existing approaches to finding memory-error-based infoleak lack the systematic reasoning about its search space, and do not fully explore the search space. Consequently, they fail to exploit a large number of memory errors in the kernel. According to a theoretical modeling of memory errors, the actual search space of such approach is huge, as multiple steps could be involved in the exploitation process, and virtually any memory error can be exploited to achieve infoleak. To bridge the gap between the theory and reality, we propose a framework K-LEAK to facilitate generating memory-error-based infoleak exploits in the Linux kernel. K-LEAK considers infoleak exploit generation as a data-flow search problem. By modeling unintended data flows introduced by memory errors, and how existing memory errors can create new memory errors, K-LEAK can systematically search for infoleak data-flow paths in a multistep manner. We implement a prototype of K-LEAK and evaluate it with memory errors from syzbot and CVEs. The evaluation results demonstrate the effectiveness of K-LEAK in generating diverse infoleak exploits using various multi-step strategies.
“…In fact, the disclosure gadget alone only leaves a microarchitectural trace in the cache but does not leak it to the attacker. Therefore, we need to build a valid channel across privilege boundaries (e.g., a shared F+R buffer [93,124,159]).…”
Section: Reload[*secret_byte * 4096]; (mentioning)
confidence: 99%
“…Moreover, our analysis is by no means exhaustive, only focusing on the most "convenient" disclosure gadgets. For instance, one may want to exploit the kernel with a more classic Prime + Probe covert channel [93], loosening the requirements for the disclosure gadget. Or one may consider control over the stack, unlocking more complex gadgets, such as the one used in Section 6.6.2.…”
Section: Indirect-branch Targets (mentioning)
confidence: 99%
“…Spectre [159] and Meltdown [190] set the stage for a large body of transient execution attacks [1,45,93,162,200,235,236,250,252,270,285,286,288,316]. In this work we focus on Branch Target Injection, also dubbed Spectre v2, and specifically focus on the security guarantees and limitations of related defenses.…”
Section: Related Work (mentioning)
confidence: 99%
“…Of all the transient execution vulnerabilities [1,45,93,159,162,190,200,235,236,250,252,270,285,286,288,316] discovered since the first disclosure of such issues in 2018 [124], one of the most worrisome was Branch Target Injection (BTI or Spectre v2 [159]). As the name suggests, it allows attackers to inject speculative branch targets into a victim's context-while also ignoring the architectural privilege boundaries [44,159].…”
In recent years we observed a deepening integration between hardware and software; we now have dedicated hardware for all sorts of applications and software heavily optimized for the underlying hardware. And while this allowed modern systems to keep up with the increasing demand for performance, this new paradigm came at the cost of a more complex hardware-software stack.
Unfortunately, between the cracks of these two domains, we notice a new class of attacks gaining momentum: software-based hardware attacks. As the name suggests, these attacks target underlying hardware vulnerabilities while being leveraged from software—notorious examples being the Rowhammer bug, Spectre, and Meltdown.
In this thesis, we perform an in-depth attack surface analysis of different software-based hardware vulnerabilities while revisiting some of the assumptions upon which the current attacks and defenses are built. More specifically, we deepen the understanding of the DRAM Rowhammer bug from various perspectives: we show how it represents a serious threat to various targets such as mobile devices, web browsers, and Deep Neural Networks; and, we demonstrate that the silver-bullet defense introduced on DDR4 devices against the issue—in-DRAM Target Row Refresh—does not prevent an attacker from triggering bit-flips on millions of devices previously deemed safe.
On top of that, we investigate the effectiveness of hardware defenses introduced against the recent Spectre bug and show how those deployed to prevent cross-privilege Spectre attacks are incomplete, allowing attackers to build new exploits.
TSX Asynchronous Abort (TAA) vulnerability is a class of Side-Channel Attack (SCA) that allows an application to leak data from internal CPU buffers through asynchronous Transactional Synchronization Extension (TSX) aborts that are exploited by the recent Microarchitectural Data Sampling (MDS) attacks. Cross-core TAA attacks can be prevented through microcode updates where CPU buffers are flushed during Operating System (OS) context switching, but there is no solution to our knowledge that exists for hyper-threaded TAA attacks in which the attacker leaks data from sibling hardware threads through asynchronous abort. In this work, we have proposed Diminisher, a Linux kernel-based detection and mitigation solution for both hyper-threaded and cross-core TAA attacks. Diminisher can be logically divided into three phases, i.e., scheduling, detection, and mitigation. Diminisher is a lightweight tool to prevent TAA vulnerability. The novelty lies in the methodology that we propose enabling easy extensions to cover other hyper-threaded attacks for which no satisfactory solutions exist yet. Diminisher detects and mitigates the TAA attacks around 99% of the time at a low-performance overhead of 2.5%.