Speculative Probing

Göktaş, Enes; Razavi, Kaveh; Portokalidis, Georgios; Bos, Herbert; Giuffrida, Cristiano

doi:10.1145/3372297.3417289

Cited by 21 publications

(8 citation statements)

References 56 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There are two broad categories of approaches to exploiting OS kernels to leak information. One category is side-channel-based approaches, like micro-architectural side-channel attacks [22], [24]. The other category is memory-error-based approaches [33], where attackers exploit memory errors present in kernels to leak information.…”

Section: Introductionmentioning

confidence: 99%

K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel

Liang,

Zou,

Song

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

The severity of information leak (infoleak for short) in OS kernels cannot be underestimated, and various exploitation techniques have been proposed to achieve infoleak in OS kernels. Among them, memory-error-based infoleak is powerful and widely used in real-world exploits. However, existing approaches to finding memory-error-based infoleak lack the systematic reasoning about its search space, and do not fully explore the search space. Consequently, they fail to exploit a large number of memory errors in the kernel. According to a theoretical modeling of memory errors, the actual search space of such approach is huge, as multiple steps could be involved in the exploitation process, and virtually any memory error can be exploited to achieve infoleak. To bridge the gap between the theory and reality, we propose a framework K-LEAK to facilitate generating memory-error-based infoleak exploits in the Linux kernel. K-LEAK considers infoleak exploit generation as a data-flow search problem. By modeling unintended data flows introduced by memory errors, and how existing memory errors can create new memory errors, K-LEAK can systematically search for infoleak data-flow paths in a multistep manner. We implement a prototype of K-LEAK and evaluate it with memory errors from syzbot and CVEs. The evaluation results demonstrate the effectiveness of K-LEAK in generating diverse infoleak exploits using various multi-step strategies.

show abstract

Section: Introductionmentioning

confidence: 99%

K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel

Liang,

Zou,

Song

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…In fact, the disclosure gadget alone only leaves a microarchitectural trace in the cache but does not leak it to the attacker. Therefore, we need to build a valid channel across privilege boundaries (e.g., a shared F+R buffer [93,124,159]).…”

Section: Reload[*secret_byte * 4096];mentioning

confidence: 99%

“…Moreover, our analysis is by no means exhaustive, only focusing on the most "convenient" disclosure gadgets. For instance, one may want to exploit the kernel with a more classic Prime + Probe covert channel [93], loosening the requirements for the disclosure gadget. Or one may consider control over the stack, unlocking more complex gadgets, such as the one used in Section 6.6.2.…”

Section: Indirect-branch Targetsmentioning

confidence: 99%

“…Spectre [159] and Meltdown [190] set the stage for a large body of transient execution attacks [1,45,93,162,200,235,236,250,252,270,285,286,288,316]. In this work we focus on Branch Target Injection, also dubbed Spectre v2, and specifically focus on the security guarantees and limitations of related defenses.…”

Section: Related Workmentioning

confidence: 99%

“…Of all the transient execution vulnerabilities [1,45,93,159,162,190,200,235,236,250,252,270,285,286,288,316] discovered since the first disclosure of such issues in 2018 [124], one of the most worrisome was Branch Target Injection (BTI or Spectre v2 [159]). As the name suggests, it allows attackers to inject speculative branch targets into a victim's context-while also ignoring the architectural privilege boundaries [44,159].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Exploiting Hardware from Software

Frigo

View full text Add to dashboard Cite

In recent years we observed a deepening integration between hardware and software; we now have dedicated hardware for all sorts of applications and software heavily optimized for the underlying hardware. And while this allowed modern systems to keep up with the increasing demand for performance, this new paradigm came at the cost of a more complex hardware-software stack. Unfortunately, between the cracks of these two domains, we notice a new class of attacks gaining momentum: software-based hardware attacks. As the name suggests, these attacks target underlying hardware vulnerabilities while being leveraged from software—notorious examples being the Rowhammer bug, Spectre, and Meltdown. In this thesis, we perform an in-depth attack surface analysis of different software-based hardware vulnerabilities while revisiting some of the assumptions upon which the current attacks and defenses are built. More specifically, we deepen the understanding of the DRAM Rowhammer bug from various perspectives: we show how it represents a serious threat to various targets such as mobile devices, web browsers, and Deep Neural Networks; and, we demonstrate that the silver-bullet defense introduced on DDR4 devices against the issue—in-DRAM Target Row Refresh—does not prevent an attacker from triggering bit-flips on millions of devices previously deemed safe. On top of that, we investigate the effectiveness of hardware defenses introduced against the recent Spectre bug and show how those deployed to prevent cross-privilege Spectre attacks are incomplete, allowing attackers to build new exploits.

show abstract

Diminisher: A Linux Kernel Based Countermeasure for TAA Vulnerability

Hamza

Mushtaq

Bhatti

et al. 2022

Computer Security. ESORICS 2021 International Workshops

View full text Add to dashboard Cite

TSX Asynchronous Abort (TAA) vulnerability is a class of Side-Channel Attack (SCA) that allows an application to leak data from internal CPU buffers through asynchronous Transactional Synchronization Extension (TSX) aborts that are exploited by the recent Microarchitectural Data Sampling (MDS) attacks. Cross-core TAA attacks can be prevented through microcode updates where CPU buffers are flushed during Operating System (OS) context switching, but there is no solution to our knowledge that exists for hyper-threaded TAA attacks in which the attacker leaks data from sibling hardware threads through asynchronous abort. In this work, we have proposed Diminisher, a Linux kernel-based detection and mitigation solution for both hyper-threaded and cross-core TAA attacks. Diminisher can be logically divided into three phases, i.e., scheduling, detection, and mitigation. Diminisher is a lightweight tool to prevent TAA vulnerability. The novelty lies in the methodology that we propose enabling easy extensions to cover other hyper-threaded attacks for which no satisfactory solutions exist yet. Diminisher detects and mitigates the TAA attacks around 99% of the time at a low-performance overhead of 2.5%.

show abstract

Speculative Probing

Cited by 21 publications

References 56 publications

K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel

K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel

Exploiting Hardware from Software

Diminisher: A Linux Kernel Based Countermeasure for TAA Vulnerability

Contact Info

Product

Resources

About