Remote Memory-Deduplication Attacks

Memory utilization can be reduced by merging identical memory blocks into copy-on-write mappings. Previous work showed that this so-called memory deduplication can be exploited in local attacks to break ASLR, spy on other programs, and determine the presence of data, e.g., website images. All these attacks exploit memory deduplication across security domains, which was consequently disabled. However, within a security domain or on an isolated system with no untrusted local access, memory deduplication is still not considered a security risk and was recently re-enabled on Windows by default. In this paper, we present the first fully remote memory-deduplication attacks. Unlike previous attacks, our attacks require no local code execution. Consequently, we can disclose memory contents from a remote server merely by sending and timing HTTP/1 and HTTP/2 network requests. We demonstrate our attacks on deduplication on both Windows and Linux and attack widely used server software such as Memcached and InnoDB. Our side channel leaks up to 34.41 B/h over the internet, making it faster than comparable remote memory-disclosure channels. We showcase our remote memory-deduplication attack in three case studies: First, we show that an attacker can disclose the presence of data in memory on a server running Memcached. We show that this information disclosure channel can also be used for fingerprinting and detects the correct libc version over the internet in 166.51 s. Second, in combination with InnoDB, we present an information disclosure attack to leak MariaDB database records. Third, we demonstrate a fully remote KASLR break in less than 4 minutes, allowing an attacker to derandomize the kernel image of a virtual machine over the Internet, i.e., 14 network hops away. We conclude that memory deduplication must also be considered a security risk if only applied within a single security domain.
