Page Cache Attacks

We present a new side-channel attack that targets one of the most fundamental software caches in modern computer systems: the operating system page cache. The page cache is a pure software cache that contains all disk-backed pages, including program binaries, shared libraries, and other files. On Windows, dynamic pages (e.g., data, heap, and stacks) are also part of this cache and can be attacked as well. Our side channel permits unprivileged monitoring of accesses to these pages by other processes, with a spatial resolution of 4 kB and a temporal resolution of 2 µs on Linux (at most 6.7 measurements per second) and 466 ns on Windows 10 (at most 223 measurements per second). We systematically analyze the side channel by demonstrating different hardware-agnostic local attacks, including a sandbox-bypassing high-speed covert channel, an ASLR break on Windows 10, and various information leakages that can be used for targeted extortion, spam campaigns, and, more directly, for UI redressing attacks. We also show that, as with hardware cache attacks, we can attack the generation of temporary passwords on vulnerable cryptographic implementations. Our hardware-agnostic attacks can be mitigated with our proposed security patches, but the basic side channel remains exploitable via timing measurements. We demonstrate this with a remote covert channel that exfiltrates information from a colluding process through innocuous server requests.