Conference paper Open Access

Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR

Daniel Gruss; Clémentine Maurice; Moritz Lipp; Stefan Mangard; Anders Fogh


MARC21 XML Export

<?xml version='1.0' encoding='UTF-8'?>
<record xmlns="http://www.loc.gov/MARC21/slim">
  <leader>00000nam##2200000uu#4500</leader>
  <datafield tag="653" ind1=" " ind2=" ">
    <subfield code="a">ASLR; Kernel Vulnerabilities; Timing Attacks</subfield>
  </datafield>
  <controlfield tag="005">20170908084037.0</controlfield>
  <controlfield tag="001">375513</controlfield>
  <datafield tag="711" ind1=" " ind2=" ">
    <subfield code="d">24-28 October 2016</subfield>
    <subfield code="g">ACM CCS 2016</subfield>
    <subfield code="a">23rd ACM Conference on Computer and Communications Security</subfield>
    <subfield code="c">Vienna, Austria</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">TU Graz</subfield>
    <subfield code="a">Clémentine Maurice</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">TU Graz</subfield>
    <subfield code="a">Moritz Lipp</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">TU Graz</subfield>
    <subfield code="a">Stefan Mangard</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">G DATA Advanced Analytics</subfield>
    <subfield code="a">Anders Fogh</subfield>
  </datafield>
  <datafield tag="856" ind1="4" ind2=" ">
    <subfield code="s">878496</subfield>
    <subfield code="z">md5:016ee5926b885249fd30118dd70027b8</subfield>
    <subfield code="u">https://zenodo.org/record/375513/files/2016-ACMCCS-Prefetch-Side-Channel-TUG.pdf</subfield>
  </datafield>
  <datafield tag="542" ind1=" " ind2=" ">
    <subfield code="l">open</subfield>
  </datafield>
  <datafield tag="856" ind1="4" ind2=" ">
    <subfield code="y">Conference website</subfield>
    <subfield code="u">https://www.sigsac.org/ccs/CCS2016/</subfield>
  </datafield>
  <datafield tag="260" ind1=" " ind2=" ">
    <subfield code="c">2016-10-24</subfield>
  </datafield>
  <datafield tag="909" ind1="C" ind2="O">
    <subfield code="p">openaire</subfield>
    <subfield code="p">user-hector</subfield>
    <subfield code="o">oai:zenodo.org:375513</subfield>
  </datafield>
  <datafield tag="100" ind1=" " ind2=" ">
    <subfield code="u">TU Graz</subfield>
    <subfield code="a">Daniel Gruss</subfield>
  </datafield>
  <datafield tag="245" ind1=" " ind2=" ">
    <subfield code="a">Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR</subfield>
  </datafield>
  <datafield tag="980" ind1=" " ind2=" ">
    <subfield code="a">user-hector</subfield>
  </datafield>
  <datafield tag="536" ind1=" " ind2=" ">
    <subfield code="c">644052</subfield>
    <subfield code="a">HARDWARE ENABLED CRYPTO AND RANDOMNESS</subfield>
  </datafield>
  <datafield tag="540" ind1=" " ind2=" ">
    <subfield code="u">http://creativecommons.org/licenses/by/4.0/legalcode</subfield>
    <subfield code="a">Creative Commons Attribution 4.0 International</subfield>
  </datafield>
  <datafield tag="650" ind1="1" ind2="7">
    <subfield code="a">cc-by</subfield>
    <subfield code="2">opendefinition.org</subfield>
  </datafield>
  <datafield tag="520" ind1=" " ind2=" ">
    <subfield code="a">&lt;p&gt;Modern operating systems use hardware support to protect against control flow hijacking attacks such as code-injection&lt;br&gt;
attacks. Typically, write access to executable pages is prevented and kernel mode execution is restricted to kernel code&lt;br&gt;
pages only. However, current CPUs provide no protection against code-reuse attacks like ROP. ASLR is used to prevent&lt;br&gt;
these attacks by making all addresses unpredictable for an attacker. Hence, the kernel security relies fundamentally&lt;br&gt;
on preventing access to address information. We introduce Prefetch Side-Channel Attacks, a new class of generic attacks exploiting major weaknesses in prefetch instructions. This allows unprivileged attackers to obtain address information and thus compromise the entire system by defeating SMAP, SMEP, and kernel ASLR. Prefetch can fetch inaccessible privileged memory into various caches on Intel x86. It also leaks the translation-level for virtual addresses on both Intel x86 and ARMv8-A. We build three attacks exploiting these properties. Our rst attack retrieves an exact image of the full paging hierarchy of a process, defeating both user space and kernel space ASLR. Our second attack resolves virtual to physical addresses to bypass SMAP on 64-bit Linux systems, enabling ret2dir attacks. We demonstrate this from unprivileged user programs on Linux and inside Amazon EC2 virtual machines. Finally, we demonstrate how to defeat kernel ASLR on Windows 10, enabling ROP attacks on kernel and driver binary code. We propose a new form of strong kernel isolation to protect commodity systems incuring an overhead of only 0:06{5:09%.&lt;/p&gt;</subfield>
  </datafield>
  <datafield tag="773" ind1=" " ind2=" ">
    <subfield code="n">doi</subfield>
    <subfield code="i">isPreviousVersionOf</subfield>
    <subfield code="a">10.1145/2976749.2978356</subfield>
  </datafield>
  <datafield tag="773" ind1=" " ind2=" ">
    <subfield code="n">doi</subfield>
    <subfield code="i">isSupplementedBy</subfield>
    <subfield code="a">10.5281/zenodo.375521</subfield>
  </datafield>
  <datafield tag="024" ind1=" " ind2=" ">
    <subfield code="a">10.5281/zenodo.375513</subfield>
    <subfield code="2">doi</subfield>
  </datafield>
  <datafield tag="980" ind1=" " ind2=" ">
    <subfield code="a">publication</subfield>
    <subfield code="b">conferencepaper</subfield>
  </datafield>
</record>