Medusa: Microarchitectural data leakage via automated attack synthesis

Daniel Moghimi, Moritz Lipp, Berk Sunar, Michael Schwarz

Publikation: Beitrag in Buch/Bericht/KonferenzbandBeitrag in einem Konferenzband

Abstract

In May 2019, a new class of transient execution attack based on Meltdown called microarchitectural data sampling (MDS), was disclosed. MDS enables adversaries to leak secrets across security domains by collecting data from shared CPU resources such as data cache, fill buffers, and store buffers. These resources may temporarily hold data that belongs to other processes and privileged contexts, which could falsely be forwarded to memory accesses of an adversary. We perform an in-depth analysis of these Meltdown-style attacks using our novel fuzzing-based approach. We introduce an analysis tool, named Transynther, which mutates the basic block of existing Meltdown variants to generate and evaluate new Meltdown subvariants. We apply Transynther to analyze modern CPUs and better understand the root cause of these attacks. As a result, we find new variants of MDS that only target specific memory operations, e.g., fast string copies. Based on our findings, we propose a new attack, named Medusa, which can leak data from implicit write-combining memory operations. Since Medusa only applies to specific operations, it can be used to pinpoint vulnerable targets. In a case study, we apply Medusa to recover the key during the RSA signing operation. We show that Medusa can leak various parts of an RSA key during the base64 decoding stage. Then we build leakage templates and recover full RSA keys by employing lattice-based cryptanalysis techniques.

Originalspracheenglisch
TitelProceedings of the 29th USENIX Security Symposium
Herausgeber (Verlag)USENIX Association
Seiten1427-1444
Seitenumfang18
ISBN (elektronisch)9781939133175
PublikationsstatusVeröffentlicht - 1 Jan 2020
Veranstaltung29th USENIX Security Symposium - Virtuell, USA / Vereinigte Staaten
Dauer: 12 Aug 202014 Aug 2020

Publikationsreihe

NameProceedings of the 29th USENIX Security Symposium

Konferenz

Konferenz29th USENIX Security Symposium
LandUSA / Vereinigte Staaten
OrtVirtuell
Zeitraum12/08/2014/08/20

ASJC Scopus subject areas

  • !!Computer Networks and Communications
  • Information systems
  • !!Safety, Risk, Reliability and Quality

Fingerprint Untersuchen Sie die Forschungsthemen von „Medusa: Microarchitectural data leakage via automated attack synthesis“. Zusammen bilden sie einen einzigartigen Fingerprint.

Dieses zitieren