Prefetch Side-Channel Attacks: Bypassing SMAP and kernel ASLR

Daniel Gruss, Clémentine Maurice, Anders Fogh, Moritz Lipp, Stefan Mangard

Publikation: Beitrag in Buch/Bericht/KonferenzbandBeitrag in einem KonferenzbandForschungBegutachtung

Abstract

Modern operating systems use hardware support to protect against control-flow hijacking attacks such as code-injection attacks. Typically, write access to executable pages is prevented and kernel mode execution is restricted to kernel code pages only. However, current CPUs provide no protection against code-reuse attacks like ROP. ASLR is used to prevent these attacks by making all addresses unpredictable for an attacker. Hence, the kernel security relies fundamentally on preventing access to address information. We introduce Prefetch Side-Channel Attacks, a new class of generic attacks exploiting major weaknesses in prefetch instructions. This allows unprivileged attackers to obtain address information and thus compromise the entire system by defeating SMAP, SMEP, and kernel ASLR. Prefetch can fetch inaccessible privileged memory into various caches on Intel x86. It also leaks the translation-level for virtual addresses on both Intel x86 and ARMv8-A. We build three attacks exploiting these properties. Our first attack retrieves an exact image of the full paging hierarchy of a process, defeating both user space and kernel space ASLR. Our second attack resolves virtual to physical addresses to bypass SMAP on 64-bit Linux systems, enabling ret2dir attacks. We demonstrate this from unprivileged user programs on Linux and inside Amazon EC2 virtual machines. Finally, we demonstrate how to defeat kernel ASLR on Windows 10, enabling ROP attacks on kernel and driver binary code. We propose a new form of strong kernel isolation to protect commodity systems incuring an overhead of only 0.06-5.09%.

Originalspracheenglisch
TitelCCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
Herausgeber (Verlag)Association of Computing Machinery
Seiten368-379
Seitenumfang12
Band24-28-October-2016
ISBN (elektronisch)9781450341394
DOIs
PublikationsstatusVeröffentlicht - 24 Okt 2016
Veranstaltung23rd ACM Conference on Computer and Communications Security, CCS 2016 - Vienna, Österreich
Dauer: 24 Okt 201628 Okt 2016

Konferenz

Konferenz23rd ACM Conference on Computer and Communications Security, CCS 2016
LandÖsterreich
OrtVienna
Zeitraum24/10/1628/10/16

    Fingerprint

Schlagwörter

    ASJC Scopus subject areas

    • Software
    • !!Computer Networks and Communications

    Dieses zitieren

    Gruss, D., Maurice, C., Fogh, A., Lipp, M., & Mangard, S. (2016). Prefetch Side-Channel Attacks: Bypassing SMAP and kernel ASLR. in CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (Band 24-28-October-2016, S. 368-379). Association of Computing Machinery. https://doi.org/10.1145/2976749.2978356