Remote Memory-Deduplication Attacks

Activity: Talk or presentationTalk at conference or symposiumScience to public


Cloud providers use memory deduplication to reduce the memory utilization of their systems. Memory deduplication merges memory pages with identical content and maps them under a copy-on-write semantic. Previous work showed that memory deduplication can be exploited in a local scenario to perform ASLR breaks, Rowhammer attacks and fingerprint applications.
Countermeasures have been proposed to disable memory deduplication across security domains. Memory deduplication was re-enabled within a security domain on Windows as well as on Linux server systems.

In this talk, we will present remote memory-deduplication attacks. We will show that memory-deduplication attacks are not only limited to local code execution by mounting powerful attacks over the internet. We will demonstrate that web applications that use in-memory caching like Memcached can be remotely exploited without any user interaction. An attacker can use this remote timing side channel to leak sensitive information. Using amplification, our side channel leaks up to 34.41 B/h across the internet (14 hops). We will show how fingerprinting can be performed on operating systems and shared libraries. Our remote KASLR break can break KASLR on a remote server in a few minutes via both HTTP/1.1 and HTTP/2. By using a leakage primitive to change the alignment of attacker-controlled data, we enable byte-by-byte data leakage of MySQL database records.

We will evaluate state-of-the-art mitigations and argue that some are insufficient to mitigate remote memory-deduplication attacks.
Finally, we will outline challenges for future research on remote memory-deduplication attacks.
Period12 May 2022
Event titleBlack Hat Asia 2022
Event typeConference
LocationVirtuell, SingaporeShow on map
Degree of RecognitionInternational