AVX Timing Side-Channel Attacks against Address Space Layout Randomization

04/17/2023
by Hyunwoo Choi, et al.

Modern x86 processors support the AVX instruction set to boost performance. However, this extension may cause security issues. We discovered that the implementation of masked load/store instructions has vulnerable properties. Based on this, we present a novel AVX timing side-channel attack that can defeat address space layout randomization (ASLR). We demonstrate the significance of our attack by showing User and Kernel ASLR breaks on recent Intel and AMD processors in various environments, including cloud computing systems, an SGX enclave (a fine-grained ASLR break), and major operating systems. We further demonstrate that our attack can be used to infer user behavior, such as Bluetooth events and mouse movements. We highlight that stronger isolation or more fine-grained randomization should be adopted to successfully mitigate our presented attacks.
