Remote Memory-Deduplication Attacks

11/16/2021
by   Martin Schwarzl, et al.
0

Memory utilization can be reduced by merging identical memory blocks into copy-on-write mappings. Previous work showed that this so-called memory deduplication can be exploited in local attacks to break ASLR, spy on other programs,and determine the presence of data, i.e., website images. All these attacks exploit memory deduplication across security domains, which in turn was disabled. However, within a security domain or on an isolated system with no untrusted local access, memory deduplication is still not considered a security risk and was recently re-enabled on Windows by default. In this paper, we present the first fully remote memorydeduplication attacks. Unlike previous attacks, our attacks require no local code execution. Consequently, we can disclose memory contents from a remote server merely by sending and timing HTTP/1 and HTTP/2 network requests. We demonstrate our attacks on deduplication both on Windows and Linux and attack widely used server software such as Memcached and InnoDB. Our side channel leaks up to 34.41 B/h over the internet, making it faster than comparable remote memory-disclosure channels. We showcase our remote memory-deduplication attack in three case studies: First, we show that an attacker can disclose the presence of data in memory on a server running Memcached. We show that this information disclosure channel can also be used for fingerprinting and detect the correct libc version over the internet in 166.51 s. Second, in combination with InnoDB, we present an information disclosure attack to leak MariaDB database records. Third, we demonstrate a fully remote KASLR break in less than 4 minutes allowing to derandomize the kernel image of a virtual machine over the Internet, i.e., 14 network hops away. We conclude that memory deduplication must also be considered a security risk if only applied within a single security domain.

READ FULL TEXT

page 1

page 9

page 14

research
11/16/2021

Practical Timing Side Channel Attacks on Memory Compression

Compression algorithms are widely used as they save memory without losin...
research
05/13/2018

Nethammer: Inducing Rowhammer Faults through Network Requests

A fundamental assumption in software security is that memory contents do...
research
07/27/2018

NetSpectre: Read Arbitrary Memory over Network

In this paper, we present NetSpectre, a generic remote Spectre variant 1...
research
09/14/2017

REMOTEGATE: Incentive-Compatible Remote Configuration of Security Gateways

Imagine that a malicious hacker is trying to attack a server over the In...
research
05/06/2021

Attestation Waves: Platform Trust via Remote Power Analysis

Attestation is a strong tool to verify the integrity of an untrusted sys...
research
05/20/2020

A Way Around UMIP and Descriptor-Table Exiting via TSX-based Side-Channel Attack

Nowadays, in operating systems, numerous protection mechanisms prevent o...
research
08/25/2023

Implementing Snort Intrusion Prevention System (IPS) for Network Forensic Analysis

The security trade confidentiality, integrity and availability are the m...

Please sign up or login with your details

Forgot password? Click here to reset