Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features

June 21, 2018 ~ hucktech ~ Leave a comment

The slides of my #AsiaCCS18 talk "Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features" are now online: https://t.co/qMtro4dbnM /cc @lavados @mlqxyz @BloodyTangerine @anders_fogh pic.twitter.com/8r0EDizPzh

— Michael Schwarz (@misc0110) June 7, 2018

This is a really cool paper. They use Flush+Reload to automatically detect double fetches, then basically fuzz the second fetch to generate a crash for !exploitable, and use xbegin/xend to fix them. https://t.co/rQUubvqpGt

— Thomas H. Ptacek (@tqbf) June 7, 2018

Double-fetch bugs are a special type of race condition, where an unprivileged execution thread is able to change a memory location between the time-of-check and time-of-use of a privileged execution thread. If an unprivileged attacker changes the value at the right time, the privileged operation becomes inconsistent, leading to a change in control flow, and thus an escalation of privileges for the attacker. More severely, such double-fetch bugs can be introduced by the compiler, entirely invisible on the source-code level. We propose novel techniques to efficiently detect, exploit, and eliminate double-fetch bugs. We demonstrate the first combination of state-of-the-art cache attacks with kernel-fuzzing techniques to allow fully automated identification of double fetches. We demonstrate the first fully automated reliable detection and exploitation of double-fetch bugs, making manual analysis as in previous work superfluous. We show that cache-based triggers outperform state-of-the-art exploitation techniques significantly, leading to an exploitation success rate of up to 97%. Our modified fuzzer automatically detects double fetches and automatically narrows down this candidate set for double-fetch bugs to the exploitable ones. We present the first generic technique based on hardware transactional memory, to eliminate double-fetch bugs in a fully automated and transparent manner. We extend defensive programming techniques by retrofitting arbitrary code with automated double-fetch prevention, both in trusted execution environments as well as in syscalls, with a performance overhead below 1%.

https://arxiv.org/abs/1711.01254

Click to access double_fetch_slides.pdf

Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features

June 11, 2018 ~ hucktech ~ Leave a comment

The slides of my #AsiaCCS18 talk "Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features" are now online: https://t.co/qMtro4dbnM /cc @lavados @mlqxyz @BloodyTangerine @anders_fogh pic.twitter.com/8r0EDizPzh

— Michael Schwarz (@misc0110) June 7, 2018

This is a really cool paper. They use Flush+Reload to automatically detect double fetches, then basically fuzz the second fetch to generate a crash for !exploitable, and use xbegin/xend to fix them. https://t.co/rQUubvqpGt

— Thomas H. Ptacek (@tqbf) June 7, 2018

I mentioned this before, but everyone seems to have forgotten sgrakkyu/twiz exploited "double fetch" before "double fetch" was a thing, back in 2007: https://t.co/tfEaoqprN9 (2.4.2), see also this from 2008: https://t.co/s6vvJ5L69j

— grsecurity (@grsecurity) June 7, 2018

https://arxiv.org/abs/1711.01254

Click to access 1711.01254.pdf

NetHammer

May 15, 2018 ~ hucktech ~ Leave a comment

Nethammer is another Rowhammer attack via network packets.

Apparently the Nethammer team got scooped by the Throwhammer research.

I feel your pain, guys. I truly truly feel your pain! :)))

PDF: https://t.co/ED10WHahWm pic.twitter.com/E85KGrLtzK

— Catalin Cimpanu (@campuscodi) May 15, 2018

M. Lipp et al., “Nethammer: Inducing Rowhammer Faults through Network Requests” [arXiv version] https://t.co/C12F1ixGKk

— Arrigo Triulzi (@cynicalsecurity) May 15, 2018

Nethammer: Inducing Rowhammer Faults through Network Requests

(Submitted on 13 May 2018)

A fundamental assumption in software security is that memory contents do not change unless there is a legitimate deliberate modification. Classical fault attacks show that this assumption does not hold if the attacker has physical access. Rowhammer attacks showed that local code execution is already sufficient to break this assumption. Rowhammer exploits parasitic effects in DRAM to modify the content of a memory cell without accessing it. Instead, other memory locations are accessed at a high frequency. All Rowhammer attacks so far were local attacks, running either in a scripted language or native code. In this paper, we present Nethammer. Nethammer is the first truly remote Rowhammer attack, without a single attacker-controlled line of code on the targeted system. Systems that use uncached memory or flush instructions while handling network requests, e.g., for interaction with the network device, can be attacked using Nethammer. Other systems can still be attacked if they are protected with quality-of-service techniques like Intel CAT. We demonstrate that the frequency of the cache misses is in all three cases high enough to induce bit flips. We evaluated different bit flip scenarios. Depending on the location, the bit flip compromises either the security and integrity of the system and the data of its users, or it can leave persistent damage on the system, i.e., persistent denial of service. We investigated Nethammer on personal computers, servers, and mobile phones. Nethammer is a security landslide, making the formerly local attack a remote attack.

https://arxiv.org/abs/1805.04956

Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features

November 6, 2017 ~ hucktech ~ Leave a comment

Wu Cache Clan, “Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features” https://t.co/kTQRGUJWJk

— Arrigo Triulzi (@cynicalsecurity) November 6, 2017

Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features
Michael Schwarz, Daniel Gruss, Moritz Lipp, Clémentine Maurice, Thomas Schuster, Anders Fogh, Stefan Mangard
(Submitted on 3 Nov 2017)

https://arxiv.org/abs/1711.01254

Malware Guard Extension: Using SGX to Conceal Cache Attacks

March 2, 2017 ~ hucktech ~ Leave a comment

"Malware Guard Extension: Using SGX to Conceal Cache Attacks" https://t.co/kDP9kBONNa
/cc @rootkovska @iamcorso @JethroGB

— JP Aumasson (@veorq) March 1, 2017

Malware Guard Extension: Using SGX to Conceal Cache Attacks
Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice, Stefan Mangard
(Submitted on 28 Feb 2017 (v1), last revised 1 Mar 2017 (this version, v2))
In modern computer systems, user processes are isolated from each other by the operating system and the hardware. Additionally, in a cloud scenario it is crucial that the hypervisor isolates tenants from other tenants that are co-located on the same physical machine. However, the hypervisor does not protect tenants against the cloud provider and thus the supplied operating system and hardware. Intel SGX provides a mechanism that addresses this scenario. It aims at protecting user-level software from attacks from other processes, the operating system, and even physical attackers. In this paper, we demonstrate fine-grained software-based side-channel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. We perform a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that uses a constant-time multiplication primitive. The attack works although in SGX enclaves there are no timers, no large pages, no physical addresses, and no shared memory. In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces within 5 minutes.

https://arxiv.org/abs/1702.08719

Exploiting Intel DRAM

November 30, 2015 ~ hucktech ~ Leave a comment

Work in progress: Reverse Engineering Intel DRAM Addressing: https://t.co/OQFtyerN1h, we are still evaluating this attack cross-CPU

— Daniel Gruss (@lavados) November 30, 2015

Reverse Engineering Intel DRAM Addressing and Exploitation
Peter Pessl, Daniel Gruss, Clémentine Maurice, Stefan Mangard

In this paper, we present a method to reverse engineer DRAM addressing functions based on a physical bus probing. Second, we present an automatic and generic method to reverse engineer DRAM addressing functions merely from performing a timing attack. This timing attack can be performed on any system without privileges and even in virtual machines to derive information about the mapping to physical DRAM channels, ranks and banks. We reversed the complex adressing functions on a diverse set of Intel processors and DRAM configurations. Our work enables side-channel attacks and covert channels based on inner-bank row conflicts and overlaps. Thus, our attack does not exploit the CPU as a shared resource, but only the DRAM that might even be shared across multiple CPUs. We demonstrate the power of such attacks by implementing a high speed covert channel that achieves transmission rates of up to 1.5Mb/s, which is three orders of magnitude faster than current covert channels on main memory. Finally, we show how our results can be used to increase the efficiency of the Rowhammer attack significantly by reducing the search space by a factor of up to 16384.

http://arxiv.org/abs/1511.08756