proposal draft 1
This commit is contained in:
parent
172da4ca29
commit
d080a2352d
10 changed files with 249 additions and 307 deletions
@ -1,54 +1,103 @@
|
|||
@inproceedings{tugraz:tlbsidechannel,
|
||||
title = "When Good Kernel Defenses Go Bad: Reliable and Stable Kernel
|
||||
Exploits via Defense-Amplified TLB Side-Channel Leaks",
|
||||
abstract = "Over the past decade, the Linux kernel has seen a significant
|
||||
number of memory-safety vulnerabilities. However, exploiting
|
||||
these vulnerabilities becomes substantially harder as defenses
|
||||
increase. A fundamental defense of the Linux kernel is the
|
||||
randomization of memory locations for security-critical objects,
|
||||
which greatly limits or prevents exploitation.In this paper, we
|
||||
show that we can exploit side-channel leakage in defenses to leak
|
||||
the locations of security-critical kernel objects. These location
|
||||
disclosure attacks enable successful exploitations on the latest
|
||||
Linux kernel, facilitating reliable and stable system compromise
|
||||
both with re-enabled and new exploit techniques. To identify
|
||||
side-channel leakages of defenses, we systematically analyze 127
|
||||
defenses. Based on this analysis, we show that enabling any of 3
|
||||
defenses – enforcing strict memory permissions or virtualizing
|
||||
the kernel heap or kernel stack – allows us to obtain
|
||||
fine-grained TLB contention patterns via an Evict+Reload TLB
|
||||
side-channel attack. We combine these patterns with kernel
|
||||
allocator massaging to present location disclosure attacks,
|
||||
leaking the locations of kernel objects, i.e., heap objects, page
|
||||
tables, and stacks. To demonstrate the practicality of these
|
||||
attacks, we evaluate them on recent Intel CPUs and multiple
|
||||
kernel versions, with a runtime of 0.3 s to 17.8 s and almost no
|
||||
false positives. Since these attacks work due to side-channel
|
||||
leakage in defenses, we argue that the virtual stack defense
|
||||
makes the system less secure.",
|
||||
author = "Lukas Maar and Lukas Giner and Daniel Gruss and Stefan Mangard",
|
||||
year = "2025",
|
||||
month = aug,
|
||||
day = "13",
|
||||
language = "English",
|
||||
series = "Proceedings of the 34rd USENIX Security Symposium",
|
||||
publisher = "USENIX Association",
|
||||
booktitle = "Proceedings of the 34rd USENIX Security Symposium",
|
||||
address = "United States",
|
||||
note = "34th USENIX Security Symposium : USENIX Security 2025, USENIX'25 ;
|
||||
Conference date: 13-08-2025 Through 15-08-2025",
|
||||
url = "https://www.usenix.org/conference/usenixsecurity25",
|
||||
}
|
||||
|
||||
@inproceedings{tugraz:prefetch,
|
||||
author = {Gruss, Daniel and Maurice, Clementine and Fogh, Anders and Lipp,
|
||||
Moritz and Mangard, Stefan},
|
||||
title = {Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR},
|
||||
year = {2016},
|
||||
isbn = {9781450341394},
|
||||
publisher = {Association for Computing Machinery},
|
||||
address = {New York, NY, USA},
|
||||
url = {https://doi.org/10.1145/2976749.2978356},
|
||||
doi = {10.1145/2976749.2978356},
|
||||
abstract = {Modern operating systems use hardware support to protect against
|
||||
control-flow hijacking attacks such as code-injection attacks.
|
||||
Typically, write access to executable pages is prevented and
|
||||
kernel mode execution is restricted to kernel code pages only.
|
||||
However, current CPUs provide no protection against code-reuse
|
||||
attacks like ROP. ASLR is used to prevent these attacks by making
|
||||
all addresses unpredictable for an attacker. Hence, the kernel
|
||||
security relies fundamentally on preventing access to address
|
||||
information. We introduce Prefetch Side-Channel Attacks, a new
|
||||
class of generic attacks exploiting major weaknesses in prefetch
|
||||
instructions. This allows unprivileged attackers to obtain
|
||||
address information and thus compromise the entire system by
|
||||
defeating SMAP, SMEP, and kernel ASLR. Prefetch can fetch
|
||||
inaccessible privileged memory into various caches on Intel x86.
|
||||
It also leaks the translation-level for virtual addresses on both
|
||||
Intel x86 and ARMv8-A. We build three attacks exploiting these
|
||||
properties. Our first attack retrieves an exact image of the full
|
||||
paging hierarchy of a process, defeating both user space and
|
||||
kernel space ASLR. Our second attack resolves virtual to physical
|
||||
addresses to bypass SMAP on 64-bit Linux systems, enabling
|
||||
ret2dir attacks. We demonstrate this from unprivileged user
|
||||
programs on Linux and inside Amazon EC2 virtual machines. Finally
|
||||
, we demonstrate how to defeat kernel ASLR on Windows 10,
|
||||
enabling ROP attacks on kernel and driver binary code. We propose
|
||||
a new form of strong kernel isolation to protect commodity
|
||||
systems incuring an overhead of only 0.06-5.09\%.},
|
||||
booktitle = {Proceedings of the 2016 ACM SIGSAC Conference on Computer and
|
||||
Communications Security},
|
||||
pages = {368–379},
|
||||
numpages = {12},
|
||||
keywords = {timing attacks, kernel vulnerabilities, ASLR},
|
||||
location = {Vienna, Austria},
|
||||
series = {CCS '16},
|
||||
}
|
||||
|
||||
@inproceedings{DBLP:conf/sc/AndreadisVMI18,
|
||||
author = {Georgios Andreadis and
|
||||
Laurens Versluis and
|
||||
Fabian Mastenbroek and
|
||||
Alexandru Iosup},
|
||||
title = {A reference architecture for datacenter scheduling: design, validation,
|
||||
and experiments},
|
||||
booktitle = {Proceedings of the International Conference for High Performance Computing,
|
||||
Networking, Storage, and Analysis, {SC} 2018, Dallas, TX, USA, November
|
||||
11-16, 2018},
|
||||
pages = {37:1--37:15},
|
||||
publisher = {{IEEE} / {ACM}},
|
||||
year = {2018},
|
||||
url = {http://dl.acm.org/citation.cfm?id=3291706},
|
||||
timestamp = {Mon, 12 Nov 2018 09:20:44 +0100},
|
||||
biburl = {https://dblp.org/rec/conf/sc/AndreadisVMI18.bib},
|
||||
bibsource = {dblp computer science bibliography, https://dblp.org}
|
||||
author = {Georgios Andreadis and Laurens Versluis and Fabian Mastenbroek and
|
||||
Alexandru Iosup},
|
||||
title = {A reference architecture for datacenter scheduling: design,
|
||||
validation, and experiments},
|
||||
booktitle = {Proceedings of the International Conference for High
|
||||
Performance Computing, Networking, Storage, and Analysis, {SC}
|
||||
2018, Dallas, TX, USA, November 11-16, 2018},
|
||||
pages = {37:1--37:15},
|
||||
publisher = {{IEEE} / {ACM}},
|
||||
year = {2018},
|
||||
url = {http://dl.acm.org/citation.cfm?id=3291706},
|
||||
timestamp = {Mon, 12 Nov 2018 09:20:44 +0100},
|
||||
biburl = {https://dblp.org/rec/conf/sc/AndreadisVMI18.bib},
|
||||
bibsource = {dblp computer science bibliography, https://dblp.org},
|
||||
}
|
||||
|
||||
@misc{techblog:latex,
|
||||
author = {{Overleaf Team}},
|
||||
title = {Learn {LaTeX} in 30 minutes},
|
||||
howpublished = {Tech blog},
|
||||
url = {https://www.overleaf.com/learn/latex/Learn_LaTeX_in_30_minutes},
|
||||
year = {2019},
|
||||
note = {[Online; accessed Mar 10, 2020] \url{https://www.overleaf.com/learn/latex/Learn_LaTeX_in_30_minutes}}
|
||||
}
|
||||
|
||||
@misc{techrep:latex,
|
||||
author = {Tobias Oetiker and
|
||||
Hubert Partl and
|
||||
Irene Hyna and
|
||||
Elisabeth Schlegl},
|
||||
title = {The Not So Short Introduction to {LaTeX} 2$\epsilon$, or: {LaTeX} in 139 minutes},
|
||||
howpublished = {Tech report, Version 6.3, March 26},
|
||||
url = {https://tobi.oetiker.ch/lshort/lshort.pdf},
|
||||
year = {2018},
|
||||
note = {[Online; accessed Mar 10, 2020] \url{https://tobi.oetiker.ch/lshort/lshort.pdf}}
|
||||
}
|
||||
|
||||
|
||||
@book{research:book/SharpPW02,
|
||||
author = {John A. Sharp and
|
||||
John Peters and
|
||||
Keith Howard},
|
||||
title = {The Management of a Student Research Project},
|
||||
location = {UK},
|
||||
publisher = {Gower Publishing Limited},
|
||||
edition = {3rd Ed.},
|
||||
year = {2002}
|
||||
}
|
||||
|
||||
|
||||
|