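@inproceedings{tugraz:tlbsidechannel,
  title     = {When Good Kernel Defenses Go Bad: Reliable and Stable Kernel
               Exploits via Defense-Amplified {TLB} Side-Channel Leaks},
  abstract  = {Over the past decade, the Linux kernel has seen a significant
               number of memory-safety vulnerabilities. However, exploiting
               these vulnerabilities becomes substantially harder as defenses
               increase. A fundamental defense of the Linux kernel is the
               randomization of memory locations for security-critical objects,
               which greatly limits or prevents exploitation. In this paper, we
               show that we can exploit side-channel leakage in defenses to leak
               the locations of security-critical kernel objects. These location
               disclosure attacks enable successful exploitations on the latest
               Linux kernel, facilitating reliable and stable system compromise
               both with re-enabled and new exploit techniques. To identify
               side-channel leakages of defenses, we systematically analyze 127
               defenses. Based on this analysis, we show that enabling any of 3
               defenses enforcing strict memory permissions or virtualizing
               the kernel heap or kernel stack allows us to obtain
               fine-grained TLB contention patterns via an Evict+Reload TLB
               side-channel attack. We combine these patterns with kernel
               allocator massaging to present location disclosure attacks,
               leaking the locations of kernel objects, i.e., heap objects, page
               tables, and stacks. To demonstrate the practicality of these
               attacks, we evaluate them on recent Intel CPUs and multiple
               kernel versions, with a runtime of 0.3 s to 17.8 s and almost no
               false positives. Since these attacks work due to side-channel
               leakage in defenses, we argue that the virtual stack defense
               makes the system less secure.},
  author    = {Maar, Lukas and Giner, Lukas and Gruss, Daniel and Mangard, Stefan},
  year      = {2025},
  month     = aug,
  day       = {13},
  language  = {English},
  series    = {USENIX Security '25},
  publisher = {USENIX Association},
  booktitle = {Proceedings of the 34th {USENIX} Security Symposium},
  location  = {United States},
  note      = {34th USENIX Security Symposium : USENIX Security 2025, USENIX'25 ;
               Conference date: 13-08-2025 Through 15-08-2025},
  url       = {https://www.usenix.org/conference/usenixsecurity25},
}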
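@inproceedings{tugraz:prefetch,
  author    = {Gruss, Daniel and Maurice, Cl{\'e}mentine and Fogh, Anders and
               Lipp, Moritz and Mangard, Stefan},
  title     = {Prefetch Side-Channel Attacks: Bypassing {SMAP} and Kernel {ASLR}},
  year      = {2016},
  isbn      = {9781450341394},
  publisher = {Association for Computing Machinery},
  address   = {New York, NY, USA},
  doi       = {10.1145/2976749.2978356},
  abstract  = {Modern operating systems use hardware support to protect against
               control-flow hijacking attacks such as code-injection attacks.
               Typically, write access to executable pages is prevented and
               kernel mode execution is restricted to kernel code pages only.
               However, current CPUs provide no protection against code-reuse
               attacks like ROP. ASLR is used to prevent these attacks by making
               all addresses unpredictable for an attacker. Hence, the kernel
               security relies fundamentally on preventing access to address
               information. We introduce Prefetch Side-Channel Attacks, a new
               class of generic attacks exploiting major weaknesses in prefetch
               instructions. This allows unprivileged attackers to obtain
               address information and thus compromise the entire system by
               defeating SMAP, SMEP, and kernel ASLR. Prefetch can fetch
               inaccessible privileged memory into various caches on Intel x86.
               It also leaks the translation-level for virtual addresses on both
               Intel x86 and ARMv8-A. We build three attacks exploiting these
               properties. Our first attack retrieves an exact image of the full
               paging hierarchy of a process, defeating both user space and
               kernel space ASLR. Our second attack resolves virtual to physical
               addresses to bypass SMAP on 64-bit Linux systems, enabling
               ret2dir attacks. We demonstrate this from unprivileged user
               programs on Linux and inside Amazon EC2 virtual machines.
               Finally, we demonstrate how to defeat kernel ASLR on Windows 10,
               enabling ROP attacks on kernel and driver binary code. We propose
               a new form of strong kernel isolation to protect commodity
               systems incurring an overhead of only 0.06--5.09\%.},
  booktitle = {Proceedings of the 2016 ACM SIGSAC Conference on Computer and
               Communications Security},
  pages     = {368--379},
  numpages  = {12},
  keywords  = {timing attacks, kernel vulnerabilities, ASLR},
  location  = {Vienna, Austria},
  series    = {CCS '16},
}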
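@inproceedings{DBLP:conf/sc/AndreadisVMI18,
  author    = {Andreadis, Georgios and Versluis, Laurens and Mastenbroek, Fabian and
               Iosup, Alexandru},
  title     = {A Reference Architecture for Datacenter Scheduling: Design,
               Validation, and Experiments},
  booktitle = {Proceedings of the International Conference for High
               Performance Computing, Networking, Storage, and Analysis, {SC}
               2018, Dallas, TX, USA, November 11-16, 2018},
  pages     = {37:1--37:15},
  publisher = {{IEEE} / {ACM}},
  year      = {2018},
  url       = {https://dl.acm.org/citation.cfm?id=3291706},
  timestamp = {Mon, 12 Nov 2018 09:20:44 +0100},
  biburl    = {https://dblp.org/rec/conf/sc/AndreadisVMI18.bib},
  bibsource = {dblp computer science bibliography, https://dblp.org},
}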