Store-to-Leak Forwarding: There and Back Again

Presented at Black Hat Asia 2020 Virtual, Oct. 2, 2020, 12:30 p.m. (40 minutes)

In the past couple of years, we have seen many different attacks that allow an attacker to leak data. One of these attacks is Meltdown, which allows an attacker to leak kernel memory. After it was fixed, everyone thought that the problem was solved. Unfortunately, this is not the case, as there are still effects that are closely related to Meltdown.

In this talk, we will show how we can use one such effect to break KASLR on all Intel CPUs since 2004 with perfect accuracy and in less than a second. The new method even outperforms the previous state-of-the-art KASLR break presented by Jang et al. at Black Hat USA 2016. We will also show that we can use this effect from JavaScript and from SGX enclaves. We will then enhance our attack primitive with side effects on the TLB to monitor user behavior. We will demonstrate how we can use the first primitive to detect and classify kernel modules. We will then monitor one such module with the second primitive, inferring user behavior, such as the user's proximity to the computer, from it. With our final attack primitive, we will show how we can use new, simpler Spectre gadgets to leak kernel memory.

We will also highlight the differences between our approach, Store-to-Leak, and Fallout. While they may appear similar from a high-level perspective, the differences become apparent when we consider countermeasures. None of the mitigations for microarchitectural data-sampling (MDS) attacks, including those for Fallout, mitigate Store-to-Leak. Therefore, all CPUs dating back to 2004 remain vulnerable to Store-to-Leak, but not to Fallout. This shows that Store-to-Leak is a powerful side-channel attack that is not easily fixed.

Finally, we will outline a countermeasure that prevents all known microarchitectural KASLR breaks, including Store-to-Leak, Fallout, and DrK.

Presenters:

  • Michael Schwarz - InfoSec Researcher, CISPA Helmholtz Center for Information Security
    Michael Schwarz is a tenure-track faculty member at the Helmholtz Center for Information Security (CISPA) in Saarbrücken, Germany, with a focus on microarchitectural side-channel attacks and system security. He obtained his PhD with the title "Software-based Side-Channel Attacks and Defenses in Restricted Environments" in 2019 from Graz University of Technology (advised by Daniel Gruss). He holds two master's degrees, one in computer science and one in software engineering, both with a strong focus on security. He is a regular speaker at both academic and hacker conferences (Black Hat, CCC, Blue Hat, etc.). He was part of one of the research teams that found the Meltdown, Spectre, Fallout, and LVI vulnerabilities, as well as the ZombieLoad vulnerability. He was also part of the team behind the KAISER patch, the basis for the Meltdown countermeasures now deployed in every modern operating system under names such as KPTI or KVA Shadow.
  • Lukas Giner - PhD Student, Graz University of Technology
    Lukas Giner is an InfoSec PhD student at Graz University of Technology. His research centers on attacks using, and defenses against, microarchitectural side channels.
  • Claudio Canella - PhD Student, Graz University of Technology
    Claudio Canella is an InfoSec PhD student at Graz University of Technology. His research focuses on microarchitectural side-channel attacks and system security. He has presented his research at conferences such as Black Hat Asia 2019, the 35th Chaos Communication Congress, and USENIX Security 2019.
