Silently Breaking ASLR in the Cloud

Presented at Black Hat Europe 2015

To reduce the memory footprint and increase the cost-effectiveness of virtual machines (VMs) running on the same host, cloud providers use memory deduplication. Memory deduplication searches for memory pages with identical contents and merges them into a single, read-only memory page. Writing to such a page is expensive because the memory protection triggers a page fault (the page must be copied before the write can proceed), and an attacker can use this extra cost as a side channel to detect whether a page has been shared. Leveraging this memory side channel, we craft an attack that leaks the randomized base addresses of libraries and executables mapped in the processes of neighboring VMs, and hence defeats ASLR. Our proof-of-concept exploit, CAIN (Cross-VM ASL INtrospection), defeats ASLR of a 64-bit Windows Server 2012 victim VM running on a default KVM configuration in less than five hours.

In this session, we will discuss the underlying concepts of the attack and present the CAIN PoC exploit.
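The abstract describes the precondition for the side channel: the host is merging identical pages of different VMs. On Linux/KVM hosts that merging is done by Kernel Samepage Merging (KSM), which exposes its state under `/sys/kernel/mm/ksm`. The script below is an added example for operators, not code from the talk or from CAIN: it reports whether KSM is currently merging pages (and how many), which is the setting a defender would audit or disable to remove the shared pages the attack depends on. The `KSM_DIR` override is an assumption added so the script can be exercised against a constructed sysfs directory.

```shell
#!/bin/sh
# Added example (not part of the original talk): audit the KSM memory
# deduplication state on a Linux/KVM host. KSM creates the shared read-only
# pages whose copy-on-write cost the side channel measures.
KSM_DIR="${KSM_DIR:-/sys/kernel/mm/ksm}"   # override only for testing (assumption)

# ksm_attr NAME: print a KSM sysfs attribute, or "n/a" if KSM is not present
ksm_attr() {
    if [ -r "$KSM_DIR/$1" ]; then
        cat "$KSM_DIR/$1"
    else
        printf 'n/a\n'
    fi
}

# ksm_status: one word describing the merging state
#   absent            - kernel has no KSM sysfs interface
#   disabled          - run is 0 (ksmd stopped) or 2 (stopped, pages unmerged)
#   active:<N>        - ksmd running; N = pages_sharing (pages currently
#                       deduplicated onto a shared page)
ksm_status() {
    run=$(ksm_attr run)
    case "$run" in
        n/a) printf 'absent\n' ;;
        0|2) printf 'disabled\n' ;;
        1)   printf 'active:%s\n' "$(ksm_attr pages_sharing)" ;;
        *)   printf 'unknown:%s\n' "$run" ;;
    esac
}

# ksm_report: human-readable summary with the mitigation for the active case
ksm_report() {
    status=$(ksm_status)
    printf 'KSM directory : %s\n' "$KSM_DIR"
    printf 'run           : %s\n' "$(ksm_attr run)"
    printf 'pages_shared  : %s\n' "$(ksm_attr pages_shared)"
    printf 'pages_sharing : %s\n' "$(ksm_attr pages_sharing)"
    printf 'status        : %s\n' "$status"
    case "$status" in
        active:*)
            printf 'note: pages are being merged across processes/VMs on this host.\n'
            printf '      To stop merging and unmerge existing pages: echo 2 > %s/run\n' "$KSM_DIR"
            ;;
    esac
}

# Run the report when executed directly (harmless if KSM is absent).
ksm_report
```

Writing `2` to `run` stops ksmd and unmerges already-shared pages, which removes the cross-VM shared pages entirely; writing `0` only stops further merging. Either way the host loses the memory savings that deduplication was providing, which is the trade-off the talk's attack makes explicit.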


Presenters:

  • Thomas Gross - ETH Zurich
    Thomas Gross is a faculty member and professor at the computer science department of ETH Zurich. He has worked on the software and architecture of a variety of experimental computer systems. As a graduate student at Stanford, he participated in the (Stanford) MIPS project. At Carnegie Mellon, he was part of the Warp, iWarp and Fx projects. His current research focuses on compilers and network-aware applications.
  • Mathias Payer - Purdue University
    Mathias Payer is a security researcher and an assistant professor in computer science at Purdue University. His interests are related to system security, binary exploitation, user-space software-based fault isolation, binary translation/recompilation, and (application) virtualization. His research focuses on protecting applications even in the presence of vulnerabilities, with a focus on memory corruption. Before joining Purdue in 2014, he spent two years as a postdoc in Dawn Song's BitBlaze group at UC Berkeley. He graduated from ETH Zurich with a Dr. sc. ETH in 2012. The topic of his thesis is related to low-level binary translation and security. He analyzed different exploit techniques and wondered how we can enforce integrity for a subset of data (e.g., code pointers). All prototype implementations are open-source. In 2014, he started the b01lers Purdue CTF team.
  • Kaveh Razavi - VU University Amsterdam
    Kaveh Razavi is a systems researcher at the VU University Amsterdam. His research interest is in building reliable and secure computing systems. He has previously been part of a CERT team specializing in operating system security, has worked on authentication systems of a Swiss bank, and has spent two summers at Microsoft Research building large-scale system prototypes. He holds a BSc from Sharif University of Technology, Tehran, an MSc from ETH Zurich, and will defend his PhD degree at the VU University Amsterdam a week before Black Hat!
  • Antonio Barresi - xorlab
    Antonio Barresi is Co-founder and CEO of xorlab, a Swiss IT security company. Before founding xorlab, he worked at the Laboratory for Software Technology (LST) at ETH Zurich on software-security-related topics. His research interests are software and systems security. Before joining LST, he worked in industry as a Software Engineer, Security Consultant, and IT Risk Officer. He holds BSc and MSc degrees in Computer Science from ETH Zurich.
