73 research outputs found
ret2spec: Speculative Execution Using Return Stack Buffers
Speculative execution is an optimization technique that has been part of CPUs
for over a decade. It predicts the outcome and target of branch instructions to
avoid stalling the execution pipeline. However, until recently, the security
implications of speculative code execution have not been studied.
In this paper, we investigate a special type of branch predictor that is
responsible for predicting return addresses. To the best of our knowledge, we
are the first to study return address predictors and their consequences for the
security of modern software. In our work, we show how return stack buffers
(RSBs), the core unit of return address predictors, can be used to trigger
misspeculations. Based on this knowledge, we propose two new attack variants
using RSBs that give attackers similar capabilities as the documented Spectre
attacks. We show how local attackers can gain arbitrary speculative code
execution across processes, e.g., to leak passwords another user enters on a
shared system. Our evaluation showed that the recent Spectre countermeasures
deployed in operating systems can also cover such RSB-based cross-process
attacks. Yet we then demonstrate that attackers can trigger misspeculation in
JIT environments in order to leak arbitrary memory content of browser
processes. Reading outside the sandboxed memory region with JIT-compiled code
is still possible with 80\% accuracy on average.Comment: Updating to the cam-ready version and adding reference to the
original pape
What Scanners do at L7? Exploring Horizontal Honeypots for Security Monitoring
Honeypots are a common means to collect data useful for threat intelligence. Most efforts in this area rely on vertical systems and target a specific scenario or service to analyse data collected in such deployment. We here extend the analysis of the visibility of honeypots, by revisiting the problem from a horizontal perspective. We deploy a flexible honeypot system hosting multiple services, relying on the T-Pot project. We collect data for 5 months, recording millions of application requests from tens of thousands of sources. We compare if and how the attackers interact with multiple services. We observe attackers that always focus on one or few services, and others that target tens of services simultaneously. We dig further into the dataset, providing an initial horizontal analysis of brute-force attacks against multiple services. We show, for example, clear groups of attackers that rely on different password lists on different services. All in all, this work is our initial effort to build a horizontal system that can provide insights on attacks
SafeBet: Secure, Simple, and Fast Speculative Execution
Spectre attacks exploit microprocessor speculative execution to read and
transmit forbidden data outside the attacker's trust domain and sandbox. Recent
hardware schemes allow potentially-unsafe speculative accesses but prevent the
secret's transmission by delaying most access-dependent instructions even in
the predominantly-common, no-attack case, which incurs performance loss and
hardware complexity. Instead, we propose SafeBet which allows only, and does
not delay most, safe accesses, achieving both security and high performance.
SafeBet is based on the key observation that speculatively accessing a
destination location is safe if the location's access by the same static trust
domain has been committed previously; and potentially unsafe, otherwise. We
extend this observation to handle inter trust-domain code and data
interactions. SafeBet employs the Speculative Memory Access Control Table
(SMACT) to track non-speculative trust domain code region-destination pairs.
Disallowed accesses wait until reaching commit to trigger well-known replay,
with virtually no change to the pipeline. Software simulations using SpecCPU
benchmarks show that SafeBet uses an 8.3-KB SMACT per core to perform within 6%
on average (63% at worst) of the unsafe baseline behind which NDA-restrictive,
a previous scheme of security and hardware complexity comparable to SafeBet's,
lags by 83% on average
JShelter: Give Me My Browser Back
The Web is used daily by billions. Even so, users are not protected from many
threats by default. This position paper builds on previous web privacy and
security research and introduces JShelter, a webextension that fights to return
the browser to users. Moreover, we introduce a library helping with common
webextension development tasks and fixing loopholes misused by previous
research. JShelter focuses on fingerprinting prevention, limitations of rich
web APIs, prevention of attacks connected to timing, and learning information
about the computer, the browser, the user, and surrounding physical environment
and location. We discovered a loophole in the sensor timestamps that lets any
page observe the device boot time if sensor APIs are enabled in Chromium-based
browsers. JShelter provides a fingerprinting report and other feedback that can
be used by future security research and data protection authorities. Thousands
of users around the world use the webextension every day
Defense and Attack Techniques against File-based TOCTOU Vulnerabilities: a Systematic Review
File-based Time-of-Check to Time-of-Use (TOCTOU) race conditions are a well-known type of security vulnerability. A wide variety of techniques have been proposed to detect, mitigate, avoid, and exploit these vulnerabilities over the past 35 years. However, despite these research efforts, TOCTOU vulnerabilities remain unsolved due to their non-deterministic nature and the particularities of the different filesystems involved in running vulnerable programs, especially in Unix-like operating system environments. In this paper, we present a systematic literature review on defense and attack techniques related to the file-based TOCTOU vulnerability. We apply a reproducible methodology to search, filter, and analyze the most relevant research proposals to define a global and understandable vision of existing solutions. The results of this analysis are finally used to discuss future research directions that can be explored to move towards a universal solution to this type of vulnerability. Autho
- …