12 research outputs found
Drive-by Key-Extraction Cache Attacks from Portable Code
We show how malicious web content can extract cryptographic secret keys from the user\u27s computer.
The attack uses portable scripting languages supported by modern browsers to induce contention for CPU cache resources, and thereby gleans information about the memory accesses of other programs running on the user\u27s computer. We show how this side-channel attack can be realized in both WebAssembly and PNaCl; how to attain very fine-grained measurements; and how to use these to extract ElGamal, ECDH and RSA decryption keys from various cryptographic libraries.
The attack does not rely on bugs in the browser\u27s nominal sandboxing mechanisms, or on fooling users. It applies even to locked-down platforms with strong confinement mechanisms and browser-only functionality, such as Chromebook devices.
Moreover, on browser-based platforms the attacked software too may be written in portable JavaScript; and we show that in this case even implementations of supposedly-secure constant-time algorithms, such as Curve25519\u27s, are vulnerable to our attack
Undermining User Privacy on Mobile Devices Using AI
Over the past years, literature has shown that attacks exploiting the
microarchitecture of modern processors pose a serious threat to the privacy of
mobile phone users. This is because applications leave distinct footprints in
the processor, which can be used by malware to infer user activities. In this
work, we show that these inference attacks are considerably more practical when
combined with advanced AI techniques. In particular, we focus on profiling the
activity in the last-level cache (LLC) of ARM processors. We employ a simple
Prime+Probe based monitoring technique to obtain cache traces, which we
classify with Deep Learning methods including Convolutional Neural Networks. We
demonstrate our approach on an off-the-shelf Android phone by launching a
successful attack from an unprivileged, zeropermission App in well under a
minute. The App thereby detects running applications with an accuracy of 98%
and reveals opened websites and streaming videos by monitoring the LLC for at
most 6 seconds. This is possible, since Deep Learning compensates measurement
disturbances stemming from the inherently noisy LLC monitoring and unfavorable
cache characteristics such as random line replacement policies. In summary, our
results show that thanks to advanced AI techniques, inference attacks are
becoming alarmingly easy to implement and execute in practice. This once more
calls for countermeasures that confine microarchitectural leakage and protect
mobile phone applications, especially those valuing the privacy of their users
PThammer: Cross-User-Kernel-Boundary Rowhammer through Implicit Accesses
Rowhammer is a hardware vulnerability in DRAM memory, where repeated access
to memory can induce bit flips in neighboring memory locations. Being a
hardware vulnerability, rowhammer bypasses all of the system memory protection,
allowing adversaries to compromise the integrity and confidentiality of data.
Rowhammer attacks have shown to enable privilege escalation, sandbox escape,
and cryptographic key disclosures. Recently, several proposals suggest
exploiting the spatial proximity between the accessed memory location and the
location of the bit flip for a defense against rowhammer. These all aim to deny
the attacker's permission to access memory locations near sensitive data. In
this paper, we question the core assumption underlying these defenses. We
present PThammer, a confused-deputy attack that causes accesses to memory
locations that the attacker is not allowed to access. Specifically, PThammer
exploits the address translation process of modern processors, inducing the
processor to generate frequent accesses to protected memory locations. We
implement PThammer, demonstrating that it is a viable attack, resulting in a
system compromise (e.g., kernel privilege escalation). We further evaluate the
effectiveness of proposed software-only defenses showing that PThammer can
overcome those.Comment: Preprint of the work accepted at the International Symposium on
Microarchitecture (MICRO) 2020. arXiv admin note: text overlap with
arXiv:1912.0307