7 research outputs found
ret2spec: Speculative Execution Using Return Stack Buffers
Speculative execution is an optimization technique that has been part of CPUs
for over a decade. It predicts the outcome and target of branch instructions to
avoid stalling the execution pipeline. However, until recently, the security
implications of speculative code execution have not been studied.
In this paper, we investigate a special type of branch predictor that is
responsible for predicting return addresses. To the best of our knowledge, we
are the first to study return address predictors and their consequences for the
security of modern software. In our work, we show how return stack buffers
(RSBs), the core unit of return address predictors, can be used to trigger
misspeculations. Based on this knowledge, we propose two new attack variants
using RSBs that give attackers similar capabilities as the documented Spectre
attacks. We show how local attackers can gain arbitrary speculative code
execution across processes, e.g., to leak passwords another user enters on a
shared system. Our evaluation showed that the recent Spectre countermeasures
deployed in operating systems can also cover such RSB-based cross-process
attacks. Yet we then demonstrate that attackers can trigger misspeculation in
JIT environments in order to leak arbitrary memory content of browser
processes. Reading outside the sandboxed memory region with JIT-compiled code
is still possible with 80\% accuracy on average.Comment: Updating to the cam-ready version and adding reference to the
original pape
A Systematic Evaluation of Transient Execution Attacks and Defenses
Research on transient execution attacks including Spectre and Meltdown showed
that exception or branch misprediction events might leave secret-dependent
traces in the CPU's microarchitectural state. This observation led to a
proliferation of new Spectre and Meltdown attack variants and even more ad-hoc
defenses (e.g., microcode and software patches). Both the industry and academia
are now focusing on finding effective defenses for known issues. However, we
only have limited insight on residual attack surface and the completeness of
the proposed defenses.
In this paper, we present a systematization of transient execution attacks.
Our systematization uncovers 6 (new) transient execution attacks that have been
overlooked and not been investigated so far: 2 new exploitable Meltdown
effects: Meltdown-PK (Protection Key Bypass) on Intel, and Meltdown-BND (Bounds
Check Bypass) on Intel and AMD; and 4 new Spectre mistraining strategies. We
evaluate the attacks in our classification tree through proof-of-concept
implementations on 3 major CPU vendors (Intel, AMD, ARM). Our systematization
yields a more complete picture of the attack surface and allows for a more
systematic evaluation of defenses. Through this systematic evaluation, we
discover that most defenses, including deployed ones, cannot fully mitigate all
attack variants
Devil is Virtual: Reversing Virtual Inheritance in C++ Binaries
Complexities that arise from implementation of object-oriented concepts in
C++ such as virtual dispatch and dynamic type casting have attracted the
attention of attackers and defenders alike.
Binary-level defenses are dependent on full and precise recovery of class
inheritance tree of a given program.
While current solutions focus on recovering single and multiple inheritances
from the binary, they are oblivious to virtual inheritance. Conventional wisdom
among binary-level defenses is that virtual inheritance is uncommon and/or
support for single and multiple inheritances provides implicit support for
virtual inheritance. In this paper, we show neither to be true.
Specifically, (1) we present an efficient technique to detect virtual
inheritance in C++ binaries and show through a study that virtual inheritance
can be found in non-negligible number (more than 10\% on Linux and 12.5\% on
Windows) of real-world C++ programs including Mysql and libstdc++. (2) we show
that failure to handle virtual inheritance introduces both false positives and
false negatives in the hierarchy tree. These false positves and negatives
either introduce attack surface when the hierarchy recovered is used to enforce
CFI policies, or make the hierarchy difficult to understand when it is needed
for program understanding (e.g., during decompilation). (3) We present a
solution to recover virtual inheritance from COTS binaries. We recover a
maximum of 95\% and 95.5\% (GCC -O0) and a minimum of 77.5\% and 73.8\% (Clang
-O2) of virtual and intermediate bases respectively in the virtual inheritance
tree.Comment: Accepted at CCS20. This is a technical report versio
On the detection of Kernel-level rootkits using hardware performance counters
Recent work has investigated the use of hardware perfor- mance counters (HPCs) for the detection of malware run- ning on a system. These works gather traces of HPCs for a variety of applications (both malicious and non-malicious) and then apply machine learning to train a detector to dis- tinguish between benign applications and malware. In this work, we provide a more comprehensive analysis of the ap- plicability of using machine learning and HPCs for a specific subset of malware: kernel rootkits. We design five synthetic rootkits, each providing a single piece of rootkit functionality, and execute each while collect- ing HPC traces of its impact on a specific benchmark ap- plication. We then apply machine learning feature selection techniques in order to determine the most relevant HPCs for the detection of these rootkits. We identify 16 HPCs that are useful for the detection of hooking based roots, and also find that rootkits employing direct kernel object manipula- tion (DKOM) do not significantly impact HPCs. We then use these synthetic rootkit traces to train a detection system capable of detecting new rootkits it has not seen previously with an accuracy of over 99%. Our results indicate that HPCs have the potential to be an effective tool for rootkit detection, even against new rootkits not previously seen by the detector.This paper was made possible by NPRP grants 4-1593-1-260 and 8-1474-2-626 from the Qatar National Research Fund (a member of Qatar Foundation). The statements made herein are solely the responsibility of the authors. The authors would also like to thank Aisha Hasan as well as the reviewers for their helpful comments on this work.Scopu