Nasty Side-Channel Attack Vulnerability (Again) In Windows & Linux
A new variant of side-channel attack is recently discovered being actively exploited in the wild against Windows and Linux targets. Publicly revealed in a paper titled ‘Page Cache Attacks’ published by a group of researchers headed by Daniel Gruss, Erik Kraft, Trishita Tiwari, Michael Schwarz and other members from Graz University of Technology and Boston University. Side-channel attacks are alternative exploitation scenarios of a computer through cache, acoustic, electromagnetic, sound, power or timing information. Hardware agnostic attacks are very difficult to track down; it takes a lot of study of the behavior of the computer equipment to realize something is wrong with them.
“Our side-channel permits unprivileged monitoring of some memory accesses of other processes, with a spatial resolution of 4 kB and a temporal resolution of 2 µs on Linux (restricted to 6.7 measurements per second) and 466 ns on Windows (restricted to 223 measurements per second); this is roughly the same order of magnitude as the current state of-the-art cache attacks,” explained the researchers.
The Page Cache is a special partition in a computer memory which is currently being used by a running program. This portion is directly supervised by the operating system, hence easily programmable in contrast to the cache residing in the computer’s hard drive or processor die.
“We present a set of local attacks that work entirely without any timers, utilizing operating system calls (mincore on Linux and QueryWorkingSetEx on Windows) to elicit page cache information. We also show that page cache metadata can leak to a remote attacker over a network channel, producing a stealthy covert channel between a malicious local sender process and an external attacker,” added the researchers.
Both Microsoft and Linux teams were informed about the issue presented in the paper, and all of their disclosures have known mitigation procedures as implemented by both Microsoft and Linux teams. This usually comes as an update to both Linux and Windows core system files and libraries to mitigate the concerns raised by the paper’s authors.
“We present several ways to mitigate our attack in software, and observe that certain page replacement algorithms reduce the applicability of our attack while simultaneously improving the system performance. In our responsible disclosure, both Microsoft and the Linux security team acknowledged the problem and informed us that they will follow our recommendations with security patches to mitigate our attack,” said the researchers.
The advantage of the discovered side-channel attack is the amount of data that can be recovered, with a spatial resolution of 4KB, information leakage will be a desirable goal for any attacker who will try to pull such type of attack. With 4KB information per two microseconds, that is much more information extraction than a keystroke logger attack. It basically means the side-channel attack revealed by the group of researchers will be able to extract information from a computer as fast as 6 keystrokes per second, as fast as the world’s fastest typist.
The real danger with this is such an attack don’t need to occur on site, it can be pulled-off remotely through remote exploitation technique. A simple malware that can run a code in ‘regular user’ privilege can retrieve the data captured by the side-channel attack. All Linux and Windows users are expected to install the system updates as soon as it becomes available for download.