back

Memory Deduplication: The Curse that Keeps on Giving

A tale of 3 different memory deduplication based exploitation techniques

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
00:59:10
Language
English
Abstract
We are 4 security researchers who have collectively worked on 3 different attack techniques that all (ab)use memory deduplication in one way or another. There is a cross-vm data leak attack, a cross-vm data write attack, and an in-sandbox (MS Edge) Javascript data leak + full memory read/write attack based in MS Edge.

In this talk we detail how memory deduplication works and the many different ways it is exploited in our attacks.

Memory deduplication is a widely applied technique to reduce memory consumption in servers, VM hosts, desktop systems and even mobile devices. Deduplication maps multiple identical copies of a physical page onto a single shared copy with copy-on-write semantics. As a result, a write to such a shared page triggers a page fault and is thus measurably slower than a write to a unshared page. Prior work has shown that an attacker able to craft pages on the target system can use this timing difference as a simple single-bit side channel to discover that certain pages exist in the system.

In this talk, we show that the security implications of using memory deduplication are much more severe than initially assumed. We show that by maliciously programming memory deduplication, an attacker can build primitives to read arbitrary data from memory and even write to memory in a limited but powerful way. We exemplify these primitives using three attacks that we have recently developed.

The first attack, CAIN, uses memory deduplication to brute-force ASLR’s entropy bits from a co-hosted victim VM. The second attack, Dedup Est Machina, extends CAIN in order to leak arbitrary data such as ASLR heap/code pointers and password hashes in a victim’s browser from JavaScript. Using the leaked pointers, Dedup Est Machina uses a Rowhammer exploit to own Microsoft Edge without relying on a single software vulnerability. The third attack, Flip Feng Shui, uses memory deduplication to control the placement of a co-hosted victim VM’s sensitive information on physical memory for building a sophisticated Rowhammer attack on RSA public keys. Flip Feng Shui makes cross-VM Rowhammer attacks precise, fast and reliable. As an example, Flip Feng Shui compromises the OpenSSH server of a victim VM in less than 10 minutes in 84% of the cases.

We conclude memory deduplication is fatal for security in more ways than one.

Speaker BIOs:


Kaveh
Kaveh Razavi is a security researcher at the Vrije Universiteit Amsterdam in the Netherlands. He is currently mostly interested in reliable exploitation and mitigation of hardware vulnerabilities and side-channel attacks on OS/hardware interfaces. He has previously been part of a CERT team specializing on operating system security, has worked on authentication systems of a Swiss bank, and has spent two summers in Microsoft Research building large-scale system prototypes. He holds a BSc from Sharif University of Technology, Tehran, an MSc from ETH Zurich and a PhD from Vrije Universiteit Amsterdam.

Ben
Ben Gras has been part of the systems security research group at the Vrije Universiteit Amsterdam since 2015. Previously, he was a scientific programmer working on the Minix operating system under Andy Tanenbaum for 10 years.

Erik
Erik Bosman is a PhD student in the Systems and Network Security group at the Vrije Universiteit Amsterdam in the Netherlands. He is currently working on novel side-channel attacks for leaking sensitive information from the OS and applications. He has previously developed Signal Return-Oriented Programming, a highly portable exploitation technique that abuses signal frames for creating a weird machine that the attackers can program. His minemu system is the world’s fastest dynamic taint-tracker that can be used to protect binaries against memory corruption attacks.

Antonio
Antonio Barresi is Co-founder and CEO of xorlab, a Swiss IT security company. Before founding xorlab, he worked at the Laboratory for Software Technology (LST) at ETH Zurich on software security related topics. His research interests are software and systems security. Before joining LST, he worked in industry as a Software Engineer, Security Consultant, and IT Risk Officer. He holds a BSc and MSc degree in Computer Science from ETH Zurich.

Talk ID
8022
Event:
33c3
Day
3
Room
Saal 6
Start
12:45 p.m.
Duration
01:00:00
Track
Security
Type of
lecture
Speaker
Ben Gras
Kaveh Razavi
Antonio Barresi
brainsmoke
Talk Slug & media link
33c3-8022-memory_deduplication_the_curse_that_keeps_on_giving
English
0.0% Checking done0.0%
0.0% Syncing done0.0%
0.0% Transcribing done0.0%
100.0% Nothing done yet100.0%
  

Work on this video on Amara!

English: Transcribed until

Last revision: 2 years, 8 months ago