Abstract
In this paper, we analyze the hardware-based Meltdown mitigations in recent Intel microarchitectures, revealing that illegally accessed data is only zeroed out. Hence, while non-present loads stall the CPU, illegal loads are still executed. We present EchoLoad, a novel technique to distinguish load stalls from transiently executed loads. EchoLoad allows detecting physically backed addresses from unprivileged applications, breaking KASLR in 40 s on the newest Meltdown- and MDS-resistant Cascade Lake microarchitecture. As EchoLoad relies only on memory loads, it runs in highly restricted environments, e.g., SGX or JavaScript, making it the first JavaScript-based KASLR break. Based on EchoLoad, we demonstrate the first proof-of-concept Meltdown attack from JavaScript on systems that are still broadly unpatched against Meltdown, i.e., 32-bit x86 operating systems. We propose FLARE, a generic mitigation against known microarchitectural KASLR breaks with negligible overhead. By mapping unused kernel addresses to a reserved page and mirroring the permission bits of neighboring mappings, we make used and unused kernel memory indistinguishable, i.e., the entire kernel address space behaves uniformly, mitigating the root cause behind microarchitectural KASLR breaks. Given the incomplete hardware mitigations, we propose deploying FLARE even on recent CPUs.
Original language | English |
---|---|
Title of host publication | Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020 |
Publisher | ACM/IEEE |
Pages | 481-493 |
Number of pages | 13 |
ISBN (Electronic) | 9781450367509 |
DOIs | |
Publication status | Published - 5 Oct 2020 |
Event | 15th ACM ASIA Conference on Computer and Communications Security: AsiaCCS 2020 - Virtual. Duration: 5 Oct 2020 → 9 Oct 2020 |
Publication series
Name | Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020 |
---|---|
Conference
Conference | 15th ACM ASIA Conference on Computer and Communications Security |
---|---|
Abbreviated title | AsiaCCS 2020 |
City | Virtual |
Period | 5/10/20 → 9/10/20 |
Keywords
- meltdown
- side-channel attack
- transient execution
- kaslr
- countermeasure
- reverse engineering
- KASLR
ASJC Scopus subject areas
- Software
- Computer Networks and Communications
Projects
- 3 Finished
  - Leakage-Free - Hardware-Software Information Flow Analysis for Leakage-Free Code Generation (1/10/18 → 30/09/20). Project: Research project
  - Espresso - Scalable hardware-secured authentication and personalization of intelligent sensor nodes (1/05/18 → 31/10/20). Project: Research project
Activities
- 2 Talk at conference or symposium
  - Store-to-Leak Forwarding: There and Back Again. Claudio Alberto Canella (Speaker), Lukas Giner (Speaker) & Michael Schwarz (Speaker). 2 Oct 2020. Activity: Talk or presentation › Talk at conference or symposium › Science to science
  - KASLR: Break It, Fix It, Repeat. Claudio Alberto Canella (Speaker). 7 Oct 2020. Activity: Talk or presentation › Talk at conference or symposium › Science to science