Europe Research Interest Group Meeting [May 2022]
Remote Memory-Deduplication Attacks – Remotely Leaking Secrets via Same-Domain Deduplication
by Dan Gruss and Martin Schwarzl
Cloud providers use memory deduplication to reduce the memory utilization of their systems. Memory deduplication merges memory pages with identical content and maps them with copy-on-write semantics. Previous work showed that memory deduplication can be exploited in a local scenario to break ASLR, mount Rowhammer attacks and fingerprint applications. Countermeasures have been proposed to disable memory deduplication across security domains. Memory deduplication was re-enabled within a security domain on Windows as well as on Linux server systems.
In this talk, we present remote memory-deduplication attacks. We show that memory-deduplication attacks are not limited to local code execution by mounting powerful attacks over the internet. We demonstrate that web applications that use in-memory caching like Memcached can be remotely exploited without any user interaction. An attacker can use this remote timing side channel to leak sensitive information. Using amplification, our side channel leaks up to 34.41 B/h across the internet (14 hops). We show how fingerprinting can be performed on operating systems and shared libraries. Our remote KASLR break defeats KASLR on a remote server in a few minutes via both HTTP/1.1 and HTTP/2. By using a leakage primitive to change the alignment of attacker-controlled data, we enable byte-by-byte data leakage of MySQL database records.
We evaluate state-of-the-art mitigations and argue that some are insufficient to mitigate remote memory-deduplication attacks. We outline challenges for future research on remote memory-deduplication attacks. Full technical details can be found in our NDSS 2022 paper “Remote Memory-Deduplication Attacks”.
Dan Gruss and Martin Schwarzl are researchers from the Institute of Applied Information Processing and Communications (IAIK) at the Graz University of Technology, Austria. Their research focuses on software-based attacks and defenses on microarchitectural layers in hardware and software.