A group of researchers from the Graz University of Technology (Austria), previously known for developing the MDS, NetSpectre, Throwhammer and ZombieLoad attacks, disclosed a few days ago a new attack method (CVE-2021-3714) that uses side channels in the memory page deduplication mechanism to determine the presence of certain data in memory, leak memory contents byte by byte, or determine the memory layout in order to bypass protection based on address randomization (ASLR).
The new method differs from previously demonstrated attacks on the deduplication mechanism in that it is carried out from an external host, using as its criterion the change in response time to requests sent by the attacker over the HTTP/1 and HTTP/2 protocols. The attack was demonstrated for Linux and Windows servers.
Memory deduplication attacks exploit the difference in the processing time of a write operation as a channel for information leakage, in situations where a data change leads to the cloning of a deduplicated memory page through the copy-on-write (COW) mechanism.
During deduplication, the kernel identifies identical memory pages belonging to different processes and merges them, mapping them to a single area of physical memory so that only one copy is stored. When one of the processes tries to change data on a deduplicated page, an exception (page fault) is raised and the copy-on-write mechanism automatically creates a separate copy of the memory page, which is allocated to that process. The copy takes additional time, which may be a sign that the data change overlaps with another process.
Researchers have shown that the resulting delays of the COW mechanism can be captured not only locally, but also by analyzing the change in delivery time of responses over the network.
With this information, the researchers have proposed several methods to determine the contents of memory from a remote host by analyzing the execution time of requests sent over the HTTP/1 and HTTP/2 protocols. To place the chosen patterns in memory, typical web applications are used that keep the information received in requests in memory.
The general principle of the attack boils down to filling a memory page on the server with data that potentially duplicates the content of a memory page already on the server. The attacker then waits for the time it takes the kernel to deduplicate and merge the memory page, modifies the controlled duplicate data, and measures the response time to determine whether the attempt was successful.
During the experiments carried out, the maximum information leakage rate was 34.41 bytes per hour for an attack over the WAN and 302.16 bytes per hour for an attack over a local network, which is faster than other side-channel data extraction methods (for example, in the NetSpectre attack the data transfer rate is 7.5 bytes per hour).
Three variants of the attack are proposed:
- The first variant makes it possible to determine data in the memory of a web server where Memcached is used. The attack boils down to loading certain data sets into Memcached storage, deleting a deduplicated block, rewriting the same element, and creating the conditions for a COW copy to occur when the contents of the block change.
- The second variant made it possible to learn the content of records in the MariaDB DBMS when InnoDB storage is used, recreating the content byte by byte. The attack is carried out by sending specially modified requests, generating one-byte mismatches in memory pages and analyzing the response time to determine whether the assumption about the content of the byte was correct. The rate of such a leak is low and amounts to 1.5 bytes per hour when attacking from a local network.
- The third variant made it possible to completely bypass the KASLR protection mechanism in 4 minutes and obtain information about the offset in memory of the virtual machine's kernel image, in a situation where the offset address is in a memory page whose other data does not change.
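A defender-side check for the deduplication mechanism described above, as an added example that is not from the original article or the researchers: on Linux, same-page merging is done by KSM, and the script below reads its standard sysfs counters to tell whether merged pages currently exist on a host. The KSM name and the `/sys/kernel/mm/ksm` path do not appear on the page, and the status labels are invented for this example.

```shell
#!/bin/sh
# Added example: report whether Linux page deduplication (KSM) is active.
# Assumption: the standard KSM sysfs directory; it is passed as a parameter
# so the function can also be run against constructed sample files.

ksm_read() {  # print the integer stored in a KSM sysfs file, or nothing
    if [ -r "$1/$2" ]; then tr -d '[:space:]' < "$1/$2"; fi
}

ksm_status() {
    ksm_dir="${1:-/sys/kernel/mm/ksm}"
    ksm_run="$(ksm_read "$ksm_dir" run)"
    if [ -z "$ksm_run" ]; then
        echo "unavailable"      # kernel built without KSM, or sysfs hidden
        return 0
    fi
    ksm_shared="$(ksm_read "$ksm_dir" pages_shared)"    # merged physical pages
    ksm_sharing="$(ksm_read "$ksm_dir" pages_sharing)"  # mappings saved by merging
    ksm_shared="${ksm_shared:-0}"
    ksm_sharing="${ksm_sharing:-0}"
    case "$ksm_run" in
        1)  # ksmd is scanning; merged pages mean COW timing differences exist
            if [ "$ksm_shared" -gt 0 ]; then
                echo "merging shared=$ksm_shared sharing=$ksm_sharing"
            else
                echo "scanning"
            fi ;;
        0)  # ksmd stopped, but pages merged earlier stay merged
            if [ "$ksm_shared" -gt 0 ]; then
                echo "stopped-still-merged shared=$ksm_shared sharing=$ksm_sharing"
            else
                echo "disabled"
            fi ;;
        2)  # run=2 stops ksmd and unmerges every shared page
            echo "disabled" ;;
        *)  echo "unknown run=$ksm_run" ;;
    esac
}

# Stand-alone use: inspect the local host (or a directory given as $1).
ksm_status "$@"
```

A result of `stopped-still-merged` means that writing 0 to `run` was not enough: writing 2 to `/sys/kernel/mm/ksm/run` is what breaks up the pages that were already merged.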