Abstract
We present a new generic cache template attack technique, LBTA, layered binary templating attacks. LBTA uses multiple coarser-grained side channels to speed up cache-line granularity templating, ranging from 64 B to 2 MB in practice and in theory beyond. We discover first-come-first-serve data placement and data deduplication during compilation and linking as novel security issues that introduce side-channel-friendly binary layouts. We exploit this in inter-keystroke timing attacks and, depending on the target, even full keylogging attacks (Demo: The user first announces via Signal messenger to send money to a friend, then switches to Chrome to visit a banking website and enters the credentials there. All keystrokes are correctly leaked. https://streamable.com/dgnuwk), e.g., on Chrome, Signal, Threema, Discord, and the passky password manager, indicating that all Chromium-based apps are affected.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
The Chrome binary had 100 MB in 2017 and 180 MB in 2022, an increase of 80%.
- 2.
- 3.
- 4.
References
Antti Korpi: xkbcat (2021). https://github.com/anko/xkbcat
Bacs, A., Musaev, S., Razavi, K., Giuffrida, C., Bos, H.: DUPEFS: leaking data over the network with filesystem deduplication side channels. In: FAST (2022)
Baert, M.: wayland-keylogger (2022). https://github.com/Aishou/wayland-keylogger
Bernstein, D.J.: Cache-Timing Attacks on AES (2005). http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
Borrello, P., D’Elia, D.C., Querzoni, L., Giuffrida, C.: Constantine: automatic side-channel resistance using efficient control and data flow linearization. In: CCS (2021)
Brasser, F., Müller, U., Dmitrienko, A., Kostiainen, K., Capkun, S., Sadeghi, A.R.: Software grand exposure: SGX cache attacks are practical. In: WOOT (2017)
Brennan, T., Rosner, N., Bultan, T.: JIT Leaks: inducing timing side channels through just-in-time compilation. In: S &P (2020)
Brotzman, R., Liu, S., Zhang, D., Tan, G., Kandemir, M.: CaSym: cache aware symbolic execution for side channel detection and mitigation. In: S &P (2019)
Brumley, B., Hakala, R.: Cache-Timing template attacks. In: AsiaCrypt (2009)
Carre, S., Dyseryn, V., Facon, A., Guilley, S., Perianin, T.: End-to-end automated cache-timing attack driven by machine learning. J. Cryptol. (2019)
Cauligi, S., et al.: FaCT: a flexible, constant-time programming language. In: SecDev (2017)
CEF: Chrome Embedded Framework (2022). https://github.com/chromiumembedded/cef
Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: CHES (2002)
Chromium: Speeding up Chrome’s release cycle (2022). https://blog.chromium.org/2021/03/speeding-up-release-cycle.html
Chung, S.C., Lee, J.W., Chang, H.C., Lee, C.Y.: A high-performance elliptic curve cryptographic processor over GF(p) with SPA resistance. In: International Symposium on Circuits and Systems (ISCAS) (2012)
Coppens, B., Verbauwhede, I., De Bosschere, K., De Sutter, B.: Practical mitigations for timing-based side-channel attacks on modern x86 processors. In: S &P (2009)
Costi, A., Johannesmeyer, B., Bosman, E., Giuffrida, C., Bos, H.: On the effectiveness of same-domain memory deduplication. In: European Workshop on Systems Security, pp. 29–35 (2022)
Crane, S., Homescu, A., Brunthaler, S., Larsen, P., Franz, M.: Thwarting cache side-channel attacks through dynamic software diversity. In: NDSS (2015)
Dall, F., et al.: Cachequote: efficiently recovering long-term secrets of SGX EPID via cache attacks. In: CHES (2018)
Diao, W., Liu, X., Li, Z., Zhang, K.: No pardon for the interruption: new inference attacks on android through interrupt timing analysis. In: S &P (2016)
Domas, C.: M/o/Vfuscator (2015). https://github.com/xoreaxeaxeax/movfuscator
Doychev, G., Feld, D., Kopf, B., Mauborgne, L., Reineke, J.: CacheAudit: a tool for the static analysis of cache side channels. In: USENIX Security Symposium (2013)
Electron: Electron Apps (2022). https://www.electronjs.org/apps
Electron JS: Electron Internals: Building Chromium as a Library (2022). https://www.electronjs.org/blog/electron-internals-building-chromium-as-a-library
Fu, Y., Bauman, E., Quinonez, R., Lin, Z.: SGX-LAPD: thwarting controlled side channel attacks via enclave verifiable page faults. In: RAID (2017)
García, C.P., Brumley, B.B.: Constant-time callees with variable-time callers. In: USENIX Security Symposium (2017)
Götzfried, J., Eckert, M., Schinzel, S., Müller, T.: Cache attacks on intel SGX. In: EuroSec (2017)
Gras, B., Razavi, K., Bosman, E., Bos, H., Giuffrida, C.: ASLR on the line: practical cache attacks on the MMU. In: NDSS (2017)
Gruss, D., Bidner, D., Mangard, S.: Practical memory deduplication attacks in sandboxed JavaScript. In: ESORICS (2015)
Gruss, D., et al.: Page cache attacks. In: CCS (2019)
Gruss, D., Maurice, C., Fogh, A., Lipp, M., Mangard, S.: Prefetch side-channel attacks: bypassing SMAP and kernel ASLR. In: CCS (2016)
Gruss, D., Spreitzer, R., Mangard, S.: Cache template attacks: automating attacks on inclusive last-level caches. In: USENIX Security Symposium (2015)
halolinux: Page Cache Readahead (2022). https://www.halolinux.us/kernel-architecture/page-cache-readahead.html
Harnik, D., Pinkas, B., Shulman-Peleg, A.: Side channels in cloud services, the case of deduplication in cloud storage. IEEE Secur. Privacy 8(6), 40–47 (2010)
Hund, R., Willems, C., Holz, T.: Practical timing side channel attacks against kernel space ASLR. In: S &P (2013)
Moser, J.R.: Optimizing Linker Load Times (2006). https://lwn.net/Articles/192624/
Corbet, J.: Fixing page-cache side channels, second attempt (2019). https://lwn.net/Articles/778437/
Keelveedhi, S., Bellare, M., Ristenpart, T.: DupLESS: server-aided encryption for deduplicated storage. In: USENIX Security Symposium (2013)
Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9
Li, G., et al.: SCNet: A Neural Network for Automated Side-Channel Attack. arXiv:2008.00476 (2020)
Lipp, M., Gruss, D., Spreitzer, R., Maurice, C., Mangard, S.: ARMageddon: cache attacks on mobile devices. In: USENIX Security Symposium (2016)
Maurice, C., et al.: Hello from the other side: SSH over robust cache covert channels in the cloud. In: NDSS (2017)
Medwed, M., Oswald, E.: Template attacks on ECDSA. In: Chung, K.-I., Sohn, K., Yung, M. (eds.) WISA 2008. LNCS, vol. 5379, pp. 14–27. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00306-6_2
Moghimi, A., Irazoqui, G., Eisenbarth, T.: CacheZoom: how SGX amplifies the power of cache attacks. In: CHES (2017)
nxmnpg.lemoda: Manual Pages - LD.LLD (2022). https://nxmnpg.lemoda.net/1/ld.lld
Oren, Y., Kemerlis, V.P., Sethumadhavan, S., Keromytis, A.D.: The spy in the sandbox: practical cache attacks in JavaScript and their implications. In: CCS (2015)
Page, D.: A note on side-channels resulting from dynamic compilation. Cryptology ePrint archive, Report 2006/349 (2006)
Rane, A., Lin, C., Tiwari, M.: Raccoon: closing digital side-channels through obfuscated execution. In: USENIX Security Symposium (2015)
Rechberger, C., Oswald, E.: Practical template attacks. In: WISA (2004)
Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: CCS (2009)
Ueyama, R.: lld: A Fast, Simple and Portable Linker (2017). https://llvm.org/devmtg/2017-10/slides/Ueyama-lld.pdf
Russinovich, M.E., Solomon, D.A., Ionescu, A.: Windows Internals. Pearson Education, London (2012)
Saileshwar, G., Fletcher, C.W., Qureshi, M.: Streamline: a fast, flushless cache covert-channel attack by enabling asynchronous collusion. In: ASPLOS (2021)
Schwarz, M., Lackner, F., Gruss, D.: JavaScript template attacks: automatically inferring host information for targeted exploits. In: NDSS (2019)
Schwarz, M., Lipp, M., Canella, C.: misc0110/PTEditor: a small library to modify all page-table levels of all processes from user space for x86_64 and ARMv8 (2018). https://github.com/misc0110/PTEditor
Schwarz, M., et al.: KeyDrown: eliminating software-based keystroke timing side-channel attacks. In: NDSS (2018)
Schwarzl, M., Canella, C., Gruss, D., Schwarz, M.: Specfuscator: evaluating branch removal as a spectre mitigation. In: FC (2021)
Schwarzl, M., Kraft, E., Lipp, M., Gruss, D.: Remote page deduplication attacks. In: NDSS (2022)
Shih, M.W., Lee, S., Kim, T., Peinado, M.: T-SGX: eradicating controlled-channel attacks against enclave programs. In: NDSS (2017)
Simon, L., Chisnall, D., Anderson, R.: What you get is what you C: controlling side effects in mainstream C compilers. In: EuroS &P (2018)
Song, D.X., Wagner, D., Tian, X.: Timing analysis of keystrokes and timing attacks on SSH. In: USENIX Security Symposium (2001)
statcounter Global Stats: Browser Market Share Worldwide (2022). https://gs.statcounter.com/
Suzaki, K., Iijima, K., Yagi, T., Artho, C.: Memory deduplication as a threat to the guest OS. In: EuroSys (2011)
Van Bulck, J., Weichbrodt, N., Kapitza, R., Piessens, F., Strackx, R.: Telling your secrets without page faults: stealthy page table-based attacks on enclaved execution. In: USENIX Security Symposium (2017)
Van Cleemput, J., De Sutter, B., De Bosschere, K.: Adaptive compiler strategies for mitigating timing side channel attacks. TDSC 17(1), 35–49 (2017)
Van Schaik, S., Giuffrida, C., Bos, H., Razavi, K.: Malicious management unit: why stopping cache attacks in software is harder than you think. In: USENIX Security Symposium (2018)
Viswanathan, V.: Disclosure of Hardware Prefetcher Control on Some Intel Processors (2014). https://web.archive.org/web/20160304031330/https://software.intel.com/en-us/articles/disclosure-of-hw-prefetcher-control-on-some-intel-processors
Wajahat, A., Imran, A., Latif, J., Nazir, A., Bilal, A.: A novel approach of unprivileged keylogger detection. In: iCoMET (2019)
Wang, D., et al.: Unveiling your keystrokes: a cache-based side-channel attack on graphics libraries. In: NDSS (2019)
Wang, S., Wang, P., Liu, X., Zhang, D., Wu, D.: CacheD: identifying cache-based timing channels in production software. In: USENIX (2017)
Webnicer Ltd: chrome-downloads (2022). https://github.com/webnicer/chrome-downloads/
Weiser, S., Spreitzer, R., Bodner, L.: Single trace attack against RSA key generation in intel SGX SSL. In: AsiaCCS (2018)
Wichelmann, J., Moghimi, A., Eisenbarth, T., Sunar, B.: MicroWalk: a framework for finding side channels in binaries. In: ACSAC (2018)
Wichelmann, J., Sieck, F., Pätschke, A., Eisenbarth, T.: Microwalk-ci: practical side-channel analysis for javascript applications. arXiv preprint arXiv:2208.14942 (2022)
Xu, Y., Cui, W., Peinado, M.: Controlled-channel attacks: deterministic side channels for untrusted operating systems. In: S &P (2015)
Xu, Y., Bailey, M., Jahanian, F., Joshi, K., Hiltunen, M., Schlichting, R.: An exploration of L2 cache covert channels in virtualized environments. In: CCSW (2011)
Yarom, Y., Falkner, K.: Flush+reload: a high resolution, low noise, L3 cache side-channel attack. In: USENIX Security Symposium (2014)
Yuan, Y., Pang, Q., Wang, S.: Automated Side Channel Analysis of Media Software with Manifold Learning. arXiv preprint arXiv:2112.04947 (2021)
Zhang, K., Wang, X.: Peeping tom in the neighborhood: keystroke eavesdropping on multi-user systems. In: USENIX Security Symposium (2009)
Acknowledgments
We want to thank our anonymous reviewers for valueable feedback on the draft. This work was supported by a generous gift from Red Hat Research. We want to thank Hanna Müller, Claudio Canella, Michael Schwarz and Moritz Lipp for valuable feedback. Any opinions or recommendations expressed are those of the authors and do not necessarily reflect the views of the funding parties.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Schwarzl, M., Kraft, E., Gruss, D. (2023). Layered Binary Templating. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13905. Springer, Cham. https://doi.org/10.1007/978-3-031-33488-7_2
Download citation
DOI: https://doi.org/10.1007/978-3-031-33488-7_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-33487-0
Online ISBN: 978-3-031-33488-7
eBook Packages: Computer ScienceComputer Science (R0)