DOI: 10.1145/3545948.3545965

Exploiting Metaobjects to Reinforce Data Leakage Attacks

Published: 26 October 2022

Abstract

Reflective features in modern programming languages allow programs to introspect and modify their own structure and behavior at runtime. As these self-referential capabilities are widely adopted in practice, the security of reflective systems becomes crucial. In this paper, we consider an adversary against reflective systems who has access to a data leakage channel that has previously been considered too impractical to pose a realistic threat. In particular, we show that a crucial component of reflection, the metaobject, can be exploited to reinforce such data leakage channels. We introduce a novel attack strategy that uses certain metaobjects as in-memory gadgets to leak data in a selective, target-oriented manner, consequently eliminating the unnecessary sampling that is inevitable in naive data leakage attacks. This approach significantly narrows the data space subject to extraction and thereby raises the practicality of the underlying data leakage channel. As an instantiation of our strategy, we propose and demonstrate SMDL, a framework that exploits reflection to reinforce Meltdown-type attacks in order to steal valuable data from the victim's memory. To demonstrate the efficacy of our attack, we implement SMDL against two different target applications, a cryptographic library and a deep learning service, and show that the secret key and the neural network can be extracted with high accuracy and efficiency. Finally, we suggest metaobject obfuscation techniques to mitigate such exploitation.


Published In

RAID '22: Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses
October 2022, 536 pages
ISBN: 9781450397049
DOI: 10.1145/3545948
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. meltdown
  2. memory disclosure
  3. reflective programming

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

RAID 2022

Acceptance Rates

Overall Acceptance Rate 43 of 173 submissions, 25%
