Researchers from a combination of academic and corporate backgrounds have disclosed a newly discovered side-channel attack technique that targets the operating system page cache and affects devices regardless of hardware architecture or OS.
"The page cache is a pure software cache that contains all disk-backed pages, including program binaries, shared libraries,and other files, and our attacks thus work across cores and CPUs," warns a new report issued by researchers from Graz University of Technology, Boston University, NetApp, CrowdStrike and Intel Corporation.
The technique allows unprivileged actors to monitor instances of memory access involving certain processes, thereby enabling them to execute a variety of local and remote attacks. Under certain instances, malicious hackers could potentially use this exploit to set up covert channels between segregated processes, engage in clickjacking (via UI redressing), perform keystroke-timing attacks, steal passwords from vulnerable PHP scripts, and remotely leak information across a network.
"We present a set of local attacks that work entirely without any timers, utilizing operating system calls (mincore on Linux and QueryWorkingSetEx on Windows) to elicit page cache information," the paper states. "We also show that page cache metadata can leak to a remote attacker over a network channel, producing a stealthy covert channel between a malicious local sender process and an external attacker."
Although the researchers focused on Linux and Windows-based systems, reports state that the technique could be applied against MacOS machines as well, since all modern operating systems implement a page cache.
In their paper, researchers suggest a number of mitigations, including
modifying the operating system implementation and instituting certain page replacement algorithms to "reduce the applicability of our attack while simultaneously improving the system performance."
The researchers said Microsoft's and Linux's security teams are working on developing fixes for the underlying vulnerability that makes this side-channel attack possible. Microsoft reportedly already addressed the issue in its Windows 10 Insider Preview Build 18305, but plans to issue a public fix later this year.
Meanwhile, the Linux version of the page cache bug has reportedly been designated as CVE-2019-5489. (Chief Linux developer Linus Torvalds addresses the issue here.) The MITRE Corporation's official CVE entry describes the flaw as follows: "The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information... Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server."
"This attack class presents a significantly lower complexity barrier than previous hardware-based side-channel attacks and can easily be put into practice by threat actors, both nation state as well as cyber gangs," said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks." In particular, password recovery via unprivileged applications is a major worry as it would be available to most unwanted software bundlers and other programs typically thought of as relatively harmless."
"There is not much that an end user can currently do to protect themselves against this type of attack except to not run any software from a shady source, even if it does not raise any antivirus flag," Hahad continued.
"This is some really fascinating research. The team has demonstrated how a fundamental concept in modern OS architecture can be abused," said Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team (VERT). "This problem stems from overly permissive operating system designs giving unprivileged processes too much access to certain cache related system calls. The good thing is that these techniques are not rooted in hardware and can in fact be mostly mitigated by disallowing unprivileged use of specific system calls and limiting the disclosure of sensitive information."
