[Info-vax] Page cache side-channel attack revealed
Brian_R
brian.a.reiter at gmail.com
Mon Jan 7 05:05:37 EST 2019
>
> |"We present a set of local attacks that work entirely without any timers,
> |utilizing operating system calls (mincore on Linux and QueryWorkingSetEx on
> |Windows) to elicit page cache information," wrote the researchers. "We also
> |show that page cache metadata can leak to a remote attacker over a network
> |channel, producing a stealthy covert channel between a malicious local
> |sender process and an external attacker."
>
I haven't looked too closely, but QueryWorkingSetEx requires a process with PROCESS_QUERY_INFORMATION and PROCESS_VM_READ access rights. I'd be more concerned as to why the attacker can get those rights, as by that point they're already likely to be in a position to cause grief. It also looks as though the Linux issues have been fixed.
I suppose any highly privileged on any OS can do something similar, if the cache metadata can be extracted from the returned information.
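For readers who want to see the Linux primitive the quoted researchers name, the following is an added example, not code from the post above or from the paper: a minimal page-cache residency probe built on mincore(2), with posix_fadvise(POSIX_FADV_DONTNEED) as the eviction step. The file path is a hypothetical scratch location and the file contents are constructed on the spot. On kernels from 5.0 onward, mincore only reports true page-cache residency for files the caller owns or can write (otherwise it reflects only pages the caller has itself mapped in), so on a patched kernel this probe is honest for the demo file it creates but no longer leaks residency of arbitrary read-only files such as shared libraries.

```c
// Added example (not from the original post or paper): page-cache residency
// probe via mincore(2), plus the eviction step, on Linux.
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Count how many pages of `path` are resident in the page cache.
 * Returns the resident page count (or -1 on error) and stores the total
 * page count in *total. The mapping is PROT_READ/MAP_SHARED and is never
 * touched, so the probe itself does not fault any pages in. */
long resident_pages(const char *path, long *total) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    long page = sysconf(_SC_PAGESIZE);
    long npages = (st.st_size + page - 1) / page;
    if (total) *total = npages;
    if (npages == 0) { close(fd); return 0; }
    void *map = mmap(NULL, (size_t)st.st_size, PROT_READ, MAP_SHARED, fd, 0);
    close(fd);
    if (map == MAP_FAILED) return -1;
    unsigned char *vec = calloc((size_t)npages, 1);
    if (!vec) { munmap(map, (size_t)st.st_size); return -1; }
    long resident = -1;
    if (mincore(map, (size_t)st.st_size, vec) == 0) {
        resident = 0;
        for (long i = 0; i < npages; i++) resident += vec[i] & 1; /* bit 0 = resident */
    }
    free(vec);
    munmap(map, (size_t)st.st_size);
    return resident;
}

/* Eviction step: ask the kernel to drop the file's clean pages from the cache.
 * Returns 0 on success, -1 on error. Dirty pages are not dropped, which is why
 * write_sample_file() below fsyncs before handing the file to this probe. */
int evict_file(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    int rc = posix_fadvise(fd, 0, 0, POSIX_FADV_DONTNEED);
    close(fd);
    return rc == 0 ? 0 : -1;
}

/* Create a constructed sample file of `npages` full pages and flush it, so its
 * pages are clean (evictable) but still cached. Returns 0 on success. */
int write_sample_file(const char *path, long npages) {
    long page = sysconf(_SC_PAGESIZE);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    char *buf = malloc((size_t)page);
    if (!buf) { close(fd); return -1; }
    memset(buf, 'A', (size_t)page);
    for (long i = 0; i < npages; i++) {
        if (write(fd, buf, (size_t)page) != (ssize_t)page) { free(buf); close(fd); return -1; }
    }
    free(buf);
    int rc = fsync(fd);
    close(fd);
    return rc == 0 ? 0 : -1;
}

int main(void) {
    const char *path = "/tmp/pagecache_probe_demo.bin"; /* hypothetical scratch path */
    if (write_sample_file(path, 4) != 0) { perror("write_sample_file"); return 1; }
    long total = 0;
    printf("after write:    %ld/%ld pages resident\n", resident_pages(path, &total), total);
    if (evict_file(path) != 0) perror("evict_file");
    printf("after DONTNEED: %ld/%ld pages resident\n", resident_pages(path, &total), total);
    unlink(path);
    return 0;
}
```

The attack loop in the paper is exactly this pair of operations repeated: evict, let the victim run, probe. On tmpfs the eviction has no effect because those pages live only in memory, so run the demo on a disk-backed filesystem to see the count drop.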