[Info-vax] Page cache side-channel attack revealed

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Mon Jan 7 08:28:08 EST 2019


On 2019-01-07, Brian_R <brian.a.reiter at gmail.com> wrote:
>
>> 
>> |"We present a set of local attacks that work entirely without any timers,
>> |utilizing operating system calls (mincore on Linux and QueryWorkingSetEx on
>> |Windows) to elicit page cache information," wrote the researchers. "We also
>> |show that page cache metadata can leak to a remote attacker over a network
>> |channel, producing a stealthy covert channel between a malicious local
>> |sender process and an external attacker."
>> 
>
> I haven't looked too closely but the QueryWorkingSetEx requires a process with PROCESS_QUERY_INFORMATION and PROCESS_VM_READ access rights. I'd be more concerned as to why the attacker can get those rights as by that point they're already likely to be in a position to cause grief. It also looks as though the Linux issues have been fixed.
>

Once the paper is released, and we have seen the reaction to it, I suppose
that is when we will know whether it's a real threat or not.

> I suppose any highly privileged on any OS can do something similar, if the cache metadata can be extracted from the returned information.

According to the article, it appears the Windows change was to restrict
access so only more privileged programs could access the information.
Once we know the details of the attacks, I was wondering if the same
required information would be available to a low- or non-privileged
user on VMS.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
