[Info-vax] Page cache side-channel attack revealed
John Reagan
xyzzy1959 at gmail.com
Mon Jan 7 09:06:30 EST 2019
On Monday, January 7, 2019 at 8:28:10 AM UTC-5, Simon Clubley wrote:
> On 2019-01-07, Brian_R <brian.a.reiter at gmail.com> wrote:
> >
> >>
> >> |"We present a set of local attacks that work entirely without any timers,
> >> |utilizing operating system calls (mincore on Linux and QueryWorkingSetEx on
> >> |Windows) to elicit page cache information," wrote the researchers. "We also
> >> |show that page cache metadata can leak to a remote attacker over a network
> >> |channel, producing a stealthy covert channel between a malicious local
> >> |sender process and an external attacker."
> >>
> >
> > I haven't looked too closely but the QueryWorkingSetEx requires a process with PROCESS_QUERY_INFORMATION and PROCESS_VM_READ access rights. I'd be more concerned as to why the attacker can get those rights as by that point they're already likely to be in a position to cause grief. It also looks as though the linux issues have been fixed.
> >
>
> Once the paper is released, and we have seen the reaction to it, I suppose
> that is when we will know whether it's a real threat or not.
>
> > I suppose any highly privileged on any OS can do something similar, if the cache metadata can be extracted from the returned information.
>
> According to the article, it appears the Windows change was to restrict
> access so only more privileged programs could access the information.
> Once we know the details of the attacks, I was wondering if the same
> required information would be available to a low or none privileged
> user on VMS.
>
> Simon.
>
> --
> Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
> Microsoft: Bringing you 1980s technology to a 21st century world
Unless you have GROUP or WORLD, you are restricted from asking, but SHOW SYSTEM and MONITOR PROCESS do give some coarse information.
$ pipe show system | search sys$pipe security_server
2122B0AB SECURITY_SERVER HIB 10 151 0 00:00:25.03 509 694
$ show proc/id=2122B0AB
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
$ write sys$output f$getjpi("2122B0AB","wsextent")
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
\WSEXTENT\
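For comparison with the DCL probes above, here is the Linux side of the same question in code. This is an added example written for this page, not code from the thread or from the paper's authors. It shows what mincore() reports for memory the caller owns, and gives an administrator a quick check of whether the running kernel applies the mincore restriction that followed this disclosure (as I understand that change: a caller that neither owns a file nor could open it for writing gets every page reported as resident, so the call carries no page-cache information). The temp-file path, the choice of /etc/passwd as a readable file the caller does not own, and the beyond-EOF heuristic in main() are all assumptions of this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Number of pages in [addr, addr+len) that mincore() reports as resident,
 * or -1 on error. Bit 0 of each vector byte is the residency flag. */
long resident_pages(void *addr, size_t len)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    size_t npages = (len + pg - 1) / pg;
    unsigned char *vec = calloc(npages, 1);
    if (vec == NULL)
        return -1;
    if (mincore(addr, len, vec) != 0) {
        free(vec);
        return -1;
    }
    long n = 0;
    for (size_t i = 0; i < npages; i++)
        n += vec[i] & 1;
    free(vec);
    return n;
}

/* Anonymous memory: touch every other page of an npages mapping and return
 * how many pages mincore() then reports as resident. Only touched pages are
 * backed by frames, so for npages = 8 the expected answer is 4. */
long anon_demo(int npages)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = (size_t)npages * pg;
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    for (int i = 0; i < npages; i += 2)
        p[(size_t)i * pg] = 1;
    long n = resident_pages(p, len);
    munmap(p, len);
    return n;
}

/* Map `path` read-only and return how many of its first npages pages
 * mincore() reports as resident (-1 on error). The mapping is never touched,
 * so anything reported comes from page-cache metadata, not from this process. */
long file_probe(const char *path, int npages)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = (size_t)npages * pg;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    void *p = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, 0);
    close(fd);
    if (p == MAP_FAILED)
        return -1;
    long n = resident_pages(p, len);
    munmap(p, len);
    return n;
}

/* Owned file: write npages pages to a fresh temp file (which places them in
 * the page cache) and probe it. The caller owns the file, so residency is
 * reported on every kernel; expected result for npages = 8 is 8. */
long owned_file_demo(int npages)
{
    char path[] = "/tmp/mincore-demo-XXXXXX";   /* constructed temp file name */
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unsigned char *buf = malloc(pg);
    if (buf == NULL) { close(fd); unlink(path); return -1; }
    memset(buf, 0x41, pg);
    for (int i = 0; i < npages; i++) {
        if (write(fd, buf, pg) != (ssize_t)pg) {
            free(buf); close(fd); unlink(path); return -1;
        }
    }
    free(buf);
    close(fd);
    long n = file_probe(path, npages);
    unlink(path);
    return n;
}

int main(void)
{
    printf("anonymous mapping, 8 pages, 4 touched: %ld resident\n", anon_demo(8));
    printf("owned temp file, 8 pages just written: %ld resident\n", owned_file_demo(8));

    /* Defender's check on a file this user can read but (normally) does not
     * own. Map one page more than the file occupies: a page past EOF cannot
     * genuinely be in the page cache, so if it is still reported resident the
     * kernel is masking residency for this caller (no leak). Running as root
     * passes the ownership/capability test, so root sees real state. */
    const char *sys_file = "/etc/passwd";       /* assumed to exist */
    struct stat st;
    if (stat(sys_file, &st) == 0) {
        size_t pg = (size_t)sysconf(_SC_PAGESIZE);
        int file_pages = (int)((st.st_size + (off_t)pg - 1) / (off_t)pg);
        long n = file_probe(sys_file, file_pages + 1);
        printf("%s: %d file pages + 1 past EOF, %ld reported resident -> %s\n",
               sys_file, file_pages, n,
               n == file_pages + 1 ? "kernel masks page-cache residency for this caller"
                                   : "real page-cache residency is exposed to this caller");
    }
    return 0;
}
```

The first two probes are deterministic and show the primitive the paper relies on; the third is only a heuristic, and on a kernel without the restriction it will report whatever the cache actually holds.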