An attack method is proposed for remotely determining fragments of server memory

A group of researchers from Graz University of Technology (TU Graz, Austria), previously known for the MDS, NetSpectre, Throwhammer and ZombieLoad attacks, has published a new side-channel attack (CVE-2021-3714) on the memory deduplication mechanism. It makes it possible to determine whether specific data is present in memory, to leak memory contents byte by byte, or to determine the memory layout in order to bypass address space layout randomization (ASLR). The new method differs from previously demonstrated attacks on deduplication in that it is carried out from an external host, using changes in the response time to requests sent by the attacker over HTTP/1 and HTTP/2 as the signal. The attack has been demonstrated against servers running Linux and Windows.

Attacks on memory deduplication use the difference in write-handling time as a leakage channel in situations where a write forces the copy-on-write (COW) mechanism to clone a deduplicated page. During operation the kernel finds identical memory pages belonging to different processes and merges them, mapping them onto a single physical page so that only one copy is stored. When one of the processes tries to modify data in a deduplicated page, a page fault occurs and the copy-on-write mechanism automatically creates a separate copy of the page, which is assigned to that process. Completing the copy takes extra time, and that measurable delay indicates that the page was shared with another process, i.e. that identical data was already present in memory.

The researchers showed that the delays caused by the COW mechanism can be observed not only locally but also by analysing changes in the time it takes for responses to arrive over the network. Several methods are proposed for determining memory contents from a remote host by analysing the processing time of requests sent over HTTP/1 and HTTP/2. Typical web applications that keep data received in requests in memory are used to place the chosen patterns on the server.

The general principle of the attack is to fill a memory page on the server with data that potentially matches the contents of a page already present on the server. The attacker then waits for the kernel to deduplicate and merge the page, modifies the copy under their control, and measures the response time to determine whether the guess was correct.
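Because the leak only exists while the kernel is actually merging pages, the first thing a defender wants to know is whether deduplication is active on a given host. The following audit script is an added example written for this article, not code from the TU Graz researchers or from the opennet.ru report. It reads the Linux KSM (kernel same-page merging) control files under `/sys/kernel/mm/ksm`, classifies the exposure, and prints the usual remediation; the sample readings embedded in it are constructed, not taken from a real machine.

```python
"""Audit Linux KSM (kernel same-page merging) exposure to deduplication timing side channels."""
from pathlib import Path

# Real sysfs location of the KSM controls on Linux (absent when CONFIG_KSM is off).
KSM_DIR = Path("/sys/kernel/mm/ksm")
# Files we read; 'run' is the switch: 0 = stopped, 1 = merging, 2 = stop and unmerge everything.
KSM_FILES = ("run", "pages_shared", "pages_sharing", "pages_unshared", "full_scans")

# Constructed sample readings (not from a real host) used when run stand-alone and in tests.
SAMPLE_MERGING = {"run": "1\n", "pages_shared": "1200\n", "pages_sharing": "48000\n",
                  "pages_unshared": "3000\n", "full_scans": "17\n"}
SAMPLE_STOPPED = {"run": "2\n", "pages_shared": "0\n", "pages_sharing": "0\n",
                  "pages_unshared": "0\n", "full_scans": "17\n"}


def read_ksm(base=KSM_DIR):
    """Read the KSM sysfs files into a {name: text} dict, or None when KSM is not built in."""
    base = Path(base)
    if not base.is_dir():
        return None
    return {name: (base / name).read_text() for name in KSM_FILES if (base / name).exists()}


def parse_ksm(files):
    """Turn raw file contents into integers; a missing or empty file counts as 0."""
    return {name: int(files.get(name, "0").strip() or 0) for name in KSM_FILES}


def assess(stats):
    """Classify exposure as 'none', 'low' or 'high' and explain why.

    'high'  : ksmd is merging and pages are currently shared (the attack precondition holds).
    'low'   : merging is on but nothing is shared yet, or merging is off but old merges
              still exist (they stay copy-on-write until the kernel unmerges them).
    'none'  : KSM absent or stopped with nothing shared.
    """
    if stats is None:
        return "none", ["KSM not built into this kernel"]
    reasons = []
    if stats["run"] == 1:
        reasons.append("ksmd is running (run=1): identical pages are being merged")
    if stats["pages_sharing"] > 0:
        reasons.append(f"{stats['pages_sharing']} pages currently share "
                       f"{stats['pages_shared']} physical pages")
    if stats["run"] == 1 and stats["pages_sharing"] > 0:
        return "high", reasons
    if stats["run"] == 1 or stats["pages_sharing"] > 0:
        return "low", reasons
    return "none", reasons or ["KSM stopped and no pages merged"]


def remediation(stats):
    """Return the shell command that stops ksmd and unmerges shared pages, or None if not needed."""
    if stats is None or (stats["run"] != 1 and stats["pages_sharing"] == 0):
        return None
    return "echo 2 > /sys/kernel/mm/ksm/run   # stop ksmd and unmerge all shared pages"


if __name__ == "__main__":
    live = read_ksm()
    for label, raw in (("this host", live),
                       ("constructed sample, merging", SAMPLE_MERGING),
                       ("constructed sample, stopped", SAMPLE_STOPPED)):
        stats = parse_ksm(raw) if raw is not None else None
        level, reasons = assess(stats)
        print(f"{label}: exposure={level}; " + "; ".join(reasons))
        fix = remediation(stats)
        if fix:
            print(f"  remediation: {fix}")
```

KSM only merges pages from regions that opted in with `madvise(MADV_MERGEABLE)`, which is what hypervisors such as QEMU/KVM do when KSM is enabled, so the `pages_sharing` counter is the honest signal of whether the precondition for this attack exists on the host. On Windows the equivalent feature is page combining, which can be inspected with `Get-MMAgent` and turned off with `Disable-MMAgent -PageCombining`.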

In the experiments, the maximum leakage rate was 34.41 bytes per hour when attacking over the Internet and 302.16 bytes per hour when attacking over a local network, which is faster than other remote side-channel data extraction methods (for comparison, NetSpectre achieves 7.5 bytes per hour).

Three working variants of the attack are presented. The first makes it possible to determine data in the memory of a web server that uses Memcached. The attack consists of loading specific data sets into Memcached storage, clearing the deduplicated block, writing the same element again, and triggering a COW copy by changing the contents of the block. In the Memcached experiment it took 166.51 seconds to determine the version of libc installed on a system running in a virtual machine.

The second variant makes it possible to find out the contents of records in the MariaDB DBMS with the InnoDB storage engine by reconstructing them byte by byte. The attack is carried out by sending specially crafted requests that produce single-byte mismatches in memory pages and analysing the response time to tell whether the guess about a byte's value was correct. The rate of such a leak is low: 1.5 bytes per hour when attacking from a local network. The advantage of the method is that it can recover memory contents that are not known in advance.

The third variant made it possible to completely bypass the KASLR protection mechanism in 4 minutes and obtain the offset of the kernel image in the memory of a virtual machine, in a situation where the address holding the offset lies in a memory page whose other data does not change. The attack was carried out from a host 14 network hops away from the target system. Code examples for the presented attacks are promised to be published on GitHub.

Source: opennet.ru
