Implementation of DDIO in Intel chips allows a network attack to detect keystrokes in an SSH session

A group of researchers from the Vrije Universiteit Amsterdam and ETH Zurich has developed a network attack technique called NetCAT (Network Cache ATtack) which, using side-channel analysis, allows an attacker to remotely determine the keys pressed by a user working in an SSH session. The problem affects only servers that use the RDMA (Remote Direct Memory Access) and DDIO (Data-Direct I/O) technologies.

Intel considers the attack difficult to carry out in practice, since it requires the attacker to have access to the local network, controlled ("sterile") conditions, and communication with the host over RDMA and DDIO, technologies that are usually deployed in isolated networks such as those in which computing clusters operate. The issue was rated Low severity (CVSS 2.6, CVE-2019-11184), and Intel recommends not enabling DDIO and RDMA on local networks that lack a security perimeter and allow untrusted clients to connect. DDIO has been used in Intel server processors since 2012 (Intel Xeon E5, E7 and SP). Systems based on AMD and other non-Intel processors are not affected, as they do not support placing network traffic data directly in the CPU cache.

The attack method is reminiscent of "Throwhammer", which allows the contents of individual bits in RAM to be changed through manipulation of network packets on systems with RDMA. The new problem is a consequence of the effort to minimize latency with the DDIO mechanism, which lets the network card and other peripheral devices interact directly with the processor cache (while the network card's packets are processed, the data is placed in and read from the cache without going through main memory).

Thanks to DDIO, data generated by an attacker's network activity therefore also ends up in the processor cache. The NetCAT attack relies on the fact that network cards actively cache data, and that the packet rate achievable on modern local networks is sufficient both to influence how the cache fills and to determine whether particular data is present in the cache by analysing transmission delays.

In interactive sessions such as SSH, a network packet is sent immediately after each key press, so the delays between packets correlate with the delays between keystrokes. Using statistical analysis, and taking into account that the interval between keystrokes usually depends on the positions of the keys on the keyboard, the typed input can be reconstructed with a certain probability. For example, most people type "s" after "a" much faster than "g" after "s".
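As an added example (not part of the original article and not the NetCAT researchers' code), the following Python sketch shows the inference step described above: given the arrival times of the SSH packets, it computes the inter-keystroke gaps and ranks candidate strings by how well their bigram timing profile explains those gaps. The bigram model, the packet timestamps and the candidate strings are all constructed for illustration; a real attack would fit the model from training data on the victim or on typical typists.

```python
import math

# Constructed bigram timing model: (mean, std-dev) in milliseconds of the
# delay between typing the first and the second character.  The numbers are
# illustrative only; a real attack fits them from training data.
BIGRAM_MODEL = {
    ("a", "s"): (90.0, 20.0),   # neighbouring keys, same hand: fast
    ("s", "g"): (160.0, 35.0),  # same hand, further apart: slower
    ("a", "g"): (170.0, 35.0),
    ("s", "e"): (120.0, 25.0),
    ("g", "e"): (130.0, 30.0),
    ("e", "s"): (110.0, 25.0),
}
DEFAULT_BIGRAM = (150.0, 50.0)  # fallback for bigrams the model does not know


def keystroke_gaps(packet_times_ms):
    """Inter-arrival times of consecutive SSH packets (one packet per key)."""
    return [later - earlier
            for earlier, later in zip(packet_times_ms, packet_times_ms[1:])]


def log_likelihood(candidate, gaps):
    """Gaussian log-likelihood of the observed gaps if `candidate` was typed."""
    if len(candidate) != len(gaps) + 1:
        return float("-inf")  # wrong length: cannot have produced these packets
    total = 0.0
    for (first, second), gap in zip(zip(candidate, candidate[1:]), gaps):
        mean, sigma = BIGRAM_MODEL.get((first, second), DEFAULT_BIGRAM)
        z = (gap - mean) / sigma
        total += -0.5 * z * z - math.log(sigma * math.sqrt(2.0 * math.pi))
    return total


def rank_candidates(packet_times_ms, candidates):
    """Return the candidates ordered from most to least plausible."""
    gaps = keystroke_gaps(packet_times_ms)
    return sorted(candidates, key=lambda c: log_likelihood(c, gaps), reverse=True)


if __name__ == "__main__":
    # Constructed observation: three SSH packets seen at 0, 92 and 255 ms.
    observed = [0.0, 92.0, 255.0]
    print(keystroke_gaps(observed))                          # [92.0, 163.0]
    print(rank_candidates(observed, ["sag", "ags", "asg"]))  # 'asg' ranks first
```

The scoring treats each bigram gap as an independent Gaussian, which is enough to show why "a then s" followed by "s then g" fits a 92 ms / 163 ms pair far better than the other orderings; a practical attack would combine this with a dictionary or language model and many more observed keystrokes.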

The information stored in the processor cache also makes it possible to determine the exact time at which the network card processed packets for connections such as SSH. By generating a particular traffic pattern, an attacker can determine when new data associated with certain activity on the system appears in the cache. To analyse the cache contents, the Prime+Probe method is used: the attacker fills the cache with a reference set of values and measures the access time to them when re-reading, to detect which of them have been evicted.
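As an added example (not the article's or the researchers' code), here is a small Python simulation of the Prime+Probe step on a single cache set with LRU replacement. In the NetCAT paper the attacker's lines are locations in an RDMA-readable buffer on the server that all map to the monitored cache set, and the victim access is the network card writing an incoming SSH packet into the DDIO-reserved cache ways; the article above does not spell out that mapping, so here both are represented by plain tags, and the hit/miss latencies are constructed constants rather than measured values. The probe reads the lines in reverse priming order so that the attacker's own misses do not cascade through the LRU set.

```python
from collections import OrderedDict


class CacheSet:
    """One W-way cache set with LRU replacement (simulation, not real hardware)."""

    HIT_NS = 40    # constructed latencies: a real attack measures these and
    MISS_NS = 120  # picks a threshold between the hit and miss clusters

    def __init__(self, ways):
        self.ways = ways
        self.lines = OrderedDict()  # tag -> None, ordered from LRU to MRU

    def access(self, tag):
        """Touch one line and return its simulated latency."""
        if tag in self.lines:
            self.lines.move_to_end(tag)  # becomes most recently used
            return self.HIT_NS
        if len(self.lines) >= self.ways:
            self.lines.popitem(last=False)  # evict the least recently used line
        self.lines[tag] = None
        return self.MISS_NS


def attacker_tags(ways):
    """The attacker's W addresses, all of which map to the monitored set."""
    return [f"attacker-{i}" for i in range(ways)]


def prime(cache, tags):
    """Fill every way of the set with attacker-controlled lines."""
    for tag in tags:
        cache.access(tag)


def probe(cache, tags):
    """Re-read the primed lines and return the total latency.

    Probing in reverse priming order means an attacker line that was evicted
    by the victim refetches over a victim line rather than over another
    attacker line, so the number of misses equals the number of distinct
    victim lines that landed in the set.
    """
    return sum(cache.access(tag) for tag in reversed(tags))


def run_round(ways, victim_tags):
    """One Prime+Probe round: prime, let the victim run, probe."""
    cache = CacheSet(ways)
    tags = attacker_tags(ways)
    prime(cache, tags)
    for tag in victim_tags:  # e.g. the NIC writing an SSH packet via DDIO
        cache.access(tag)
    return probe(cache, tags)


def victim_touched_set(ways, victim_tags):
    """True if the probe latency exceeds the all-hits baseline."""
    baseline = ways * CacheSet.HIT_NS
    return run_round(ways, victim_tags) > baseline


if __name__ == "__main__":
    print(run_round(8, []))                       # 320: eight hits, nothing evicted
    print(run_round(8, ["ssh-packet"]))           # 400: one line evicted, one miss
    print(victim_touched_set(8, ["ssh-packet"]))  # True
```

Repeating this round at a high rate gives the attacker a time series of "set touched / not touched" samples; the timestamps of the touched samples are the packet-arrival times fed into the keystroke-timing analysis.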


It is possible that the proposed technique can be used to determine not only keystrokes but also other types of confidential data that end up in the CPU cache. In principle the attack can be carried out with RDMA disabled, but without RDMA its effectiveness is reduced and it is much harder to execute. DDIO can also be used to set up a covert channel for transferring data after a server has been compromised, bypassing security monitoring systems.

Source: opennet.ru
