Side-Channel Attack Targets Windows, Linux
A research team of experts from Graz University of Technology, Boston University, NetApp, CrowdStrike, and Intel has published findings on page cache attacks. Unlike Spectre and Meltdown, this attack is a first-of-its-type, hardware-agnostic, side-channel attack that can remotely target operating systems such as Windows and Linux and effectively exfiltrate data, bypassing security precautions.
In explaining the attack, authors wrote: “Our side-channel permits unprivileged monitoring of some memory accesses of other processes, with a spatial resolution of 4KB and a temporal resolution of 2 microseconds on Linux (restricted to 6.7 measurements per second) and 466 nanoseconds on Windows (restricted to 223 measurements per second); this is roughly the same order of magnitude as the current state-of-the-art cache attacks.”
After detailing background information on hardware caches, cache attacks, and software caches, the authors provide an attack threat model in which the researchers “assume that attacker and victim have access to the same operating system page cache. On Linux, we also assume that the attacker has read access to the target page, which may be any page of any attacker-accessible file on the system.”
In addition to mitigation strategies, the researchers also stated that they responsibly disclosed the vulnerability to Microsoft, and the company said it will roll out a fix.
“This attack class presents a significantly lower complexity barrier than previous hardware-based, side-channel attacks and can easily be put into practice by threat actors, both nation-state as well as cyber-gangs,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.
“In particular, password recovery via unprivileged applications is a major worry, as it would be available to most unwanted software bundlers and other programs typically thought of as relatively harmless. There is not much that an end user can currently do to protect themselves against this type of attack except to not run any software from a shady source, even if it does not raise any antivirus flag,” said Hahad.