SMoTherSpectre: exploiting speculative execution through port contention
Spectre, Meltdown, and related attacks have demonstrated that kernels, hypervisors, trusted execution environments, and browsers are prone to information disclosure through micro-architectural weaknesses. However, it remains unclear as to what extent other applications, in particular those that do n...
Published in: | arXiv.org 2019-09 |
---|---|
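Main authors: | Bhattacharyya, Atri; Sandulescu, Alexandra; Neugschwandtner, Matthias; Sorniotti, Alessandro; Falsafi, Babak; Payer, Mathias; Kurmus, Anil |
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Full text |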
container_end_page | |
---|---|
container_issue | |
container_start_page | |
container_title | arXiv.org |
container_volume | |
creator | Bhattacharyya, Atri; Sandulescu, Alexandra; Neugschwandtner, Matthias; Sorniotti, Alessandro; Falsafi, Babak; Payer, Mathias; Kurmus, Anil |
description | Spectre, Meltdown, and related attacks have demonstrated that kernels, hypervisors, trusted execution environments, and browsers are prone to information disclosure through micro-architectural weaknesses. However, it remains unclear as to what extent other applications, in particular those that do not load attacker-provided code, may be impacted. It also remains unclear as to what extent these attacks are reliant on cache-based side channels. We introduce SMoTherSpectre, a speculative code-reuse attack that leverages port-contention in simultaneously multi-threaded processors (SMoTher) as a side channel to leak information from a victim process. SMoTher is a fine-grained side channel that detects contention based on a single victim instruction. To discover real-world gadgets, we describe a methodology and build a tool that locates SMoTher-gadgets in popular libraries. In an evaluation on glibc, we found hundreds of gadgets that can be used to leak information. Finally, we demonstrate proof-of-concept attacks against the OpenSSH server, creating oracles for determining four host key bits, and against an application performing encryption using the OpenSSL library, creating an oracle which can differentiate a bit of the plaintext through gadgets in libcrypto and glibc. |
doi_str_mv | 10.48550/arxiv.1903.01843 |
format | Article |
fulltext | fulltext |
identifier | EISSN: 2331-8422 |
ispartof | arXiv.org, 2019-09 |
issn | 2331-8422 |
language | eng |
recordid | cdi_arxiv_primary_1903_01843 |
source | arXiv.org; Free E- Journals |
subjects | Computer Science - Cryptography and Security; Encryption |
title | SMoTherSpectre: exploiting speculative execution through port contention |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-18T04%3A35%3A38IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_arxiv&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=SMoTherSpectre:%20exploiting%20speculative%20execution%20through%20port%20contention&rft.jtitle=arXiv.org&rft.au=Bhattacharyya,%20Atri&rft.date=2019-09-26&rft.eissn=2331-8422&rft_id=info:doi/10.48550/arxiv.1903.01843&rft_dat=%3Cproquest_arxiv%3E2188498871%3C/proquest_arxiv%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2188498871&rft_id=info:pmid/&rfr_iscdi=true |