SMoTherSpectre: exploiting speculative execution through port contention

Spectre, Meltdown, and related attacks have demonstrated that kernels, hypervisors, trusted execution environments, and browsers are prone to information disclosure through micro-architectural weaknesses. However, it remains unclear as to what extent other applications, in particular those that do n...

Bibliographic details
Published in: arXiv.org 2019-09
Main authors: Bhattacharyya, Atri; Sandulescu, Alexandra; Neugschwandtner, Matthias; Sorniotti, Alessandro; Falsafi, Babak; Payer, Mathias; Kurmus, Anil
Format: Article
Language: eng
Subjects:
Online access: Full text
container_end_page
container_issue
container_start_page
container_title arXiv.org
container_volume
creator Bhattacharyya, Atri
Sandulescu, Alexandra
Neugschwandtner, Matthias
Sorniotti, Alessandro
Falsafi, Babak
Payer, Mathias
Kurmus, Anil
description Spectre, Meltdown, and related attacks have demonstrated that kernels, hypervisors, trusted execution environments, and browsers are prone to information disclosure through micro-architectural weaknesses. However, it remains unclear as to what extent other applications, in particular those that do not load attacker-provided code, may be impacted. It also remains unclear as to what extent these attacks are reliant on cache-based side channels. We introduce SMoTherSpectre, a speculative code-reuse attack that leverages port-contention in simultaneously multi-threaded processors (SMoTher) as a side channel to leak information from a victim process. SMoTher is a fine-grained side channel that detects contention based on a single victim instruction. To discover real-world gadgets, we describe a methodology and build a tool that locates SMoTher-gadgets in popular libraries. In an evaluation on glibc, we found hundreds of gadgets that can be used to leak information. Finally, we demonstrate proof-of-concept attacks against the OpenSSH server, creating oracles for determining four host key bits, and against an application performing encryption using the OpenSSL library, creating an oracle which can differentiate a bit of the plaintext through gadgets in libcrypto and glibc.
doi_str_mv 10.48550/arxiv.1903.01843
format Article
fulltext fulltext
identifier EISSN: 2331-8422
ispartof arXiv.org, 2019-09
issn 2331-8422
language eng
recordid cdi_arxiv_primary_1903_01843
source arXiv.org; Free E- Journals
subjects Computer Science - Cryptography and Security
Encryption
title SMoTherSpectre: exploiting speculative execution through port contention
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-18T04%3A35%3A38IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_arxiv&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=SMoTherSpectre:%20exploiting%20speculative%20execution%20through%20port%20contention&rft.jtitle=arXiv.org&rft.au=Bhattacharyya,%20Atri&rft.date=2019-09-26&rft.eissn=2331-8422&rft_id=info:doi/10.48550/arxiv.1903.01843&rft_dat=%3Cproquest_arxiv%3E2188498871%3C/proquest_arxiv%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2188498871&rft_id=info:pmid/&rfr_iscdi=true