
Page Cache Attacks - MrXOR
https://arxiv.org/abs/1901.01161
======
MrXOR
Abstract:

We present a new hardware-agnostic side-channel attack that targets one of the
most fundamental software caches in modern computer systems: the operating
system page cache. The page cache is a pure software cache that contains all
disk-backed pages, including program binaries, shared libraries, and other
files, and our attacks thus work across cores and CPUs. Our side-channel
permits unprivileged monitoring of some memory accesses of other processes,
with a spatial resolution of 4KB and a temporal resolution of 2 microseconds
on Linux (restricted to 6.7 measurements per second) and 466 nanoseconds on
Windows (restricted to 223 measurements per second); this is roughly the same
order of magnitude as the current state-of-the-art cache attacks. We
systematically analyze our side channel by demonstrating different local
attacks, including a sandbox bypassing high-speed covert channel, timed user-
interface redressing attacks, and an attack recovering automatically generated
temporary passwords. We further show that we can trade off the side channel's
hardware agnostic property for remote exploitability. We demonstrate this via
a low profile remote covert channel that uses this page-cache side-channel to
exfiltrate information from a malicious sender process through innocuous
server requests. Finally, we propose mitigations for some of our attacks,
which have been acknowledged by operating system vendors and slated for future
security patches.

------
MrXOR
Kernel patch:

[https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin...](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=574823bfab82d9d8fa47f422778043fbb4b4f50e)

