Speculative Probing: Hacking Blind in the Spectre Era

Published: 02 November 2020

Abstract

To defeat ASLR or more advanced fine-grained and leakage-resistant code randomization schemes, modern software exploits rely on information disclosure to locate gadgets inside the victim's code. In the absence of such info-leak vulnerabilities, attackers can still hack blind and derandomize the address space by repeatedly probing the victim's memory while observing crash side effects, but doing so is only feasible for crash-resistant programs. However, high-value targets such as the Linux kernel are not crash-resistant. Moreover, the anomalously large number of crashes is often easily detectable. In this paper, we show that the Spectre era enables an attacker armed with a single memory corruption vulnerability to hack blind without triggering any crashes. Using speculative execution for crash suppression allows the elevation of basic memory write vulnerabilities into powerful speculative probing primitives that leak through microarchitectural side effects. Such primitives can repeatedly probe victim memory and break strong randomization schemes without crashes and bypass all deployed mitigations against Spectre-like attacks. The key idea behind speculative probing is to break Spectre mitigations using memory corruption and resurrect Spectre-style disclosure primitives to mount practical blind software exploits. To showcase speculative probing, we target the Linux kernel, a crash-sensitive victim that has so far been out of reach of blind attacks, mount end-to-end exploits that compromise the system with just-in-time code reuse and data-only attacks from a single memory write vulnerability, and bypass strong Spectre and strong randomization defenses. Our results show that it is crucial to consider synergies between different (Spectre vs. code reuse) threat models to fully comprehend the attack surface of modern systems.



    Published In

    CCS '20: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security
    October 2020, 2180 pages
    ISBN: 9781450370899
    DOI: 10.1145/3372297

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. code-reuse attacks
    2. speculative execution

    Cited By

    • (2024) Shesha. Proceedings of the 33rd USENIX Conference on Security Symposium, 595-612. doi:10.5555/3698900.3698934. Online publication date: 14-Aug-2024
    • (2024) Eclipse: Preventing Speculative Memory-error Abuse with Artificial Data Dependencies. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, 3913-3927. doi:10.1145/3658644.3690201. Online publication date: 2-Dec-2024
    • (2024) SysBumps: Exploiting Speculative Execution in System Calls for Breaking KASLR in macOS for Apple Silicon. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, 64-78. doi:10.1145/3658644.3690189. Online publication date: 2-Dec-2024
    • (2024) On Kernel's Safety in the Spectre Era (And KASLR is Formally Dead). Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, 1091-1105. doi:10.1145/3658644.3670332. Online publication date: 2-Dec-2024
    • (2024) Sticky Tags: Efficient and Deterministic Spatial Memory Error Mitigation using Persistent Memory Tags. 2024 IEEE Symposium on Security and Privacy (SP), 4239-4257. doi:10.1109/SP54263.2024.00263. Online publication date: 19-May-2024
    • (2024) Leaky Address Masking: Exploiting Unmasked Spectre Gadgets with Noncanonical Address Translation. 2024 IEEE Symposium on Security and Privacy (SP), 3773-3788. doi:10.1109/SP54263.2024.00158. Online publication date: 19-May-2024
    • (2024) Perspective: A Principled Framework for Pliable and Secure Speculation in Operating Systems. 2024 ACM/IEEE 51st Annual International Symposium on Computer Architecture (ISCA), 739-755. doi:10.1109/ISCA59077.2024.00059. Online publication date: 29-Jun-2024
    • (2023) Phantom: Exploiting Decoder-detectable Mispredictions. Proceedings of the 56th Annual IEEE/ACM International Symposium on Microarchitecture, 49-61. doi:10.1145/3613424.3614275. Online publication date: 28-Oct-2023
    • (2023) Quarantine: Mitigating Transient Execution Attacks with Physical Domain Isolation. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, 207-221. doi:10.1145/3607199.3607248. Online publication date: 16-Oct-2023
    • (2023) FineIBT: Fine-grain Control-flow Enforcement with Indirect Branch Tracking. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, 527-546. doi:10.1145/3607199.3607219. Online publication date: 16-Oct-2023
