Researchers who discovered Meltdown and Spectre develop a new attack


A group of security researchers, several of whom took part in the discovery of the original Meltdown and Spectre vulnerabilities, has developed a new type of side-channel attack.

The attack is based on analysing the contents of the page cache, which holds data obtained when the operating system accesses hard disks, SSDs and other block devices.

Unlike the Spectre attacks, the new vulnerability is not caused by a hardware flaw; it concerns only the software implementation of the page cache and manifests in Linux (CVE-2019-5489), Windows and probably many other operating systems.

By using the mincore (Linux) and QueryWorkingSetEx (Windows) system calls to determine whether a memory page is present in the system page cache, an unprivileged local attacker can trace some of the memory accesses of other processes.

The attack allows accesses to be tracked at the granularity of 4-kilobyte blocks, with a time resolution of 2 microseconds on Linux (6.7 measurements per second) and 446 nanoseconds on Windows (223 measurements per second).

The page cache accumulates quite diverse data, including fragments of executable files, shared libraries, data written to disk, memory-mapped files and other information that is normally stored on disk and used by the operating system and applications.

What is this attack about?

The attack relies on the fact that all processes share a common system page cache, and the presence or absence of information in that cache can be determined either from the difference in latency when reading data from disk or through the system calls mentioned above.

Cached pages may be mapped into an area of virtual memory used by several processes (for example, only one copy of a shared library is present in physical memory, and it is mapped into the virtual memory of different applications).

By evicting information from the page cache and repopulating it while typical data is loaded from disk, it is possible to analyse the state of the corresponding pages in the virtual memory of other applications.

The mincore and QueryWorkingSetEx system calls greatly simplify the attack, as they allow the attacker to determine immediately which memory pages of a given address range are present in the page cache.

Since the monitored block size (4 KB) is too coarse to determine the content in a single iteration, the attack can only be used for covert data transmission channels, for weakening cryptographic operations by tracking the behaviour of the algorithm, for evaluating the typical memory access patterns of known processes, for monitoring the progress of another process, or for exploiting a data layout in memory that is known to the attacker (for example, if the initial contents of the buffer used when an authentication dialog is displayed are known, the characters a user types can be inferred from the symbols that are output).

Is there a solution against this?

Yes, there is already a fix for Linux. This type of research helps to detect problems before others with harmful intentions take advantage of them.

For the Linux kernel, the solution is already available as a patch, which is described and documented here.

In the case of Windows 10, the problem was fixed in a test build (Insider Preview Build 18305).

The practical applications of the attack on a local system demonstrated by the researchers include creating a data transmission channel out of isolated environments, reconstructing on-screen interface elements (for example, authentication dialogs), determining keystrokes, and recovering automatically generated temporary passwords.

