Page Cache Attacks Raise Captured Crypto Risk

The new attack targets operating systems, not chips, and can hand criminals the keys to a company's cryptography.

A team of researchers has published a new side-channel attack that bypasses specific chips in favor of a hardware-independent, operating system-based approach. The attack, which has serious security implications but no sexy name, uses a fundamental feature of modern operating systems to gain access to data that programmers and users assume is hidden.

The attack, published in a paper entitled “Page Cache Attacks,” is effective against Windows and Linux, and possibly other operating systems. In addition, it does not rely on obscure or malformed hardware instructions: it is based on simple system calls that the operating system makes available to relatively low-privileged user accounts.

Alex Ionescu, vice president of ADR strategy at CrowdStrike, was one of the researchers who found the new vulnerability. He explains the ingredients necessary for a successful attack on a cache: “If you have the ability to

(a) Force things into the cache and then

(b) Measure or check that they are in the cache and then

(c) Potentially force them out of the cache, and then you have something interesting.”

Since the attack's data check itself takes only milliseconds, there is enough time to do things like read a number of keystrokes or the answer to a query that contains cryptographic keys in plain text.

After examining the potential impact of the vulnerability, Craig Young, computer security researcher for Tripwire's VERT (Vulnerability and Exposure Research Team), wrote to Dark Reading in an email: “The team has shown how a basic concept in modern OS architecture can be misused to create covert data channels between isolated processes, log keystroke timings, spy on random numbers.”

“The others required a great deal of sophistication and knowledge and were not for the weak of the heart,” says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. “This one is simpler and not hardware dependent, so many day-to-day criminals could use it. This one does not need a state actor; this one can be removed by regular criminals.”

The attack's ease of use, and the data it yields, are increased by application developers who take shortcuts.

The paper notes PHP frameworks that use the PHP “microtime” function as the pseudo-random seed for their cryptographic operations. Since the attack can capture both the microtime return value and the call to the cryptographic generator, an attacker can learn the basis for the encryption, which makes decryption much easier.

Ionescu says that mitigation is possible, but requires both operating system vendors and application developers to look at their code, recognize that there is a vulnerability and

And Hahad points out that these patches are good and bad news for the company.

“It will be a long time before the patches are all applied because of how people patch their OSes,” he says. “Apart from the patch, there is not much an administrator can do. It is not like there is something I can do to prevent someone from taking advantage of it. You just have to wait until the patch is released and applied as soon as possible.”
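
The microtime seeding shortcut the paper points to, shown next to a CSPRNG-based replacement, as an added example that is not code from the paper or from any framework it names. The function names and timestamps are constructed for illustration, and the example assumes 64-bit PHP 7.1 or later.

```php
<?php
// Added example. Function names and timestamps are hypothetical/constructed.

// Weak pattern: the clock reading is the only secret that goes into the token.
function weak_token(int $seedMicros): string {
    mt_srand($seedMicros);              // seed derived from microtime()
    $out = '';
    for ($i = 0; $i < 16; $i++) {
        $out .= chr(mt_rand(0, 255));   // every byte is determined by the seed
    }
    return bin2hex($out);
}

// Hardened form: bytes come from the OS CSPRNG, so there is no seed to observe.
function strong_token(): string {
    return bin2hex(random_bytes(16));
}

// Audit helper: if the moment of the microtime() call is known to within
// +/- $windowMicros, the whole seed space is 2 * $windowMicros + 1 values.
// Returns the seed that reproduces $token, or null if none does.
function find_seed(string $token, int $approxMicros, int $windowMicros): ?int {
    $from = $approxMicros - $windowMicros;
    $to   = $approxMicros + $windowMicros;
    for ($s = $from; $s <= $to; $s++) {
        if (hash_equals($token, weak_token($s))) {
            return $s;
        }
    }
    return null;
}

$issuedAt = 1700000000123456;           // constructed microsecond timestamp
$token    = weak_token($issuedAt);      // 128-bit token, seeded by the clock
$observed = $issuedAt + 350;            // constructed: timing known to ~0.35 ms
$window   = 1000;                       // search +/- 1 ms around the observation
$found    = find_seed($token, $observed, $window);

printf("weak token     : %s\n", $token);
printf("seed space     : %d candidates\n", 2 * $window + 1);
printf("seed recovered : %s\n", $found === $issuedAt ? 'yes' : 'no');
printf("strong token   : %s\n", strong_token());
```

The weak token looks like 128 bits of randomness, but its effective strength is the size of the timing window, which is why a side channel that reveals when microtime was called matters so much here.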

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.