CAIN: Silently Breaking ASLR in the Cloud

نویسندگان

  • Antonio Barresi
  • Kaveh Razavi
  • Mathias Payer
  • Thomas R. Gross
چکیده

Modern systems rely on Address-Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to protect software against memory corruption vulnerabilities. The security of ASLR depends on randomizing regions in memory which can be broken by leaking addresses. While information leaks are common for client applications, server software has been hardened to reduce such information leaks. Memory deduplication is a common feature of Virtual Machine Monitors (VMMs) that reduces the memory footprint and increases the cost-effectiveness of virtual machines (VMs) running on the same host. Memory pages with the same content are merged into one read-only memory page. Writing to these pages is expensive due to page faults caused by the memory protection, and this cost can be used by an attacker as a side-channel to detect whether a page has been shared. Leveraging this memory side-channel, we craft an attack that leaks the addressspace layouts of the neighboring VMs, and hence, defeats ASLR. Our proof-of-concept exploit, CAIN (Cross-VM ASL INtrospection) defeats ASLR of a 64-bit Windows Server 2012 victim VM in less than 5 hours (for 64-bit Linux victims the attack takes several days). Further, we show that CAIN reliably defeats ASLR, regardless of the number of victim VMs or the system load.

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

Effects of Memory Randomization, Sanitization and Page Cache on Memory Deduplication

Memory deduplication merges same-content memory pages and reduces the consumption of physical memory. It is a desirable feature for virtual machines on IaaS (Infrastructure as a Service) type cloud computing, because IaaS hosts many guest OSes which are expected to include many identical memory pages. However, some security capabilities of the guest OS modify memory contents for each execution ...

متن کامل

SGX-Shield: Enabling Address Space Layout Randomization for SGX Programs

Traditional execution environments deploy Address Space Layout Randomization (ASLR) to defend against memory corruption attacks. However, Intel Software Guard Extension (SGX), a new trusted execution environment designed to serve security-critical applications on the cloud, lacks such an effective, well-studied feature. In fact, we find that applying ASLR to SGX programs raises non-trivial issu...

متن کامل

On the Effectiveness of Full-ASLR on 64-bit Linux

Address-Space Layout Randomization (ASLR) is a technique used to thwart attacks which relies on knowing the location of the target code or data. The effectiveness of ASLR hinges on the entirety of the address space layout remaining unknown to the attacker. Only executables compiled as Position Independent Executable (PIE) can obtain the maximum protection from the ASLR technique since all the s...

متن کامل

Reliability and validity of the active straight leg raise test in posterior pelvic pain since pregnancy.

STUDY DESIGN A cross-sectional analysis was performed in a group of women meeting strict criteria for posterior pelvic pain since pregnancy (PPPP). The scores on the Active Straight Leg Raise Test (ASLR test) were compared with the scores of healthy controls. OBJECTIVES To develop a new diagnostic instrument for use in patients with PPPP. The objectives of the present study were to assess the...

متن کامل

Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems

Address Space Layout Randomization is a very effective mitigation technique. The first implementation was done by the PaX team in 2001, and since then it has been the most advanced and secure. We have analyzed the PaX an Linux implementations, and found several weaknesses. We have carried out a deep review and analysis of all constraints that determine ASLR operation. Based on these results we ...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:

دوره   شماره 

صفحات  -

تاریخ انتشار 2015