Article

Practical Memory Deduplication Attacks in Sandboxed Javascript

Authors:

Stefan MangardAuthors Info & Claims

Computer Security -- ESORICS 2015: 20th European Symposium on Research in Computer Security, Vienna, Austria, September 21-25, 2015, Proceedings, Part I

Pages 108 - 122

https://doi.org/10.1007/978-3-319-24174-6_6

Published: 21 September 2015 Publication History

Abstract

Page deduplication is a mechanism to reduce the memory footprint of a system. Identical physical pages are identified across borders of virtual machines and programs and merged by the operating system or the hypervisor. However, this enables side-channel information leakage through cache or memory access time. Therefore, it is considered harmful in public clouds today, but it is still considered safe to use in a private environment, i.e., private clouds, personal computers, and smartphones.

We present the first memory-disclosure attack in sandboxed Javascript which exploits page deduplication. Unlike previous attacks, our attack does not require the victim to execute an adversary’s program, but simply to open a website which contains the adversary’s Javascript code. We are not only able to determine which applications are running, but also specific user activities, for instance, whether the user has specific websites currently opened. The attack works on servers, personal computers and smartphones, and across the borders of virtual machines.

References

[1]

Alexa Internet Inc: The top 500 sites on the web, March 2015. http://www.alexa.com/topsites

[2]

Bortz, A., Boneh, D.: Exposing private information by timing web applications. In: Williamson, C.L., Zurko, M.E., Patel-Schneider, P.F., Shenoy, P.J. (eds.) Proceedings of the 16th International Conference on World Wide Web, WWW 2007, Banff, Alberta, Canada, May 8–12, 2007. pp. 621–628. ACM (2007). http://doi.acm.org/10.1145/1242572.1242656

[3]

Felten, E.W., Schneider, M.A.: Timing attacks on web privacy. In: Gritzalis, D., Jajodia, S., Samarati, P. (eds.) CCS 2000, Proceedings of the 7th ACM Conference on Computer and Communications Security, Athens, Greece, November 1–4, 2000, pp. 25–32. ACM (2000). http://doi.acm.org/10.1145/352600.352606

[4]

Google Inc.: Android 4.4 platform optimizations. https://source.android.com/devices/tech/low-ram.html (Feb 2015)

[5]

Gullasch, D., Bangerter, E., Krenn, S.: Cache Games - Bringing Access-Based Cache Attacks on AES to Practice. In: IEEE Symposium on Security and Privacy - S&P, pp. 490–505. IEEE Computer Society (2011). https://doi.org/10.1109/SP.2011.22

[6]

International Data Corporation: Android and iOS Squeeze the Competition, February 2015. http://www.idc.com/getdoc.jsp?containerId=prUS25450615

[7]

Irazoqui, G., Eisenbarth, T., Sunar, B.: Jackpot - Stealing Information From Large Caches via Huge Pages. IACR Cryptology, p. 970, ePrint Archive 2014 (2014). http://eprint.iacr.org/2014/970

[8]

Irazoqui, G., Inci, M.S., Eisenbarth, T., Sunar, B.: Fine grain Cross-VM Attacks on Xen and VMware are possible! IACR Cryptology, p. 248, ePrint Archive 2014 (2014). http://eprint.iacr.org/2014/248

[9]

Irazoqui G, Inci MS, Eisenbarth T, and Sunar B Stavrou A, Bos H, and Portokalidis G Wait a minute! a fast, cross-VM attack on AES Research in Attacks, Intrusions and Defenses 2014 Heidelberg Springer 299-319

[10]

Karagounis, B., Sinofsky, S.: Reducing runtime memory in Windows 8, October 2011. http://blogs.msdn.com/b/b8/archive/2011/10/07/reducing-runtime-memory-in-windows-8.aspx

[11]

Net Applications.com: Desktop Operating System Market Share, February 2015. http://www.netmarketshare.com/operating-system-market-share.aspx

[12]

Oren, Y., Kemerlis, V.P., Sethumadhavan, S., Keromytis, A.D.: The Spy in the Sandbox - Practical Cache Attacks in Javascript. ArXiv e-prints, February 2015

[13]

Osvik DA, Shamir A, and Tromer E Pointcheval D Cache attacks and countermeasures: the case of AES Topics in Cryptology – CT-RSA 2006 2006 Heidelberg Springer 1-20

[14]

Owens, R., Wang, W.: Non-Interactive OS Fingerprinting Through Memory De-Duplication Technique in Virtual Machines. In: International Performance Computing and Communications Conference - IPCCC, pp. 1–8. IEEE (2011). https://doi.org/10.1109/PCCC.2011.6108094

[15]

Stone, P.: Pixel Perfect Timing Attacks with HTML5. Technical report, Context Information Security, June 2013. http://www.contextis.com/files/Browser_Timing_Attacks.pdf

[16]

Suzaki, K., Iijima, K., Yagi, T., Artho, C.: Memory Deduplication as a Threat to the Guest OS. In: European Workshop on System Security - EUROSEC, pp. 1–6. ACM (2011). http://doi.acm.org/10.1145/1972551.1972552

[17]

Warner A, Li Q, Keefe TF, and Pal SMartella G, Kurth H, Montolivo E, and Bertino ElisaThe impact of multilevel security on database buffer managementComputer Security - ESORICS 19961996HeidelbergSpringerhttp://dx.doi.org/10.1007/978-3-319-11379-1_15

[18]

Xiao, J., Xu, Z., Huang, H., Wang, H.: A covert channel construction in a virtualized environment. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) the ACM Conference on Computer and Communications Security, CCS 2012, Raleigh, NC, USA, October 16–18, 2012, pp. 1040–1042. ACM (2012). http://doi.acm.org/10.1145/2382196.2382318

[19]

Xiao, J., Xu, Z., Huang, H., Wang, H.: Security implications of memory deduplication in a virtualized environment. In: 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Budapest, Hungary, June 24–27, 2013, pp. 1–12. IEEE (2013). http://doi.ieeecomputersociety.org/10.1109/DSN.2013.6575349

[20]

Yarom, Y., Falkner, K.: FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack. In: USENIX Security Symposium, pp. 719–732. USENIX Association (2014). https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/yarom

Cited By

Ferguson EWilson ANaghibijouybari HQuek TGao DZhou JCardenas A(2024)WebGPU-SPY: Finding Fingerprints in the Sandbox through GPU Cache AttacksProceedings of the 19th ACM Asia Conference on Computer and Communications Security10.1145/3634737.3637648(158-171)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1145/3634737.3637648
Snyder PKarami SEdelstein ALivshits BHaddadi HCalandrino JTroncoso C(2023)Pool-partyProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620634(7091-7105)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620634
Liu SKanniwadi SSchwarzl MKogler AGruss DKhan SCalandrino JTroncoso C(2023)Side-channel attacks on optane persistent memoryProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620618(6807-6824)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620618
Show More Cited By

Index Terms

Practical Memory Deduplication Attacks in Sandboxed Javascript

Index terms have been assigned to the content through auto-classification.

Recommendations

Exploiting Memory Page Management in KSM for Remote Memory Deduplication Attack
Information Security Applications
Abstract
In virtualized environments, modern operating systems take advantage of memory deduplication feature to efficiently manage physical memory. However, the adoption of this technique has given rise to memory deduplication attacks that disclose memory ...
A memory-deduplication side-channel attack to detect applications in co-resident virtual machines
SAC '18: Proceedings of the 33rd Annual ACM Symposium on Applied Computing

Virtualization offers the possibility of hosting services of multiple customers on shared hardware. When more than one Virtual Machine (VM) run on the same host, memory deduplication can save physical memory by merging identical pages of the VMs. ...
Towards Efficient Hugepage-aware Memory Deduplication
WORDS '23: Proceedings of the 4th Workshop on Resource Disaggregation and Serverless

Memory deduplication techniques aim to reduce memory consumption by sharing redundant memory pages. Additionally, hugepages are commonly employed to optimize performance by minimizing TLB misses. However, the simultaneous use of memory deduplication and ...

Comments

Information & Contributors

Information

Published In

cover image Guide Proceedings

Computer Security -- ESORICS 2015: 20th European Symposium on Research in Computer Security, Vienna, Austria, September 21-25, 2015, Proceedings, Part I

Sep 2015

533 pages

ISBN:978-3-319-24173-9

DOI:10.1007/978-3-319-24174-6

Editors:
Günther Pernul
https://ror.org/01eezs655University of Regensburg, Regensburg, Germany
,
Peter Y A Ryan
https://ror.org/036x5ad56University of Luxembourg, Luxembourg, Luxembourg
,
Edgar Weippl
https://ror.org/05nny6x17SBA Research, Wien, Austria

© Springer International Publishing Switzerland 2015.

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 21 September 2015

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

15
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 04 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Ferguson EWilson ANaghibijouybari HQuek TGao DZhou JCardenas A(2024)WebGPU-SPY: Finding Fingerprints in the Sandbox through GPU Cache AttacksProceedings of the 19th ACM Asia Conference on Computer and Communications Security10.1145/3634737.3637648(158-171)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1145/3634737.3637648
Snyder PKarami SEdelstein ALivshits BHaddadi HCalandrino JTroncoso C(2023)Pool-partyProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620634(7091-7105)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620634
Liu SKanniwadi SSchwarzl MKogler AGruss DKhan SCalandrino JTroncoso C(2023)Side-channel attacks on optane persistent memoryProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620618(6807-6824)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620618
Bae SKim TLee WShin Y(2023)Exploiting Memory Page Management in KSM for Remote Memory Deduplication AttackInformation Security Applications10.1007/978-981-99-8024-6_19(244-256)Online publication date: 23-Aug-2023
https://dl.acm.org/doi/10.1007/978-981-99-8024-6_19
Cronin PGao XWang HCotton C(2021)An Exploration of ARM System-Level Cache and GPU Side ChannelsProceedings of the 37th Annual Computer Security Applications Conference10.1145/3485832.3485902(784-795)Online publication date: 6-Dec-2021
https://dl.acm.org/doi/10.1145/3485832.3485902
Polychronou NThevenon PPuys MBeroulle V(2021)A Comprehensive Survey of Attacks without Physical Access Targeting Hardware Vulnerabilities in IoT/IIoT Devices, and Their Detection MechanismsACM Transactions on Design Automation of Electronic Systems10.1145/347193627:1(1-35)Online publication date: 13-Sep-2021
https://dl.acm.org/doi/10.1145/3471936
Diamantaris MMarcantoni FIoannidis SPolakis J(2020)The Seven Deadly Sins of the HTML5 WebAPIACM Transactions on Privacy and Security10.1145/340394723:4(1-31)Online publication date: 6-Jul-2020
https://dl.acm.org/doi/10.1145/3403947
Tsai PSanchez AFletcher CSanchez DLarus JCeze LStrauss K(2020)Safecracker: Leaking Secrets through Compressed CachesProceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems10.1145/3373376.3378453(1125-1140)Online publication date: 9-Mar-2020
https://dl.acm.org/doi/10.1145/3373376.3378453
Kumar T SMishra DPanda BDeshmukh N(2019)CoWLightProceedings of the 8th International Workshop on Hardware and Architectural Support for Security and Privacy10.1145/3337167.3337170(1-8)Online publication date: 23-Jun-2019
https://dl.acm.org/doi/10.1145/3337167.3337170
Gulmezoglu BZankl ATol MIslam SEisenbarth TSunar BGalbraith SRussello GSusilo WGollmann DKirda ELiang Z(2019)Undermining User Privacy on Mobile Devices Using AIProceedings of the 2019 ACM Asia Conference on Computer and Communications Security10.1145/3321705.3329804(214-227)Online publication date: 2-Jul-2019
https://dl.acm.org/doi/10.1145/3321705.3329804
Show More Cited By

View Options

View options

Figures

Tables

Media

View Table of Conten