Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

New Software Side-Channel Attack Raises Risk for Captured Crypto

The new attack hits operating systems, not chips, and may give criminals the keys to a company's cryptography.

A new side-channel attack that bypasses specific chips for a hardware-agnostic, operating system-based approach, has been published by a team of researchers. The attack — with a serious security punch but no sexy name — takes advantage of a fundamental feature of modern operating systems to gain access to data that programmers and users assume will be hidden.

The attack, published in a paper titled "Page Cache Attacks," is effective against Windows and Linux — and possibly other operating systems. Furthermore, it doesn't rely on obscure or malformed instructions to the hardware: It is based on simple system calls available to relatively low authority user accounts through the operating system.

One of the researchers who found the new vulnerability is Alex Ionescu, vice president of ADR strategy at CrowdStrike. He explains the ingredients required for a successful attack on a cache: "If you have the ability to a) force things into the cache and then, b) measure or check that they're in the cache, and then c) potentially force evict them out of the cache, then you have something interesting." The group of academic and industry researchers who found the new vulnerability realized that caches don't just live in hardware; as Ionescu says, "Caches are everywhere in life."

The power of this new vulnerability is that it can examine and then exfiltrate data across an entire page of the cache, and data that is there for a number of milliseconds. Since the attacking data-check itself takes only milliseconds, there's enough time to do things like read a number of keystrokes or the clear-text response to a query involving cryptographic keys.

After looking at the potential impact of the vulnerability, Craig Young, computer security researcher for Tripwire's VERT (Vulnerability and Exposure Research Team), wrote in an email to Dark Reading, "The team has demonstrated how a fundamental concept in modern OS architecture can be abused to create covert data channels between isolated processes, log keystroke timings, spy on random number generators, and generally leak information from other processes as an unprivileged user."

Noting that the vulnerability is based on a legitimate system call in the affected operating systems, Young wrote, "This problem stems from overly permissive operating system designs giving unprivileged processes too much access to certain cache-related system calls."

That basis in system calls means that the vulnerability could be used by a different class of criminal than those that could potentially use something like Meltdown or Spectre. "The others required a lot of sophistication and knowledge and were not for the faint of heart," Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, says. "This one is simpler and not hardware dependent, so it could be used by a lot of day-to-day criminals. This one doesn't need a state actor; this one can be pulled off by regular criminals."

The ease of using the attack and the data it provides is increased by application developers who take shortcuts. The paper notes examples of PHP frameworks that use the PHP function "microtime" as the pseudo-random seed for their cryptographic operations. Since the attack can capture the microtime return and the call to the cryptographic generator, an attacker could learn the basis for the encryption, making decryption much easier.

Ionescu says that mitigation is possible, but it requires both operating system vendors and application developers to look at their code, acknowledge that a vulnerability exists, and patch for it. And Hahad notes that these patches are both good news and bad news for the enterprise.

"Given how people patch their OSes, it will be a long time before the patches are all applied," he says. "On the other hand, there's not much an administrator can do aside from the patch. It's not like there's something I can do proactively to prevent someone from exploiting it. You just have to wait for the patch to come out and apply it as quickly as possible."

Related content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.
CVE-2020-7222
PUBLISHED: 2020-01-18
An issue was discovered in Amcrest Web Server 2.520.AC00.18.R 2017-06-29 WEB 3.2.1.453504. The login page responds with JavaScript when one tries to authenticate. An attacker who changes the result parameter (to true) in this JavaScript code can bypass authentication and achieve limited privileges (...