Dedupe, dedupe, dedupe dedupe dedupe... Who snuck in to attack Microsoft Edge?
DRAM, dude! Rowhammer brings down secure browser
Security researchers have discovered a means to use previously unknown vulnerabilities found in in-memory deduplication to attack otherwise well-defended systems.
The well-known standard compression technique, which is ubiquitous as a way of reducing the memory footprint across virtual machines, is also a by-default feature inside the Windows 8.1 and Windows 10 operating systems.
Although it is is very useful for freeing memory, its downside is that attackers might be able to "guess" security-sensitive information.
"Deduplication maps multiple identical copies of a physical page onto a single shared copy with copy-on-write semantics," explain the researchers. As a result, a write to such a shared page triggers a page fault and is thus measurably slower than a write to a normal page.
Security papers have previously shown how an attacker might be able to craft pages on target system to exploit this timing difference in order to discover that certain pages exist in the system.
Now a team of boffins from Vrije Universiteit, Amsterdam, have taken this research further to show that such deduplication side channel attacks can be harnessed to make browser-based attacks possible.
In a paper, Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector (PDF), the researchers show how it might be possible for attackers to combine “deduplication-based primitives with a reliable Rowhammer exploit to gain arbitrary memory read and write access in the browser”.
Rowhammer involves rapidly writing and rewriting memory to force capacitor errors in DRAM that can then be exploited to gain control of the system. The hardware hack was brought to public attention by security researchers at Google Project Zero last year.
Kaveh Razavi, one of the Vrije Universiteit researchers, told El Reg: “The previously published Google exploit is very practical. What has not been shown to be practical so far is exploiting Rowhammer 'in the browser', which significantly increases its impact given that every internet user is now a potential target.”
“Deduplication is a system feature and Rowhammer is a hardware bug, and a combination of these two allows for a nasty attack that exploits a secure browser such as Microsoft Edge without relying on a software bug,” he added.
Similar attacks might be possible against cloud-based services, the researchers discovered. The Dutch team has put together a series of recommendations to defend against possible memory deduplication-based attacks, as detailed in its paper. Workarounds short of more comprehensive updates from Microsoft involve disabling memory deduplication.
“Our main recommendation at the moment is turning off memory deduplication whenever possible until Microsoft releases a patch that limits the ability of the attackers to gain insight into security-sensitive information like randomized pointers,” Razavi told El Reg.
“The problem is not in Microsoft Edge itself (since this is not a software bug). The attack is exploiting a system "feature" and a hardware bug to attack the browser without relying on any bugs in the browser itself,” he added.
Microsoft Edge has been redesigned from scratch with security in mind but the attack developed by the Vrije Universiteit researchers means that despite this, it's still possible to gain control of the browser without assuming a single bug in the browser software. “What we are showing here is that this is not enough: the rest of the system (in this case the deduplication system) can still leak enough information to make it possible to exploit prevalent hardware issues such as Rowhammer in a browser such as Edge with lots of security defences,” Razavi concluded.
The Vrije Universiteit group’s research efforts in the area remain ongoing. Early findings from the Dutch team’s research were presented at this week's IEEE Symposium on Security and Privacy conference in San Jose, California. ®