Circumventing Memory Corruption Mitigations in the Spectre Era: Real-World Attacks and Systematic Analysis of Defenses

Author(s)
Na, Weon Taek
Advisor
Emer, Joel S.
Yan, Mengjia
Terms of use
In Copyright - Educational Use Permitted Copyright retained by author(s) https://rightsstatements.org/page/InC-EDU/1.0/
Abstract
Modern systems are becoming increasingly complex, exposing a large attack surface with vulnerabilities in both software and hardware. In the software layer, memory corruption vulnerabilities can be exploited by attackers to alter the behavior of, or take full control of, a victim program. In the hardware layer, microarchitectural side channel vulnerabilities can be exploited to leak arbitrary data within the victim program's address space. Today, it is common for security researchers to explore software and hardware vulnerabilities separately, treating the two in disjoint threat models. This thesis studies the synergies that arise at the convergence of the two threat models. In particular, the thesis first presents PACMAN, a novel attack methodology that leverages speculative execution attacks to circumvent ARM Pointer Authentication, a critical memory safety feature in many state-of-the-art ARM processors. The key insight of the PACMAN attack is that PAC verification results can be leaked via microarchitectural side channels while the crashes that a failed verification would normally cause are suppressed. The PACMAN attack removes the primary barrier to conducting control-flow hijacking attacks on a platform protected by ARM Pointer Authentication. Moreover, we show that the PACMAN attack works across privilege levels, meaning that we can attack the operating system kernel as an unprivileged user in userspace. Consequently, the discovery of the PACMAN attack calls for a drastic re-evaluation of all memory corruption mitigations under a synergistic threat model, one that encompasses both the memory corruption threat model and the side channel threat model. Driven by this need, the thesis next presents Penetrating Shields, a systematic analysis of memory corruption mitigations from both academia and industry. We start by systematizing a taxonomy of the state-of-the-art memory corruption mitigations, focusing on hardware-software co-design defenses. This taxonomy helps us identify 10 likely vulnerable defense schemes out of the 20 schemes that we analyze. Next, we develop a graph-based model to analyze the 10 likely vulnerable defenses and reason about possible countermeasures. Finally, we present three proof-of-concept attacks targeting an already-deployed mitigation mechanism and two state-of-the-art academic proposals.
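The abstract's key insight is that a pointer authentication check has a binary outcome (the PAC matches or the pointer is poisoned and a later use faults), and that an attacker who can learn that outcome without triggering the fault can enumerate PAC candidates cheaply. The following C program is an added illustration of that point, not code from the thesis or from PACMAN: it is a software model of ARM Pointer Authentication, not the hardware algorithm. It assumes 64-bit pointers with a 48-bit virtual address and a 16-bit PAC in the top bits, substitutes a toy keyed mix function for the real PAC MAC, and models authentication failure by setting bit 63 so that the pointer becomes non-canonical. The functions `pac_sign`, `pac_auth`, `pac_is_poisoned` and `brute_force_pac` are names chosen here for the example. The side channel itself (how the pass/fail outcome is observed speculatively) is outside this model; `brute_force_pac` simply contrasts how many guesses and how many would-be crashes a brute-force search costs with and without a crash-free verification oracle.

```c
// Added example: a software model of ARM Pointer Authentication (PAC).
// Assumptions (not from the page): 64-bit pointers, 48-bit virtual address
// space, 16-bit PAC in bits 63..48, toy keyed mix in place of the real MAC.
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define VA_BITS   48
#define PAC_BITS  16
#define PAC_SHIFT VA_BITS
#define PAC_MASK  (((uint64_t)1 << PAC_BITS) - 1)
#define ADDR_MASK (((uint64_t)1 << VA_BITS) - 1)

/* Toy keyed mix over (address, key, modifier). Placeholder only; it has no
 * cryptographic properties and stands in for the hardware PAC function. */
static uint64_t toy_mac(uint64_t addr, uint64_t key, uint64_t modifier) {
    uint64_t x = addr ^ key ^ (modifier * 0x9E3779B97F4A7C15ULL);
    x ^= x >> 33; x *= 0xFF51AFD7ED558CCDULL;
    x ^= x >> 33; x *= 0xC4CEB9FE1A85EC53ULL;
    x ^= x >> 33;
    return x & PAC_MASK;
}

/* Model of a sign instruction: compute the PAC over the address and store it
 * in the otherwise-unused upper bits of the pointer. */
uint64_t pac_sign(uint64_t ptr, uint64_t key, uint64_t modifier) {
    uint64_t addr = ptr & ADDR_MASK;
    return addr | (toy_mac(addr, key, modifier) << PAC_SHIFT);
}

/* Model of an authenticate instruction: on success strip the PAC and return
 * the usable address; on failure return a poisoned, non-canonical pointer
 * (bit 63 set in this model) so that a later dereference faults. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t key, uint64_t modifier) {
    uint64_t addr = signed_ptr & ADDR_MASK;
    uint64_t pac  = (signed_ptr >> PAC_SHIFT) & PAC_MASK;
    if (pac == toy_mac(addr, key, modifier))
        return addr;
    return addr | ((uint64_t)1 << 63);
}

bool pac_is_poisoned(uint64_t ptr) {
    return (ptr >> 63) & 1;
}

/* Brute-force search for the PAC of target_addr. Every failed pac_auth is
 * counted in *faults: without a crash-free oracle each one crashes the
 * victim, so the search is impractical; with an oracle that reveals the
 * verification result without dereferencing (the PACMAN setting), the same
 * loop costs at most 2^PAC_BITS silent queries. Returns the guess count. */
uint64_t brute_force_pac(uint64_t target_addr, uint64_t key, uint64_t modifier,
                         uint64_t *faults) {
    uint64_t guesses = 0;
    *faults = 0;
    for (uint64_t pac = 0; pac <= PAC_MASK; pac++) {
        uint64_t candidate = (target_addr & ADDR_MASK) | (pac << PAC_SHIFT);
        guesses++;
        if (!pac_is_poisoned(pac_auth(candidate, key, modifier)))
            break;                 /* found the one PAC that verifies */
        (*faults)++;               /* would have been a crash without an oracle */
    }
    return guesses;
}

int main(void) {
    /* Constructed sample values: a fake code address, key and modifier. */
    uint64_t addr = 0x0000aaaabbbbc000ULL, key = 0x1234ULL, mod = 0x42ULL;

    uint64_t s = pac_sign(addr, key, mod);
    printf("signed pointer        : 0x%016llx\n", (unsigned long long)s);
    printf("auth with right key   : 0x%016llx\n",
           (unsigned long long)pac_auth(s, key, mod));
    printf("auth with flipped PAC : 0x%016llx (poisoned=%d)\n",
           (unsigned long long)pac_auth(s ^ ((uint64_t)1 << PAC_SHIFT), key, mod),
           pac_is_poisoned(pac_auth(s ^ ((uint64_t)1 << PAC_SHIFT), key, mod)));

    uint64_t faults;
    uint64_t guesses = brute_force_pac(addr, key, mod, &faults);
    printf("brute force: %llu guesses, %llu would-be crashes without an oracle\n",
           (unsigned long long)guesses, (unsigned long long)faults);
    return 0;
}
```

The point the model makes is the cost asymmetry: a wrong PAC normally costs the attacker one victim crash, which is what makes a 16-bit PAC an effective barrier, whereas an oracle that reports the verification outcome without a fault reduces the barrier to a bounded number of silent queries.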
Date issued
2023-06
URI
https://hdl.handle.net/1721.1/151572
Department
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Publisher
Massachusetts Institute of Technology

Collections
  • Graduate Theses