33c3 Talks – What could possibly go wrong with “insert x86 instruction here” ?

This was one of the few technical talks at 33c3 I managed to see, by that I mean live-stream during an access control shift, by Clémentine Maurice and Moritz Lipp.

The talk gave an overview of some already known possible information leaks by abusing certain x86 instructions(the same concept applies to ARM too though) and demonstrating the various ways an attacker could use them. They started off by quickly explaining how the caches on modern CPUs are set up and how they work and how you can exploit the timing differences in memory accesses to leak data without actually knowing the content of the cache. This data leak can then be used to establish a covert channel.

One possible attack using a covert channel is, bypassing the app permission model in modern smartphones using two seemingly benign(in terms of their permissions) but malicious apps. For example the first app is allowed to access potentially sensitive data (like pictures) but lacks any other permissions that could allow it to exfiltrate that data (like Wifi or mobile connectivity). The second app in turn only has the capability to access the internet, but is forbidden to access any sensitive data on the device. If those two apps now establish a covert channel using cache attacks they can transfer data from the app that can access the sensitive data to the app that is able to exfiltrate the data, thus bypassing the permission model. Another practical attack they touched on was using a cache attack across VMs using a technique that does not rely on shared memory, which is another huge issue in cloud environments and is mostly disabled, with error detection and correction to establish a working SSH connection between 2 VMs on Amazon EC2 that lacked any network connection between them. The details on how this was implemented are found in the paper “Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud”.

The other application of cache attacks they showed was leaking the AES key by exploiting the T-Tables implementation which has the flaw that with a known plaintext you just need the table indices accessed in the first AES round to recover the key which is exactly what cache attacks make possible. In theory this attack is from 2006 and should be fixed 10 years later, the reality is that the e.g Bouncy Castle on Android still defaults to this AES implementation.

The third application they demoed was the ability to spy on keystrokes on smartphones without needing any permissions.

The highlight of their talk was the new cache attack called Flush+Flush that relies solely on the clflush instructions and the timing leakage in it. The attack does not require to access the main memory and thus is more stealthy than other attacks while allowing the same attacks as previously shown.

All in all it was a nice introduction into cache attacks and I’d recommend it to anyone interested in getting started with this topic.