Conference papers

Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features

Abstract: Double-fetch bugs are a special type of race condition, where an unprivileged execution thread is able to change a memory location between the time-of-check and time-of-use of a privileged execution thread. If an unprivileged attacker changes the value at the right time, the privileged operation becomes inconsistent, leading to a change in control flow, and thus an escalation of privileges for the attacker. More severely, such double-fetch bugs can be introduced by the compiler, entirely invisible on the source-code level. We propose novel techniques to efficiently detect, exploit, and eliminate double-fetch bugs. We demonstrate the first combination of state-of-the-art cache attacks with kernel-fuzzing techniques to allow fully automated identification of double fetches. We demonstrate the first fully automated reliable detection and exploitation of double-fetch bugs, making manual analysis as in previous work superfluous. We show that cache-based triggers outperform state-of-the-art exploitation techniques significantly, leading to an exploitation success rate of up to 97 %. Our modified fuzzer automatically detects double fetches and automatically narrows down this candidate set for double-fetch bugs to the exploitable ones. We present the first generic technique based on hardware transactional memory, to eliminate double-fetch bugs in a fully automated and transparent manner. We extend defensive programming techniques by retrofitting arbitrary code with automated double-fetch prevention, both in trusted execution environments as well as in syscalls, with a performance overhead below 1 %.
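To make the time-of-check/time-of-use pattern described in the abstract concrete, the following is an added example (not code from the paper or its authors): a constructed, single-process simulation of a syscall handler that reads a length field from user-controlled memory. The racing unprivileged thread is modelled by a hook called between the two fetches, so the outcome is deterministic. All names (handle_double_fetch, handle_single_fetch, flip_len, KBUF_SIZE) are hypothetical; the hardened variant uses a single volatile read to stand in for a one-shot copy such as READ_ONCE/copy_from_user, which also keeps the compiler from re-loading the field and re-introducing the double fetch.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a fixed-size kernel buffer and a user-supplied
 * message whose header carries the length the kernel must validate. */
#define KBUF_SIZE 64

struct user_msg {
    uint32_t len;           /* controlled by the unprivileged caller */
    uint8_t  data[1024];
};

/* Stand-in for the racing unprivileged thread. It is invoked exactly
 * once, between the check and the use, to model the race window. */
typedef void (*race_hook_t)(struct user_msg *um);

/* Vulnerable handler: um->len is fetched twice from user memory, once
 * for the bounds check and again for the copy. Returns the byte count
 * that would be copied into kbuf, or -1 if the check rejected it. The
 * copy itself is omitted so the overflow is observable without
 * actually corrupting memory. */
int handle_double_fetch(struct user_msg *um, race_hook_t race)
{
    if (um->len > KBUF_SIZE)        /* first fetch: time-of-check */
        return -1;
    if (race)
        race(um);                   /* attacker changes len here */
    uint32_t n = um->len;           /* second fetch: time-of-use */
    return (int)n;                  /* may now exceed KBUF_SIZE */
}

/* Hardened handler: the header is read from user memory exactly once
 * into kernel-owned storage; check and use both operate on that copy.
 * The volatile cast prevents the compiler from silently re-reading
 * um->len later, which is the compiler-introduced variant the
 * abstract warns about. */
int handle_single_fetch(struct user_msg *um, race_hook_t race)
{
    uint32_t len = *(volatile uint32_t *)&um->len;  /* the only fetch */
    if (len > KBUF_SIZE)
        return -1;
    if (race)
        race(um);                   /* user memory changes, harmlessly */
    return (int)len;                /* still the validated value */
}

/* Whether a returned byte count would overrun the kernel buffer. */
int would_overflow(int n)
{
    return n > KBUF_SIZE;
}

/* Constructed attacker behaviour: enlarge len after the check passed. */
static void flip_len(struct user_msg *um)
{
    um->len = 1000;
}

/* Runs both handlers under the same race and returns 1 if only the
 * double-fetch variant overflows, which is the expected outcome. */
int demo(void)
{
    struct user_msg um = { .len = 16 };
    int vuln = handle_double_fetch(&um, flip_len);
    um.len = 16;
    int safe = handle_single_fetch(&um, flip_len);
    printf("double fetch copies %d bytes (overflow=%d)\n", vuln, would_overflow(vuln));
    printf("single fetch copies %d bytes (overflow=%d)\n", safe, would_overflow(safe));
    return would_overflow(vuln) && !would_overflow(safe);
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

Without the race hook both handlers behave identically, which is why such bugs survive testing and why the paper pairs fuzzing with a cache-based trigger to find the window. The hardened form is the same discipline the abstract describes for syscalls and enclaves: fetch untrusted input once, then reason only about the private copy.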
Document type: Conference papers

Cited literature: 80 references

https://hal.inria.fr/hal-01872558
Contributor: Clémentine Maurice
Submitted on: Wednesday, September 12, 2018 - 11:30:09 AM
Last modification on: Saturday, May 8, 2021 - 3:38:28 AM
Long-term archiving on: Thursday, December 13, 2018 - 1:42:23 PM

File

double_fetch.pdf
Files produced by the author(s)

Citation

Michael Schwarz, Daniel Gruss, Moritz Lipp, Clémentine Maurice, Thomas Schuster, et al.. Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features. Asia Conference on Computer and Communications Security, AsiaCCS 2018, Jun 2018, Incheon, South Korea. ⟨10.1145/3196494.3196508⟩. ⟨hal-01872558⟩
