Researchers from the Graz University of Technology, Boston University, NetApp, CrowdStrike, and Intel (Daniel Gruss, Erik Kraft, Trishita Tiwari, Michael Schwarz, Ari Trachtenberg, Jason Hennessey, Alex Ionescu, and Anders Fogh) disclosed a new type of side-channel attack that targets the operating system page cache. The researchers reported that the page cache attacks are hardware agnostic and target both Windows and Linux operating systems.
“The reason why some people are more afraid of page cache attacks than other cache attacks is that they are entirely hardware agnostic. This is much more interesting for attackers: write code once, run it on all the different machines, easy to integrate in malware,” Daniel Gruss tweeted.
Michael Schwarz told Security Week that they have not tested the attack against Apple’s macOS systems.
Page Cache Attacks
The researchers explained how the page cache can be exploited for both local and remote attacks. They explained that malware running on the target system can be used by attackers to leverage the page cache for various malicious activities, including bypassing security sandboxes, running timed UI redressing, and reconstructing automatically generated temporary passwords.
“We present a set of local attacks that work entirely without any timers, utilizing operating system calls (mincore on Linux and QueryWorkingSetEx on Windows) to elicit page cache information,” the researchers wrote in their paper named Page Cache Attacks.
“We also show that page cache metadata can leak to a remote attacker over a network channel, producing a stealthy covert channel between a malicious local sender process and an external attacker,” the researchers wrote.
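As an added illustration for defenders (not code from the paper or from this article), the sketch below scans Linux audit records for processes that issue bursts of mincore calls, the system call the researchers name for Linux. The audit rule, the key name pagecache_probe, the threshold, and every log line are constructed assumptions.

```python
import re
from collections import Counter

MINCORE_X86_64 = "27"    # mincore(2) syscall number on x86_64
ARCH_X86_64 = "c000003e"
THRESHOLD = 3            # assumed: calls per second per process worth reviewing

# Constructed records; assumed rule: -a always,exit -F arch=b64 -S mincore -k pagecache_probe
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1546300800.101:901): arch=c000003e syscall=27 success=yes exit=0 pid=4120 uid=1001 comm="helper" exe="/tmp/helper" key="pagecache_probe"
type=SYSCALL msg=audit(1546300800.230:902): arch=c000003e syscall=27 success=yes exit=0 pid=4120 uid=1001 comm="helper" exe="/tmp/helper" key="pagecache_probe"
type=SYSCALL msg=audit(1546300800.410:903): arch=c000003e syscall=27 success=yes exit=0 pid=4120 uid=1001 comm="helper" exe="/tmp/helper" key="pagecache_probe"
type=SYSCALL msg=audit(1546300800.780:904): arch=c000003e syscall=27 success=yes exit=0 pid=4120 uid=1001 comm="helper" exe="/tmp/helper" key="pagecache_probe"
type=SYSCALL msg=audit(1546300801.002:905): arch=c000003e syscall=27 success=yes exit=0 pid=2210 uid=0 comm="backupd" exe="/usr/bin/backupd" key="pagecache_probe"
type=SYSCALL msg=audit(1546300801.100:906): arch=c000003e syscall=257 success=yes exit=3 pid=4120 uid=1001 comm="helper" exe="/tmp/helper" key="other"
type=PATH msg=audit(1546300801.100:906): item=0 name="/etc/hosts" inode=131 mode=0100644
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAMP = re.compile(r'audit\((\d+)\.\d+:\d+\)')

def parse(line):
    """Return (epoch_second, fields) for a SYSCALL record, else None."""
    stamp = STAMP.search(line)
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if not stamp or fields.get("type") != "SYSCALL":
        return None
    return int(stamp.group(1)), fields

def flag_mincore_bursts(log, threshold=THRESHOLD):
    """List (pid, exe, uid, peak mincore calls per second) at or above threshold."""
    per_second = Counter()
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        second, f = rec
        if f.get("arch") == ARCH_X86_64 and f.get("syscall") == MINCORE_X86_64:
            per_second[(f.get("pid"), f.get("exe"), f.get("uid"), second)] += 1
    peaks = {}
    for (pid, exe, uid, _), n in per_second.items():
        key = (pid, exe, uid)
        peaks[key] = max(peaks.get(key, 0), n)
    return sorted((p, e, u, n) for (p, e, u), n in peaks.items() if n >= threshold)

if __name__ == "__main__":
    for hit in flag_mincore_bursts(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for review rather than proof of abuse, and the threshold needs tuning against each host's normal activity.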
The researchers stated that the page cache attacks do not have as much impact as the Meltdown and Spectre attacks. They have reported their findings on the new side-channel attacks to Windows and Linux developers, who have already started working on a response.
According to researcher Daniel Gruss, the vulnerability was addressed in Windows 10 Insider Preview Build 18305, although he's not sure when the patch will appear in a formal public release.