Practical Timing Side-Channel Attacks on Memory Compression

Schwarzl, Martin and Borrello, Pietro and Saileshwar, Gururaj and Müller, Hanna and Schwarz, Michael and Gruss, Daniel
(2023) Practical Timing Side-Channel Attacks on Memory Compression.
In: IEEE Symposium on Security and Privacy.
Conference: SP IEEE Symposium on Security and Privacy

[img] Text
compression_sc_sp23.pdf - Published Version
Download (430kB)

Abstract

Compression algorithms have side channels due to their data-dependent operations. So far only the compression-ratio side channel was exploited, e.g., the compressed data size. In this paper, we present Decomp+Time, the first memory compression attack exploiting a timing side channel in compression algorithms. While Decomp+Time affects a much broader set of applications than prior work, a key challenge is precisely crafting attacker-controlled compression payloads to enable the attack with sufficient resolution. We develop an evolutionary fuzzer, Comprezzor, to find effective Decomp+Time payloads that optimize latency differences and find payloads that are so effective that decompression timing can even be exploited in remote Decomp+Time attacks across the Internet. Decomp+Time has a capacity of 9.73 kB/s locally, and 10.72 bit/min across the internet (14 hops, > 700 miles). Using Comprezzor, we develop attacks that leak data byte-by-byte in four different case studies: First, we leak 1.50 bit/min from Memcached on a remote server running a PHP application. Second, we leak database records with 2.69 bit/min from PostgreSQL, managed by a Python-Flask application, over the internet. Third, we leak secrets with 49.14 bit/min locally from ZRAM-compressed pages on Linux. Fourth, we leak internal heap pointers from the V8 engine within the Google Chrome browser on a system using ZRAM. This highlights the importance of re-evaluating the use of compression on sensitive data even if the application is only reachable via a remote interface.

Item Type: Conference or Workshop Item (A Paper) (Paper)
Divisions: Michael Schwarz (MS)
Conference: SP IEEE Symposium on Security and Privacy
Depositing User: Michael Schwarz
Date Deposited: 30 Nov 2022 09:58
Last Modified: 30 Nov 2022 09:58
Primary Research Area: NRA3: Threat Detection and Defenses
URI: https://publications.cispa.saarland/id/eprint/3886

Actions

Actions (login required)

View Item View Item
CISPA is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.