sponsors
help promote
usenix conference policies
CAIN: Silently Breaking ASLR in the Cloud
Antonio Barresi, ETH Zürich; Kaveh Razavi, VU University Amsterdam; Mathias Payer, Purdue University; Thomas R. Gross, ETH Zürich
Modern systems rely on Address-Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to protect software against memory corruption vulnerabilities. The security of ASLR depends on randomizing regions in memory which can be broken by leaking addresses. While information leaks are common for client applications, server software has been hardened to reduce such information leaks.
Memory deduplication is a common feature of Virtual Machine Monitors (VMMs) that reduces the memory footprint and increases the cost-effectiveness of virtual machines (VMs) running on the same host. Memory pages with the same content are merged into one read-only memory page. Writing to these pages is expensive due to page faults caused by the memory protection, and this cost can be used by an attacker as a side-channel to detect whether a page has been shared. Leveraging this memory side-channel, we craft an attack that leaks the address space layouts of the neighboring VMs, and hence, defeats ASLR. Our proof-of-concept exploit, CAIN (Cross-VM ASL INtrospection) defeats ASLR of a 64-bit Windows Server 2012 victim VM in less than 5 hours (for 64-bit Linux victims the attack takes several days). Further, we show that CAIN reliably defeats ASLR, regardless of the number of victim VMs or the system load.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Antonio Barresi and Kaveh Razavi and Mathias Payer and Thomas R. Gross},
title = {{CAIN}: Silently Breaking {ASLR} in the Cloud},
booktitle = {9th USENIX Workshop on Offensive Technologies (WOOT 15)},
year = {2015},
address = {Washington, D.C.},
url = {https://www.usenix.org/conference/woot15/workshop-program/presentation/barresi},
publisher = {USENIX Association},
month = aug
}
connect with us