https://arxiv.org/abs/2208.02093

close this message

Accessible arXiv

Do you navigate arXiv using a screen reader or other assistive
technology? Are you a professor who helps students do so? We want to
hear from you. Please consider signing up to share your insights as
we work to make arXiv even more open.

Share Insights
Skip to main content
Cornell University
We gratefully acknowledge support from
the Simons Foundation and member institutions.
 
arxiv logo > cs > arXiv:2208.02093
[                    ]

Help | Advanced Search

[All fields        ]
Search
arXiv logo
Cornell University Logo
[                    ] GO
quick links

  * Login
  * Help Pages
  * About

Computer Science > Cryptography and Security

arXiv:2208.02093 (cs)
[Submitted on 3 Aug 2022]

Title:Layered Binary Templating: Efficient Detection of Compiler- and
Linker-introduced Leakage

Authors:Martin Schwarzl, Erik Kraft, Daniel Gruss
Download PDF

    Abstract: Cache template attacks demonstrated automated leakage
    of user input in shared libraries. However, for large binaries,
    the runtime is prohibitively high. Other automated approaches
    focused on cryptographic implementations and media software but
    are not directly applicable to user input. Hence, discovering and
    eliminating all user input side-channel leakage on a cache-line
    granularity within huge code bases are impractical.
    In this paper, we present a new generic cache template attack
    technique, LBTA, layered binary templating attacks. LBTA uses
    multiple coarser-grained side channel layers as an extension to
    cache-line granularity templating to speed up the runtime of
    cache templating attacks. We describe LBTA with a variable number
    of layers with concrete side channels of different granularity,
    ranging from 64 B to 2MB in practice and in theory beyond. In
    particular the software-level page cache side channel in
    combination with the hardware-level L3 cache side channel,
    already reduces the templating runtime by three orders of
    magnitude. We apply LBTAs to different software projects and
    thereby discover data deduplication and dead-stripping during
    compilation and linking as novel security issues. We show that
    these mechanisms introduce large spatial distances in binaries
    for data accessed during a keystroke, enabling reliable leakage
    of keystrokes. Using LBTA on Chromium-based applications, we can
    build a full unprivileged cache-based keylogger. Our findings
    show that all user input to Chromium-based apps is affected and
    we demonstrate this on a selection of popular apps including
    Signal, Threema, Discord, and password manager apps like passky.
    As this is not a flaw of individual apps but the framework, we
    conclude that all apps that use the framework will also be
    affected, i.e., hundreds of apps.

Subjects: Cryptography and Security (cs.CR)
Cite as:  arXiv:2208.02093 [cs.CR]
          (or arXiv:2208.02093v1 [cs.CR] for this version)
          https://doi.org/10.48550/arXiv.2208.02093
          Focus to learn more
          arXiv-issued DOI via DataCite

Submission history

From: Martin Schwarzl [view email]
[v1] Wed, 3 Aug 2022 14:22:55 UTC (857 KB)
Full-text links:

Download:

  * PDF
  * Other formats

[by-4]
Current browse context:
cs.CR
< prev   |   next >
new | recent | 2208
Change to browse by:
cs

References & Citations

  * NASA ADS
  * Google Scholar
  * Semantic Scholar

a export bibtex citation Loading...

Bibtex formatted citation

x
[loading...          ]
Data provided by:

Bookmark

BibSonomy logo Mendeley logo Reddit logo ScienceWISE logo
(*) Bibliographic Tools

Bibliographic and Citation Tools

[ ] Bibliographic Explorer Toggle
Bibliographic Explorer (What is the Explorer?)
[ ] Litmaps Toggle
Litmaps (What is Litmaps?)
[ ] scite.ai Toggle
scite Smart Citations (What are Smart Citations?)
( ) Code & Data

Code and Data Associated with this Article

[ ] arXiv Links to Code Toggle
arXiv Links to Code & Data (What is Links to Code & Data?)
( ) Demos

Demos

[ ] Replicate Toggle
Replicate (What is Replicate?)
( ) Related Papers

Recommenders and Search Tools

[ ] Connected Papers Toggle
Connected Papers (What is Connected Papers?)
[ ] Core recommender toggle
CORE Recommender (What is CORE?)
( ) About arXivLabs

arXivLabs: experimental projects with community collaborators

arXivLabs is a framework that allows collaborators to develop and
share new arXiv features directly on our website.

Both individuals and organizations that work with arXivLabs have
embraced and accepted our values of openness, community, excellence,
and user data privacy. arXiv is committed to these values and only
works with partners that adhere to them.

Have an idea for a project that will add value for arXiv's community?
Learn more about arXivLabs and how to get involved.

Which authors of this paper are endorsers? | Disable MathJax (What is
MathJax?)

  * About
  * Help

  * Click here to contact arXiv Contact
  * Click here to subscribe Subscribe

  * Copyright
  * Privacy Policy

  * Web Accessibility Assistance
  * arXiv Operational Status
    Get status notifications via email or slack