
Remote Memory-Deduplication Attacks [article]

Martin Schwarzl, Erik Kraft, Moritz Lipp, Daniel Gruss
2021 arXiv   pre-print
Memory utilization can be reduced by merging identical memory blocks into copy-on-write mappings. Previous work showed that this so-called memory deduplication can be exploited in local attacks to break ASLR, spy on other programs, and determine the presence of data, i.e., website images. All these attacks exploit memory deduplication across security domains, which in turn was disabled. However, within a security domain or on an isolated system with no untrusted local access, memory deduplication is still not considered a security risk and was recently re-enabled on Windows by default. In this paper, we present the first fully remote memory-deduplication attacks. Unlike previous attacks, our attacks require no local code execution. Consequently, we can disclose memory contents from a remote server merely by sending and timing HTTP/1 and HTTP/2 network requests. We demonstrate our attacks on deduplication both on Windows and Linux and attack widely used server software such as Memcached and InnoDB. Our side channel leaks up to 34.41 B/h over the internet, making it faster than comparable remote memory-disclosure channels. We showcase our remote memory-deduplication attack in three case studies: First, we show that an attacker can disclose the presence of data in memory on a server running Memcached. We show that this information disclosure channel can also be used for fingerprinting and detect the correct libc version over the internet in 166.51 s. Second, in combination with InnoDB, we present an information disclosure attack to leak MariaDB database records. Third, we demonstrate a fully remote KASLR break in less than 4 minutes allowing to derandomize the kernel image of a virtual machine over the Internet, i.e., 14 network hops away. We conclude that memory deduplication must also be considered a security risk if only applied within a single security domain.
arXiv:2111.08553v1 fatcat:d3wtxwkb2zfpfdttr5yb7sevem

Meltdown [article]

Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, Mike Hamburg
2018 arXiv   pre-print
The security of computer systems fundamentally relies on memory isolation, e.g., kernel address ranges are marked as non-accessible and are protected from user access. In this paper, we present Meltdown. Meltdown exploits side effects of out-of-order execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords. Out-of-order execution is an indispensable performance feature and present in a wide range of modern processors. The attack works on different Intel microarchitectures since at least 2010 and potentially other processors are affected. The root cause of Meltdown is the hardware. The attack is independent of the operating system, and it does not rely on any software vulnerabilities. Meltdown breaks all security assumptions given by address space isolation as well as paravirtualized environments and, thus, every security mechanism building upon this foundation. On affected systems, Meltdown enables an adversary to read memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer. We show that the KAISER defense mechanism for KASLR has the important (but inadvertent) side effect of impeding Meltdown. We stress that KAISER must be deployed immediately to prevent large-scale exploitation of this severe information leakage.
arXiv:1801.01207v1 fatcat:tkvyrlyuwjhlpkqdfo4wqbo53y

NetSpectre: Read Arbitrary Memory over Network [article]

Michael Schwarz and Martin Schwarzl and Moritz Lipp and Daniel Gruss
2018 arXiv   pre-print
Lipp et al. [55] showed that a transmission from out-of-order execution with single-bit covert channel can be significantly faster than a byte-wise or multi-byte covert channel in a similar attack.  ... 
arXiv:1807.10535v1 fatcat:tnlf25rd65h5hcdtxxxzu5awsm

Armageddon: Cache Attacks On Mobile Devices

Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, Stefan Mangard
2016 Zenodo  
Original publication in the Proceedings of the 25th Annual USENIX Security Symposium (USENIX Security 2016). https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/lipp  ...
doi:10.5281/zenodo.59889 fatcat:hvoa4rfdxbfv3jmmhlxusaq5zu

Primary Mediastinal Germ Cell Tumors

Caroline E. Lippe, Troy Moritz
2020 Journal of Case Reports  
Primary malignant mediastinal germ cell tumors (PMMGCT) are exceedingly rare, accounting for 1-2% of germ cell tumors. The objective of this case report is to highlight the severity and unique characteristics of this tumor. Case Report: A young, active 33-year-old male presented to a community emergency department with flu-like symptoms and hemoptysis continuously for one month. Workup noted a large anterior mediastinal mass with erosion into the sternum. Biopsy revealed a non-seminomatous germ cell tumor, with primary malignant origin in the mediastinum. Chemotherapy was initiated, which the patient has tolerated well during his first few rounds of treatment. Conclusion: PMMGCTs are rare and aggressive tumors with variable response to chemotherapy. Extensive surgery has been offered for those with resistant factors, with more complications.
doi:10.17659/01.2020.0069 fatcat:jxnyrzwrxzdzlgpf3omkaniz74

ZombieLoad: Cross-Privilege-Boundary Data Sampling [article]

Michael Schwarz, Moritz Lipp, Daniel Moghimi, Jo Van Bulck, Julian Stecklina, Thomas Prescher, Daniel Gruss
2019 arXiv   pre-print
In early 2018, Meltdown first showed how to read arbitrary kernel memory from user space by exploiting side-effects from transient instructions. While this attack has been mitigated through stronger isolation boundaries between user and kernel space, Meltdown inspired an entirely new class of fault-driven transient execution attacks. Particularly, over the past year, Meltdown-type attacks have been extended to not only leak data from the L1 cache but also from various other microarchitectural structures, including the FPU register file and store buffer. In this paper, we present the ZombieLoad attack which uncovers a novel Meltdown-type effect in the processor's previously unexplored fill-buffer logic. Our analysis shows that faulting load instructions (i.e., loads that have to be re-issued for either architectural or microarchitectural reasons) may transiently dereference unauthorized destinations previously brought into the fill buffer by the current or a sibling logical CPU. Hence, we report data leakage of recently loaded stale values across logical cores. We demonstrate ZombieLoad's effectiveness in a multitude of practical attack scenarios across CPU privilege rings, OS processes, virtual machines, and SGX enclaves. We discuss both short and long-term mitigation approaches and arrive at the conclusion that disabling hyperthreading is the only possible workaround to prevent this extremely powerful attack on current processors.
arXiv:1905.05726v1 fatcat:qoku3ghy3na7fojht7ld5o5i6a

KeyDrown: Eliminating Keystroke Timing Side-Channel Attacks [article]

Michael Schwarz, Moritz Lipp, Daniel Gruss, Samuel Weiser, Clémentine Maurice, Raphael Spreitzer, Stefan Mangard
2017 arXiv   pre-print
Therefore, the third layer protects against attacks that are mounted against the Android keyboard as shown by Lipp et al. [24] , or Multi-Prime+Probe attacks directly on the input field buffer (cf.  ... 
arXiv:1706.06381v1 fatcat:lu7gi3npcjemhixfvhw6gd6xpu

Prefetch Side-Channel Attacks: Bypassing Smap And Kernel Aslr

Daniel Gruss, Clémentine Maurice, Moritz Lipp, Stefan Mangard, Anders Fogh
2016 Zenodo  
Modern operating systems use hardware support to protect against control flow hijacking attacks such as code-injection attacks. Typically, write access to executable pages is prevented and kernel mode execution is restricted to kernel code pages only. However, current CPUs provide no protection against code-reuse attacks like ROP. ASLR is used to prevent these attacks by making all addresses unpredictable for an attacker. Hence, the kernel security relies fundamentally on preventing access to address information. We introduce Prefetch Side-Channel Attacks, a new class of generic attacks exploiting major weaknesses in prefetch instructions. This allows unprivileged attackers to obtain address information and thus compromise the entire system by defeating SMAP, SMEP, and kernel ASLR. Prefetch can fetch inaccessible privileged memory into various caches on Intel x86. It also leaks the translation-level for virtual addresses on both Intel x86 and ARMv8-A. We build three attacks exploiting these properties. Our first attack retrieves an exact image of the full paging hierarchy of a process, defeating both user space and kernel space ASLR. Our second attack resolves virtual to physical addresses to bypass SMAP on 64-bit Linux systems, enabling ret2dir attacks. We demonstrate this from unprivileged user programs on Linux and inside Amazon EC2 virtual machines. Finally, we demonstrate how to defeat kernel ASLR on Windows 10, enabling ROP attacks on kernel and driver binary code. We propose a new form of strong kernel isolation to protect commodity systems incurring an overhead of only 0.06-5.09%.
doi:10.5281/zenodo.375513 fatcat:ulpenlmxtjfwvkmx66j4bfyoma

Spectre Attacks: Exploiting Speculative Execution [article]

Paul Kocher, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom
2018 arXiv   pre-print
Modern processors use branch prediction and speculative execution to maximize performance. For example, if the destination of a branch depends on a memory value that is in the process of being read, CPUs will try to guess the destination and attempt to execute ahead. When the memory value finally arrives, the CPU either discards or commits the speculative computation. Speculative logic is unfaithful in how it executes, can access the victim's memory and registers, and can perform operations with measurable side effects. Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via a side channel to the adversary. This paper describes practical attacks that combine methodology from side channel attacks, fault attacks, and return-oriented programming that can read arbitrary memory from the victim's process. More broadly, the paper shows that speculative execution implementations violate the security assumptions underpinning numerous software security mechanisms, including operating system process separation, static analysis, containerization, just-in-time (JIT) compilation, and countermeasures to cache timing/side-channel attacks. These attacks represent a serious threat to actual systems, since vulnerable speculative execution capabilities are found in microprocessors from Intel, AMD, and ARM that are used in billions of devices. While makeshift processor-specific countermeasures are possible in some cases, sound solutions will require fixes to processor designs as well as updates to instruction set architectures (ISAs) to give hardware architects and software developers a common understanding as to what computation state CPU implementations are (and are not) permitted to leak.
arXiv:1801.01203v1 fatcat:ye2a4qiqpzhfld32mbrk7whwyi

ARMageddon: Cache Attacks on Mobile Devices [article]

Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, Stefan Mangard
2016 arXiv   pre-print
Original publication in the Proceedings of the 25th Annual USENIX Security Symposium (USENIX Security 2016). https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/lipp  ...
arXiv:1511.04897v2 fatcat:44jugt6hovgf3a4f3q2rgtk4ze

Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis

Daniel Moghimi, Moritz Lipp, Berk Sunar, Michael Schwarz
2020 USENIX Security Symposium  
to the Proceedings of the 29th USENIX Security Symposium is sponsored by USENIX.
dblp:conf/uss/MoghimiLS020 fatcat:rx3fgpsoo5ch5akhmfqvjvix4e

The Microbiology of Natural Soils [chapter]

Teri C. Balser, Devin Wixon, Lindsey K. Moritz, Laura Lipps
2010 Soil Microbiology and Sustainable Crop Production  
For example, tropical systems often have low levels of nutrients in the soil, and generally constant warm, Moritz, 2008) . (a) Total soil C and carbon:nitrogen (C/N) ratios with depth.  ...  Chloroform fumigation- extraction; seven enzyme assays; BIOLOG; PLFA Krave et al. 2002 Java, Indonesia Seasonal effects (wet and dry season) Litter + 0-10 cm mineral soil 16S rRNA DGGE Moritz  ... 
doi:10.1007/978-90-481-9479-7_2 fatcat:pevoeuu3zvgbxkwrxhyygjgwiy

Nethammer: Inducing Rowhammer Faults through Network Requests [article]

Moritz Lipp and Misiker Tadesse Aga and Michael Schwarz and Daniel Gruss and Clémentine Maurice and Lukas Raab and Lukas Lamster
2018 arXiv   pre-print
A fundamental assumption in software security is that memory contents do not change unless there is a legitimate deliberate modification. Classical fault attacks show that this assumption does not hold if the attacker has physical access. Rowhammer attacks showed that local code execution is already sufficient to break this assumption. Rowhammer exploits parasitic effects in DRAM to modify the content of a memory cell without accessing it. Instead, other memory locations are accessed at a high frequency. All Rowhammer attacks so far were local attacks, running either in a scripted language or native code. In this paper, we present Nethammer. Nethammer is the first truly remote Rowhammer attack, without a single attacker-controlled line of code on the targeted system. Systems that use uncached memory or flush instructions while handling network requests, e.g., for interaction with the network device, can be attacked using Nethammer. Other systems can still be attacked if they are protected with quality-of-service techniques like Intel CAT. We demonstrate that the frequency of the cache misses is in all three cases high enough to induce bit flips. We evaluated different bit flip scenarios. Depending on the location, the bit flip compromises either the security and integrity of the system and the data of its users, or it can leave persistent damage on the system, i.e., persistent denial of service. We investigated Nethammer on personal computers, servers, and mobile phones. Nethammer is a security landslide, making the formerly local attack a remote attack.
arXiv:1805.04956v1 fatcat:gtx2flt7lzc35hrrb75j4x6fhu

Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features [article]

Michael Schwarz, Daniel Gruss, Moritz Lipp, Clémentine Maurice, Thomas Schuster, Anders Fogh, Stefan Mangard
2017 arXiv   pre-print
An attacker using Flush+Reload as a trigger to exploit a double-fetch bug can rely on different time sources and eviction strategies as proposed by Lipp et al. [45] .  ... 
arXiv:1711.01254v1 fatcat:gjvy55elprg4xjueslr2snjeia

Long-Distance Dispersal of Plants by Vehicles as a Driver of Plant Invasions

MORITZ VON DER LIPPE, INGO KOWARIK
2007 Conservation Biology  
Roadsides are preferential migration corridors for invasive plant species and can act as starting points for plant invasions into adjacent habitats. Rapid spread and interrupted distribution patterns of introduced plant species indicate long-distance dispersal along roads. The extent to which this process is due to species' migration along linear habitats or, alternatively, to seed transport by vehicles has not yet been tested systematically. We tested this by sampling seeds inside long tunnels to exclude nontraffic dispersal. Vehicles transported large amounts of seeds. The annual seed rain caused by vehicles on the roadsides of five different tunnel lanes within three tunnels along a single urban motorway in Berlin, Germany, ranged from 635 to 1579 seeds/m²/year. Seeds of non-native species accounted for 50.0% of the 204 species and 54.4% of the total 11,818 seeds trapped inside the tunnels. Among the samples were 39 (19.1%) highly invasive species that exhibit detrimental effects on native biodiversity in some parts of the world. By comparing the flora in the tunnel with that adjacent to the tunnel entrances we confirmed long-distance dispersal events (>250 m) for 32.3% of the sampled species. Seed sources in a radius of 100 m around the entrances of the tunnels had no significant effect on species richness and species composition of seed samples from inside the tunnels, indicating a strong effect of long-distance dispersal by vehicles. Consistently, the species composition of the tunnel seeds was more similar to the regional roadside flora of Berlin than to the local flora around the tunnel entrances. Long-distance dispersal occurred significantly more frequently in seeds of non-native (mean share 38.5%) than native species (mean share 4.1%). Our results showed that long-distance dispersal by vehicles was a routine rather than an occasional mechanism. Dispersal of plants by vehicles will thus accelerate plant invasions and induce rapid changes in biodiversity patterns.
Keywords: long-distance plant dispersal, plant invasions, roadside flora, seed rain, vehicle plant dispersal
Spanish title (translated): Long-Distance Dispersal of Plants by Vehicles as a Driver of Plant Invasions
Spanish abstract (translated): Roadsides are the preferential migration corridors of invasive plants and can act as starting points for the invasion of adjacent habitats. The rapid spread and interrupted distribution patterns of introduced plant species are indicators of long-distance dispersal along roads. To date, the extent to which this process is due to the migration of species along linear habitats or, alternatively, to seed transport by vehicles has not been tested systematically. We tested this by sampling seeds inside long tunnels to exclude dispersal not caused by traffic. The annual seed rain due to vehicles on the edges of five different lanes within three tunnels along an urban road in Berlin, Germany, ranged between 635 and 1579 seeds/m²/year. Seeds of exotic species made up 50.0% of the 204 species and 54.4% of the 11,818 seeds collected in the tunnels. Among the samples were 39 (19.1%) highly invasive species that have harmful effects on native biodiversity in some parts of the world. By comparing the flora of the tunnel with that adjacent to the tunnel entrances we confirmed long-distance dispersal events (>250 m) for 32.3% of the sampled species. Seed sources within a radius of 100 m around the tunnel entrances had no significant effect on the species richness and species composition of the seed samples from inside the tunnels, which indicates a strong effect of long-distance dispersal by vehicles. Consistently, the species composition of the tunnel seeds was more similar to that of the regional roadside flora than to the local flora near the tunnel entrances. Long-distance dispersal occurred significantly more frequently in seeds of non-native species (mean proportion: 38.5%) than in native species (mean proportion: 4.1%). Our results showed that long-distance dispersal by vehicles was a routine rather than an occasional mechanism. Therefore, the dispersal of plants by vehicles will accelerate plant invasions and induce rapid changes in biodiversity patterns.
Spanish keywords (translated): long-distance plant dispersal, plant dispersal by vehicles, ruderal flora, plant invasion, seed rain
doi:10.1111/j.1523-1739.2007.00722.x pmid:17650249 fatcat:7rgfqj2q45h7jfq3bpaizsaq3y