Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features
Michael Schwarz, Daniel Gruss, Moritz Lipp, Clémentine Maurice, Thomas Schuster, Anders Fogh, Stefan Mangard

TL;DR
This paper introduces automated techniques leveraging modern CPU features to detect, exploit, and eliminate double-fetch bugs, significantly improving security analysis and mitigation processes with high success rates and minimal performance impact.
Contribution
It presents the first fully automated methods combining cache attacks and fuzzing for double-fetch bug detection and exploitation, and introduces a hardware transactional memory-based approach for automatic bug elimination.
Findings
Achieved up to 97% success rate in exploiting double-fetch bugs.
Developed a fully automated detection and exploitation framework.
Implemented a low-overhead (below 1%) automated prevention technique.
Abstract
Double-fetch bugs are a special type of race condition, where an unprivileged execution thread is able to change a memory location between the time-of-check and time-of-use of a privileged execution thread. If an unprivileged attacker changes the value at the right time, the privileged operation becomes inconsistent, leading to a change in control flow, and thus an escalation of privileges for the attacker. More severely, such double-fetch bugs can be introduced by the compiler, entirely invisible on the source-code level. We propose novel techniques to efficiently detect, exploit, and eliminate double-fetch bugs. We demonstrate the first combination of state-of-the-art cache attacks with kernel-fuzzing techniques to allow fully automated identification of double fetches. We demonstrate the first fully automated reliable detection and exploitation of double-fetch bugs, making manual…
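The time-of-check/time-of-use pattern the abstract describes, as an added C example that is not from the paper: a simulated privileged handler that fetches an attacker-controlled length twice from shared memory, beside the single-fetch version that copies the message once and validates only its private copy. The struct, the handler names and the grow_len stand-in for the racing unprivileged thread are constructed for illustration; the race is modelled as a deterministic callback so the result is reproducible.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define KBUF_LEN 64   /* capacity the "kernel" handler may legally fill */
/* Constructed message living in memory the unprivileged side can modify. */
struct user_msg {
    uint32_t len;       /* attacker-controlled length */
    char     data[128];
};
/* Stands in for the racing unprivileged thread, run between check and use. */
typedef void (*race_fn)(volatile struct user_msg *);
static void grow_len(volatile struct user_msg *um) { um->len = sizeof um->data; }

/* Vulnerable handler: len is fetched twice. Returns bytes copied or -1. */
int handle_double_fetch(volatile struct user_msg *um, race_fn race, char *kbuf)
{
    if (um->len > KBUF_LEN) return -1;        /* first fetch: time of check */
    if (race) race(um);                       /* attacker writes in the window */
    uint32_t n = um->len;                     /* second fetch: time of use */
    memcpy(kbuf, (const char *)um->data, n);  /* n may now exceed KBUF_LEN */
    return (int)n;
}
/* Fixed handler: copy once into private memory (as copy_from_user would),
 * then validate and use only that private copy. */
int handle_single_fetch(volatile struct user_msg *um, race_fn race, char *kbuf)
{
    struct user_msg local;
    memcpy(&local, (const void *)um, sizeof local);  /* the single fetch */
    if (race) race(um);                       /* later writes cannot reach local */
    if (local.len > KBUF_LEN) return -1;
    memcpy(kbuf, local.data, local.len);
    return (int)local.len;
}
/* Runs one scenario; kbuf is oversized so the demo itself cannot corrupt
 * memory, the return value alone shows whether the length check held. */
int run_scenario(int vulnerable, int racing, uint32_t initial_len)
{
    struct user_msg m;
    char kbuf[sizeof m.data];
    memset(&m, 'A', sizeof m);
    m.len = initial_len;
    race_fn race = racing ? grow_len : NULL;
    return vulnerable ? handle_double_fetch(&m, race, kbuf)
                      : handle_single_fetch(&m, race, kbuf);
}
int main(void) {
    printf("under race: double fetch copied %d, single fetch copied %d (limit %d)\n",
           run_scenario(1, 1, 16), run_scenario(0, 1, 16), KBUF_LEN);
}
```

The double-fetch handler passes its check on the value 16 and then copies 128 bytes, twice the limit; the single-fetch handler keeps using the validated copy and is unaffected by the concurrent write.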
