Page Cache Attacks

TL;DR

This paper introduces a novel hardware-agnostic side-channel attack on the operating system page cache, enabling unprivileged monitoring of other processes' memory accesses across cores and CPUs, with practical implications for security.

Contribution

It presents a new page cache side-channel attack that works across cores and CPUs, demonstrating various local and remote exploits, and discusses mitigations adopted by OS vendors.

Findings

Achieves 4KB spatial resolution and microsecond temporal resolution in monitoring

Demonstrates sandbox bypass and password recovery attacks

Develops a remote covert channel exploiting the page cache side-channel

Abstract

We present a new hardware-agnostic side-channel attack that targets one of the most fundamental software caches in modern computer systems: the operating system page cache. The page cache is a pure software cache that contains all disk-backed pages, including program binaries, shared libraries, and other files, and our attacks thus work across cores and CPUs. Our side-channel permits unprivileged monitoring of some memory accesses of other processes, with a spatial resolution of 4KB and a temporal resolution of 2 microseconds on Linux (restricted to 6.7 measurements per second) and 466 nanoseconds on Windows (restricted to 223 measurements per second); this is roughly the same order of magnitude as the current state-of-the-art cache attacks. We systematically analyze our side channel by demonstrating different local attacks, including a sandbox bypassing high-speed covert channel, timed user-interface redressing attacks, and an attack recovering automatically generated temporary passwords. We further show that we can trade off the side channel's hardware agnostic property for remote exploitability. We demonstrate this via a low profile remote covert channel that uses this page-cache side-channel to exfiltrate information from a malicious sender process through innocuous server requests. Finally, we propose mitigations for some of our attacks, which have been acknowledged by operating system vendors and slated for future security patches.