Practical Timing Side Channel Attacks on Memory Compression
Martin Schwarzl, Pietro Borrello, Gururaj Saileshwar, Hanna Müller, Michael Schwarz, Daniel Gruss

TL;DR
This paper introduces novel timing side channel attacks on memory compression algorithms, demonstrating their practicality through remote covert channels and secret leakage in real-world applications like Memcached, PostgreSQL, and Linux ZRAM.
Contribution
It systematically analyzes timing leakage in various compression algorithms and presents Comprezzor, an evolutionary fuzzer that finds memory layouts amplifying latency differences for attacks.
Findings
Remote covert channel transmitting 643.25 bits/hour over 14 hops
Memory compression can leak secrets bytewise and via dictionary attacks
Timing side channels exist in multiple compression algorithms, enabling practical attacks.
Abstract
Compression algorithms are widely used as they save memory without losing data. However, elimination of redundant symbols and sequences in data leads to a compression side channel. So far, compression attacks have only focused on the compression-ratio side channel, i.e., the size of compressed data, and largely targeted HTTP traffic and website content. In this paper, we present the first memory compression attacks exploiting timing side channels in compression algorithms, targeting a broad set of applications using compression. Our work systematically analyzes different compression algorithms and demonstrates timing leakage in each. We present Comprezzor, an evolutionary fuzzer which finds memory layouts that lead to amplified latency differences for decompression and therefore enable remote attacks. We demonstrate a remote covert channel exploiting small local timing differences…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
