Layered Binary Templating: Efficient Detection of Compiler- and Linker-introduced Leakage
Martin Schwarzl, Erik Kraft, Daniel Gruss

TL;DR
This paper introduces LBTA, a layered cache templating attack that significantly speeds up cache side-channel analysis, revealing widespread user input leakage in Chromium-based applications and other software frameworks.
Contribution
The paper presents LBTA, a novel multi-layer cache templating attack that combines coarse and fine-grained side channels to efficiently detect user input leakage in large binaries.
Findings
LBTA reduces the runtime of cache templating by roughly three orders of magnitude compared with cache-line-granularity templating alone.
It identifies two compiler- and linker-level optimizations, data deduplication and dead-stripping, as sources of side-channel leakage (the compiler- and linker-introduced leakage of the title).
It finds that user input in Chromium-based applications is exposed to cache-based keylogging.
Abstract
Cache template attacks demonstrated automated leakage of user input in shared libraries. However, for large binaries, the runtime is prohibitively high. Other automated approaches focused on cryptographic implementations and media software but are not directly applicable to user input. Hence, discovering and eliminating all user input side-channel leakage on a cache-line granularity within huge code bases is impractical. In this paper, we present a new generic cache template attack technique, LBTA, layered binary templating attacks. LBTA uses multiple coarser-grained side channel layers as an extension to cache-line granularity templating to speed up the runtime of cache templating attacks. We describe LBTA with a variable number of layers with concrete side channels of different granularity, ranging from 64 B to 2MB in practice and in theory beyond. In particular the software-level…
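To make the layered idea concrete, here is an added simulation (not code from the paper or its authors) of why coarse-to-fine templating needs far fewer probes than templating every cache line. The probe oracle is a constructed stand-in for whichever side channel is used at each layer; the granularities 2 MiB, 4 KiB and 64 B, the 16 MiB binary size and the two leaking addresses are assumptions chosen for illustration. Each layer only probes regions whose parent region showed activity in the layer above.

```python
"""Simulation of layered templating: coarse-to-fine search for leaking cache lines.

This is an added illustration, not the paper's tooling. The oracle below is a
constructed stand-in for a real side channel (e.g. a coarse page-level channel
at the upper layers and Flush+Reload on 64 B lines at the bottom).
"""

# Assumed layer granularities, coarsest first. Each must divide the previous one.
LAYERS = [2 * 1024 * 1024, 4096, 64]
LINE = 64


def make_oracle(leaking_lines):
    """Constructed oracle: True iff [start, start+size) contains a leaking line.

    A real side channel returns this answer by measuring the target while the
    victim processes an input event; here it is computed from a ground-truth set.
    """
    def probe(start, size):
        return any(start <= line < start + size for line in leaking_lines)
    return probe


def flat_template(binary_size, probe, line_size=LINE):
    """Classic templating: probe every cache line of the binary once."""
    probes = 0
    hits = []
    for addr in range(0, binary_size, line_size):
        probes += 1
        if probe(addr, line_size):
            hits.append(addr)
    return hits, probes


def layered_template(binary_size, probe, layers=LAYERS):
    """Layered templating: refine only the regions that showed activity.

    Returns (sorted list of leaking line addresses, number of probes issued).
    """
    for coarse, fine in zip(layers, layers[1:]):
        if coarse % fine != 0:
            raise ValueError("each layer granularity must divide the previous one")

    candidates = [(0, binary_size)]  # regions still worth refining
    probes = 0
    for gran in layers:
        refined = []
        for start, size in candidates:
            for addr in range(start, start + size, gran):
                region = min(gran, start + size - addr)  # clamp at region end
                probes += 1
                if probe(addr, region):
                    refined.append((addr, region))
        candidates = refined
    return sorted(start for start, _ in candidates), probes


# Constructed scenario: a 16 MiB binary with two leaking 64 B lines.
BINARY_SIZE = 16 * 1024 * 1024
LEAKING_LINES = {0x123440, 0x8A0C80}
ORACLE = make_oracle(LEAKING_LINES)


def compare():
    """Run both strategies on the constructed scenario and report probe counts."""
    flat_hits, flat_probes = flat_template(BINARY_SIZE, ORACLE)
    layered_hits, layered_probes = layered_template(BINARY_SIZE, ORACLE)
    return {
        "flat_hits": sorted(flat_hits),
        "flat_probes": flat_probes,
        "layered_hits": layered_hits,
        "layered_probes": layered_probes,
        "speedup": flat_probes / layered_probes,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

In this scenario flat templating issues 262,144 probes (16 MiB / 64 B) while the layered search issues 8 + 1024 + 128 = 1,160, and both recover the same two lines. The caveat a practitioner should keep in mind is visible in the pruning step: a false negative at a coarse layer discards the whole subtree beneath it, so the upper layers in a real attack need enough repetitions to keep their miss rate low.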
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Digital and Cyber Forensics
