Researcher Pepe Vila reveals algorithm for adversarial cache takeover

A tool to speed up hardware attacks using critical vulnerabilities such as Rowhammer and Spectre was released at the IEEE conference last week, with researchers calling for better countermeasures to secure modern CPUs.

The research group led by Pepe Vila presented an algorithm that would allow an adversary to find an eviction set more efficiently – a key step towards performing speculative execution and other hardware attacks.

“With this new algorithm we found, you can perform the attack in just seconds,” Vila told The Daily Swig, providing the example of a web page that runs JavaScript under certain architecture prototypes.

“If a user opens a page that runs this exploit, we find eviction sets, and then try to exploit Rowhammer or Spectre or whatever.”

Eviction sets are groups of virtual addresses that all map to the same set in a CPU’s memory cache, which provides faster access to content than the device’s main storage.

“The cache is split in sets and each set has certain capacity,” Vila explained.

“If you exceed the capacity of a set you will need to remove things that are stored in there.”

This becomes relevant for attacks such as Rowhammer, where an attacker floods the cache with data in order to push out what is stored there, replace it with new content, and ultimately achieve privilege escalation.

An eviction set is required as it provides the map to how the cache is organized.

“Right now, a certain address, even if you don’t know what the address is, will always be mapping to the same place,” Vila said.

“And this provides a lot of opportunity for the attacker to find eviction sets.”

He added: “So we want to find these eviction sets, which are just sets of addresses that fill a specific cache set.”
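To make the two definitions above concrete (a cache split into sets of fixed capacity, and an eviction set as a group of addresses that fills one specific set), here is a small simulation added to this article; it is not code from the article or from Vila’s research group. It assumes a toy 16-set, 4-way, LRU cache with 64-byte lines whose set index is taken straight from address bits, the deterministic mapping Vila describes as giving attackers their opportunity.

```python
"""Toy set-associative cache model illustrating eviction sets (constructed example)."""
from collections import OrderedDict

LINE_SIZE = 64   # bytes per cache line (assumed)
SETS = 16        # number of sets (assumed)
WAYS = 4         # lines per set, i.e. the set's "capacity" (assumed)


def set_index(addr: int) -> int:
    """Deterministic mapping: the set is chosen by address bits above the line offset."""
    return (addr // LINE_SIZE) % SETS


class Cache:
    def __init__(self) -> None:
        # one LRU-ordered dict of line tags per set
        self.sets = [OrderedDict() for _ in range(SETS)]

    def access(self, addr: int) -> bool:
        """Touch one address; return True on a hit, False on a miss."""
        lines = self.sets[set_index(addr)]
        tag = addr // LINE_SIZE
        if tag in lines:
            lines.move_to_end(tag)      # mark as most recently used
            return True
        lines[tag] = None
        if len(lines) > WAYS:           # capacity exceeded: the LRU line is removed
            lines.popitem(last=False)
        return False


def is_eviction_set(target: int, candidates: list[int]) -> bool:
    """True if touching every candidate address pushes the target line out of the cache."""
    cache = Cache()
    cache.access(target)                # bring the target line into its set
    for addr in candidates:
        cache.access(addr)
    return not cache.access(target)     # a miss now means the target was evicted


def congruent_addresses(target: int, count: int) -> list[int]:
    """Distinct lines that share the target's set index (same place in the cache)."""
    stride = LINE_SIZE * SETS           # distance to the next address in the same set
    return [target + stride * i for i in range(1, count + 1)]
```

With this mapping, WAYS congruent addresses form an eviction set for any target, while any number of addresses in other sets never do; a cache whose mapping could not be derived from address bits alone is what would make the congruent set harder to construct, which is the security benchmark Vila proposes below.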

In 2018 Chrome released various mitigation techniques to protect against vulnerabilities such as Spectre/Meltdown, including a Site Isolation feature, which runs separate sites in separate virtual address spaces.

Vila believes that the only real future defense against these attacks is a complete overhaul of how hardware is built.

“They [hardware vendors] only consider benchmarks for speed,” he said.

“In the cache world they have proposed cache replacement policies of different cache mappings, but their benchmark is always performance.

“I think the benchmark for security could be how difficult it is to find eviction sets, and you could use that for measuring the security of a cache.”

The Daily Swig has reached out to Google Chrome for comment.
