Level 52
Content Creator
Malware Hunter
Researchers from a combination of academic and corporate backgrounds have disclosed a newly discovered side-channel attack technique that targets the operating system page cache and affects devices regardless of hardware architecture or OS.

“The page cache is a pure software cache that contains all disk-backed pages, including program binaries, shared libraries,and other files, and our attacks thus work across cores and CPUs,” warns a new report issued by researchers from Graz University of Technology, Boston University, NetApp, CrowdStrike and Intel Corporation.

The technique allows unprivileged actors to monitor instances of memory access involving certain processes, thereby enabling them to execute a variety of local and remote attacks. Under certain instances, malicious hackers could potentially use this exploit to set up covert channels between segregated processes, engage in clickjacking (via UI redressing), perform keystroke-timing attacks, steal passwords from vulnerable PHP scripts, and remotely leak information across a network.

“We present a set of local attacks that work entirely without any timers, utilizing operating system calls (mincore on Linux and QueryWorkingSetEx on Windows) to elicit page cache information,” the paper states. “We also show that page cache metadata can leak to a remote attacker over a network channel, producing a stealthy covert channel between a malicious local sender process and an external attacker.”

Although the researchers focused on Linux and Windows-based systems, reports state that the technique could be applied against MacOS machines as well, since all modern operating systems implement a page cache.

In their paper, researchers suggest a number of mitigations, including
modifying the operating system implementation and instituting certain page replacement algorithms to “reduce the applicability of our attack while simultaneously improving the system performance.”

The researchers said Microsoft’s and Linux’s security teams are working on developing fixes for the underlying vulnerability that makes this side-channel attack possible. Microsoft reportedly already addressed the issue in its Windows 10 Insider Preview Build 18305, but plans to issue a public fix later this year.