Abstract
To reduce the storage footprint with increasing data volumes, modern filesystems internally use deduplication to store a single copy of a data deduplication record, even if it is used by multiple files. Unfortunately, its implementation in today's advanced filesystems such as ZFS and Btrfs yields timing side channels that can reveal whether a chunk of data has been deduplicated. In this paper, we present the DUPEFS class of attacks to show that such side channels pose an unexpected security threat. In contrast to memory deduplication attacks, filesystem accesses are performed asynchronously to improve performance, which masks any potential signal due to deduplication. To complicate matters further, filesystem deduplication is often performed at large granularities, complicating high-entropy information leakage. To address these challenges, DUPEFS relies on carefully-crafted read/write operations that show exploitation is not only feasible, but that the signal can be amplified to mount byte-granular attacks over the network. We show attackers can leak sensitive data at the rate of ∼1.5 bytes per hour in a end-to-end remote attack, to leak a long-lived (critical) OAuth access token from the access log file of the nginx web server running on ZFS/HDD. Finally, we propose mitigations where read/write operations exhibit the same time-domain behavior, irrespective of the pre-existence of the data handled during the operation.
| Original language | English |
|---|---|
| Title of host publication | Proceedings of the 20th USENIX Conference on File and Storage Technologies, FAST 2022 |
| Publisher | USENIX Association |
| Pages | 281-295 |
| Number of pages | 15 |
| ISBN (Electronic) | 9781939133267 |
| Publication status | Published - 10 Aug 2022 |
| Event | 20th USENIX Conference on File and Storage Technologies, FAST 2022 - Santa Clara, United States Duration: 22 Feb 2022 → 24 Feb 2022 |
Conference
| Conference | 20th USENIX Conference on File and Storage Technologies, FAST 2022 |
|---|---|
| Country/Territory | United States |
| City | Santa Clara |
| Period | 22/02/22 → 24/02/22 |
Bibliographical note
Funding Information:We thank our shepherd, Carl Waldspurger, and the anonymous reviewers for their comments, as well as Ilias Diamantakos for early signal testing. This work was supported by the EU's Horizon 2020 programme under grant agreement No. 825377 (UNICORE), Intel Corporation through the Side Channel Vulnerability ISRA, and NWO through project “Intersect”.
Publisher Copyright:
© AST 2022.All rights reserved.
Funding
We thank our shepherd, Carl Waldspurger, and the anonymous reviewers for their comments, as well as Ilias Diamantakos for early signal testing. This work was supported by the EU's Horizon 2020 programme under grant agreement No. 825377 (UNICORE), Intel Corporation through the Side Channel Vulnerability ISRA, and NWO through project “Intersect”.
