GhostRace: Exploiting and Mitigating Speculative Race Conditions

Hany Ragab*, Andrea Mambretti*, Anil Kurmus*, Cristiano Giuffrida

*Corresponding author for this work

Research output: Chapter in Book / Report / Conference proceedingConference contributionAcademicpeer-review

Abstract

Race conditions arise when multiple threads attempt to access a shared resource without proper synchronization, often leading to vulnerabilities such as concurrent use-after-free. To mitigate their occurrence, operating systems rely on synchronization primitives such as mutexes, spinlocks, etc. In this paper, we present GhostRace, the first security analysis of these primitives on speculatively executed code paths. Our key finding is that all the common synchronization primitives can be microarchitecturally bypassed on speculative paths, turning all architecturally race-free critical regions into Speculative Race Conditions (SRCs). To study the severity of SRCs, we focus on Speculative Concurrent Use-After-Free (SCUAF) and uncover 1, 283 potentially exploitable gadgets in the Linux kernel. Moreover, we demonstrate that SCUAF information disclosure attacks against the kernel are not only practical, but that their reliability can closely match that of traditional Spectre attacks, with our proof of concept leaking kernel memory at 12 KB/s. Crucially, we develop a new technique to create an unbounded race window, accommodating an arbitrary number of SCUAF invocations required by an end-to-end attack in a single race window. To address the new attack surface, we also propose a generic SRC mitigation to harden all the affected synchronization primitives on Linux. Our mitigation requires minimal kernel changes and incurs only ≈5% geomean performance overhead on LMBench.

Original languageEnglish
Title of host publication33rd USENIX Security Symposium, USENIX Security 2024, Philadelphia, PA, USA, August 14-16, 2024
Subtitle of host publication[Proceedings]
EditorsDavide Balzarotti, Wenyuan Xu
PublisherUSENIX Association
Pages6185-6202
Number of pages18
ISBN (Electronic)9781939133441
Publication statusPublished - 2024
Event33rd USENIX Security Symposium, USENIX Security 2024 - Philadelphia, United States
Duration: 14 Aug 202416 Aug 2024

Conference

Conference33rd USENIX Security Symposium, USENIX Security 2024
Country/TerritoryUnited States
CityPhiladelphia
Period14/08/2416/08/24

Bibliographical note

Publisher Copyright:
© USENIX Security Symposium 2024.All rights reserved.

Fingerprint

Dive into the research topics of 'GhostRace: Exploiting and Mitigating Speculative Race Conditions'. Together they form a unique fingerprint.

Cite this