Abstract
Race conditions arise when multiple threads attempt to access a shared resource without proper synchronization, often leading to vulnerabilities such as concurrent use-after-free. To mitigate their occurrence, operating systems rely on synchronization primitives such as mutexes, spinlocks, etc. In this paper, we present GhostRace, the first security analysis of these primitives on speculatively executed code paths. Our key finding is that all the common synchronization primitives can be microarchitecturally bypassed on speculative paths, turning all architecturally race-free critical regions into Speculative Race Conditions (SRCs). To study the severity of SRCs, we focus on Speculative Concurrent Use-After-Free (SCUAF) and uncover 1,283 potentially exploitable gadgets in the Linux kernel. Moreover, we demonstrate that SCUAF information disclosure attacks against the kernel are not only practical, but that their reliability can closely match that of traditional Spectre attacks, with our proof of concept leaking kernel memory at 12 KB/s. Crucially, we develop a new technique to create an unbounded race window, accommodating an arbitrary number of SCUAF invocations required by an end-to-end attack in a single race window. To address the new attack surface, we also propose a generic SRC mitigation to harden all the affected synchronization primitives on Linux. Our mitigation requires minimal kernel changes and incurs only ≈5% geomean performance overhead on LMBench.
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | 33rd USENIX Security Symposium, USENIX Security 2024, Philadelphia, PA, USA, August 14-16, 2024 |
| Subtitle of host publication | [Proceedings] |
| Editors | Davide Balzarotti, Wenyuan Xu |
| Publisher | USENIX Association |
| Pages | 6185-6202 |
| Number of pages | 18 |
| ISBN (Electronic) | 9781939133441 |
| Publication status | Published - 2024 |
| Event | 33rd USENIX Security Symposium, USENIX Security 2024, Philadelphia, United States; duration: 14 Aug 2024 → 16 Aug 2024 |
Conference
| Field | Value |
|---|---|
| Conference | 33rd USENIX Security Symposium, USENIX Security 2024 |
| Country/Territory | United States |
| City | Philadelphia |
| Period | 14/08/24 → 16/08/24 |
Bibliographical note
Publisher Copyright: © USENIX Security Symposium 2024. All rights reserved.