TY - GEN
T1 - RevAnC: A framework for reverse engineering hardware page table caches
AU - Van Schaik, Stephan
AU - Razavi, Kaveh
AU - Gras, Ben
AU - Bos, Herbert
AU - Giuffrida, Cristiano
PY - 2017/4
Y1 - 2017/4
N2 - Recent hardware-based attacks that compromise systems with Rowhammer or bypass address-space layout randomization rely on how the processor's memory management unit (MMU) interacts with page tables. These attacks often need to reload page tables repeatedly in order to observe changes in the target system's behavior. To speed up the MMU's page table lookups, modern processors make use of multiple levels of caches such as translation lookaside buffers (TLBs), special-purpose page table caches and even general data caches. A successful attack needs to flush these caches reliably before accessing page tables. To flush these caches from an unprivileged process, the attacker needs to create specialized memory access patterns based on the internal architecture and size of these caches as well as how they interact with each other. While information about TLBs and data caches is often reported in processor manuals released by the vendors, there is typically little or no information about the properties of page table caches on different processors. In this paper, we describe RevAnC, an open-source framework for reverse engineering internal architecture, size and the behavior of these page table caches by retrofitting a recently proposed EVICT+TIME attack on the MMU. RevAnC can automatically reverse engineer page table caches on new architectures while providing a convenient interface for flushing these caches on 23 different microarchitectures that we evaluated from Intel, ARM and AMD.
AB - Recent hardware-based attacks that compromise systems with Rowhammer or bypass address-space layout randomization rely on how the processor's memory management unit (MMU) interacts with page tables. These attacks often need to reload page tables repeatedly in order to observe changes in the target system's behavior. To speed up the MMU's page table lookups, modern processors make use of multiple levels of caches such as translation lookaside buffers (TLBs), special-purpose page table caches and even general data caches. A successful attack needs to flush these caches reliably before accessing page tables. To flush these caches from an unprivileged process, the attacker needs to create specialized memory access patterns based on the internal architecture and size of these caches as well as how they interact with each other. While information about TLBs and data caches is often reported in processor manuals released by the vendors, there is typically little or no information about the properties of page table caches on different processors. In this paper, we describe RevAnC, an open-source framework for reverse engineering internal architecture, size and the behavior of these page table caches by retrofitting a recently proposed EVICT+TIME attack on the MMU. RevAnC can automatically reverse engineer page table caches on new architectures while providing a convenient interface for flushing these caches on 23 different microarchitectures that we evaluated from Intel, ARM and AMD.
UR - http://www.scopus.com/inward/record.url?scp=85054815582&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85054815582&partnerID=8YFLogxK
U2 - 10.1145/3065913.3065918
DO - 10.1145/3065913.3065918
M3 - Conference contribution
AN - SCOPUS:85054815582
SN - 9781450349352
SP - 1
EP - 6
BT - EuroSec'17: Proceedings of the 10th European Workshop on Systems Security
PB - Association for Computing Machinery, Inc
T2 - 10th European Workshop on Systems Security, EuroSec 2017, co-located with European Conference on Computer Systems, EuroSys 2017
Y2 - 23 April 2017 through 27 April 2017
ER -