Conference paper

GhostRace: Exploiting and Mitigating Speculative Race Conditions

Abstract

Race conditions arise when multiple threads access a shared resource without proper synchronization, often leading to vulnerabilities such as concurrent use-after-free. To prevent them, operating systems rely on synchronization primitives such as mutexes and spinlocks.

In this paper, we present GhostRace, the first security analysis of these primitives on speculatively executed code paths. Our key finding is that all the common synchronization primitives can be microarchitecturally bypassed on speculative paths, turning all architecturally race-free critical regions into Speculative Race Conditions (SRCs). To study the severity of SRCs, we focus on Speculative Concurrent Use-After-Free (SCUAF) and uncover 1,283 potentially exploitable gadgets in the Linux kernel. Moreover, we demonstrate that SCUAF information disclosure attacks against the kernel are not only practical, but that their reliability can closely match that of traditional Spectre attacks, with our proof of concept leaking kernel memory at 12 KB/s. Crucially, we develop a new technique to create an unbounded race window, accommodating the arbitrary number of SCUAF invocations required by an end-to-end attack within a single race window. To address the new attack surface, we also propose a generic SRC mitigation to harden all the affected synchronization primitives on Linux. Our mitigation requires minimal kernel changes and incurs only ~5% geomean performance overhead on LMBench.
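The finding summarized above, as an added example written by the editor (not code from the GhostRace paper or the Linux kernel): a spinlock-guarded critical region that is architecturally race-free but whose lock-acquire branch is, per the paper, bypassable on a speculative path, beside a variant with a speculation barrier placed directly after lock acquisition. The session/table layout, the spinlock, the barrier instructions (LFENCE on x86-64, DSB+ISB on arm64) and the barrier placement are assumptions made for illustration; the page itself does not say which instruction the paper's mitigation uses or where it is inserted.

```c
/* Editor's illustration of a Speculative Race Condition (SRC) and of the
 * "barrier after lock acquisition" hardening shape.  Not code from the GhostRace
 * paper or the Linux kernel: object layout, lock and barrier are assumptions. */
#include <stdatomic.h>
#include <stdlib.h>

/* Stall issue until every older branch, including the one that decided the lock
 * was acquired, has resolved.  LFENCE on x86-64, DSB+ISB on arm64; any other
 * target gets only a compiler barrier, which does not stop hardware speculation. */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__)
    __asm__ __volatile__("lfence" ::: "memory");
#elif defined(__aarch64__)
    __asm__ __volatile__("dsb sy\n\tisb" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");
#endif
}

struct spinlock { atomic_flag locked; };

/* The loop-exit branch is the kind of branch the paper's finding is about: the
 * predictor can resolve it as "acquired" while another CPU still holds the lock. */
static void spin_lock(struct spinlock *l)
{
    while (atomic_flag_test_and_set_explicit(&l->locked, memory_order_acquire))
        ;
}
static void spin_unlock(struct spinlock *l)
{
    atomic_flag_clear_explicit(&l->locked, memory_order_release);
}

struct session { int id; int (*handler)(const struct session *); };  /* indirect call = gadget */
struct table { struct spinlock lock; struct session *slots[4]; };

static int echo_id(const struct session *s) { return s->id; }

/* Freeing side: clears the slot under the same lock, so architecturally the
 * dispatch paths below can never see the freed object. */
static void destroy_session(struct table *t, unsigned i)
{
    spin_lock(&t->lock);
    struct session *s = t->slots[i & 3];
    t->slots[i & 3] = NULL;
    spin_unlock(&t->lock);
    free(s);
}

/* Architecturally race-free.  On a mispredicted spin_lock() exit the CPU can
 * still transiently load slots[i] and call s->handler while destroy_session()
 * is freeing s: a speculative concurrent use-after-free (SCUAF). */
static int dispatch_unhardened(struct table *t, unsigned i)
{
    int rc = -1;
    spin_lock(&t->lock);
    struct session *s = t->slots[i & 3];
    if (s)
        rc = s->handler(s);
    spin_unlock(&t->lock);
    return rc;
}

/* Hardened: the barrier directly after acquisition keeps the critical region
 * from being entered before the acquire branch has resolved. */
static int dispatch_hardened(struct table *t, unsigned i)
{
    int rc = -1;
    spin_lock(&t->lock);
    speculation_barrier();
    struct session *s = t->slots[i & 3];
    if (s)
        rc = s->handler(s);
    spin_unlock(&t->lock);
    return rc;
}

struct outcome { int before_free; int after_free; };

/* Victim and freeing side in program order (the architectural interleaving), so
 * both variants must agree; the transient window only exists on real hardware
 * between the acquire branch and its resolution. */
static struct outcome run_scenario(int hardened)
{
    int (*dispatch)(struct table *, unsigned) =
        hardened ? dispatch_hardened : dispatch_unhardened;
    struct table t = { .lock = { .locked = ATOMIC_FLAG_INIT } };
    struct session *s = calloc(1, sizeof *s);    /* constructed sample object */
    struct outcome o = { -2, -2 };               /* -2: allocation failed */
    if (!s) return o;
    s->id = 42;
    s->handler = echo_id;
    t.slots[1] = s;                              /* installed before any contention */
    o.before_free = dispatch(&t, 1);             /* 42 */
    destroy_session(&t, 1);                      /* attacker-triggered free */
    o.after_free = dispatch(&t, 1);              /* -1: slot cleared under the lock */
    return o;
}
```

Run single-threaded, the two variants return the same values, since the barrier changes nothing architecturally; what it changes is that the transient window between the acquire branch and its resolution no longer covers the critical region. Observing that window requires a cache side-channel harness on real hardware, which is outside the scope of this example.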

"There's security, and then there's just being ridiculous." – Linus Torvalds, on Speculative Race Conditions
