Researchers find hardware-agnostic side-channel attack affecting OS page caches

9 Jan 2019


A new side-channel attack targeting the page caches of operating systems has proved successful against Windows and Linux machines.

A team of researchers from Graz University of Technology, Boston University, NetApp, CrowdStrike and Intel published a research paper earlier this week detailing a new side-channel attack.

A side-channel attack is an attack based on information obtained from the implementation of a computer system, as opposed to weaknesses in the implemented algorithm itself. The most famous side-channel attacks of recent times include the Spectre and Meltdown chip flaws.

A unique side-channel attack

While side-channel attacks themselves are nothing new, the researchers claim this one is hardware-agnostic and can be carried out remotely in certain cases. According to ZDNet, the attack is also notable as it does not target microarchitectural design flaws in CPUs or other machine components, but instead targets the operating system (OS) itself.

The technique targets the OS page cache, the part of main memory where the OS keeps file contents currently in use by one or more applications, such as shared libraries and user data, so that they do not have to be read from disk again. These caches are controlled at OS level, as opposed to hardware caches, which are dedicated memory inside the CPU used to speed up access to recently used data and instructions.

What could the researchers do?

Researchers were able to monitor how certain processes access memory through the OS page cache. The team said: “We present a set of local attacks that work entirely without any timers, utilising operating system calls (‘mincore’ on Linux and ‘QueryWorkingSetEx’ on Windows) to elicit page cache information.

“We also show that page cache metadata can leak to a remote attacker over a network channel, producing a stealthy covert channel between a malicious local sender process and an external attacker.”

Access to this page cache information allowed the researchers to carry out local attacks such as bypassing sandbox protections, interface redressing and keystroke capturing. All of the attacks can be executed locally, whereby an unprivileged process runs malicious code on a targeted computer. While the attacks can also be modified to work remotely, the remote variant is far less efficient.
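The mincore probe the researchers mention above, as an added example that is not part of the article or of the paper: it maps a file read-only and asks the Linux kernel which of its pages are currently in the page cache, then runs that probe on a scratch file the process creates itself, evicting the pages and reading one back in so the residency bits can be seen to change with no timing measurement at all. It assumes Linux (posix_fadvise eviction and a writable /tmp); the function names are this example's own. Linux later restricted what mincore reveals about files the caller cannot write to, which is why the walk-through uses a file it owns.

```c
#define _GNU_SOURCE            /* mincore, posix_fadvise, mkstemp, pread */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Count how many pages of an open file sit in the OS page cache right now.
 * Returns 0 on success and fills *resident / *total with page counts. */
int page_cache_residency(int fd, size_t *resident, size_t *total)
{
    struct stat st;
    if (fstat(fd, &st) < 0 || st.st_size == 0) return -1;
    size_t len = (size_t)st.st_size, page = (size_t)sysconf(_SC_PAGESIZE);
    size_t npages = (len + page - 1) / page;
    /* A read-only mapping faults nothing in, so mincore just reports what
     * earlier accesses or evictions left in the cache: no timer involved. */
    void *map = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) return -1;
    unsigned char *vec = calloc(npages, 1);
    int rc = vec ? mincore(map, len, vec) : -1;
    size_t n = 0;
    for (size_t i = 0; rc == 0 && i < npages; i++) n += vec[i] & 1;
    free(vec);
    munmap(map, len);
    if (rc != 0) return -1;
    *resident = n; *total = npages;
    return 0;
}

/* Walk-through on a scratch file this process owns: write 8 pages, ask the
 * kernel to drop them, read page 0 back, and observe the residency change.
 * On tmpfs the drop is a no-op, so *evicted simply stays equal to *total. */
int residency_walkthrough(size_t *evicted, size_t *after_touch, size_t *total)
{
    char path[] = "/tmp/pagecache-demo-XXXXXX";     /* constructed scratch file */
    size_t page = (size_t)sysconf(_SC_PAGESIZE), ignored;
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    char *buf = calloc(8, page);
    int ok = buf && write(fd, buf, 8 * page) == (ssize_t)(8 * page)
          && fsync(fd) == 0 && posix_fadvise(fd, 0, 0, POSIX_FADV_DONTNEED) == 0
          && page_cache_residency(fd, evicted, total) == 0
          && pread(fd, buf, page, 0) == (ssize_t)page   /* touch page 0 only */
          && page_cache_residency(fd, after_touch, &ignored) == 0;
    free(buf); close(fd); unlink(path);
    return ok ? 0 : -1;
}
```

Running page_cache_residency on a file the caller cannot write to shows what the running kernel still exposes to unprivileged processes, which is the quantity the vendors' fixes aim to reduce.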

Mitigating the risk

The researchers said that although they focused on Microsoft and Linux-based systems, the attack may also work on macOS as page caching is present on all major operating systems.

Vendors were contacted prior to the research being publicised. Microsoft has already fixed how Windows manages page cache reads, while Linux is still working on how to deal with the issue. Both are said to be fixing the key issues in the near future.

Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, said: “This attack class presents a significantly lower complexity barrier than previous hardware-based side-channel attacks and can easily be put into practice by threat actors, both nation state as well as cybergangs.

“In particular, password recovery via unprivileged applications is a major worry as it would be available to most unwanted software bundlers and other programs typically thought of as relatively harmless.

“There is not much that an end user can currently do to protect themselves against this type of attack except to not run any software from a shady source, even if it does not raise any antivirus flag.”

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects
