New Cache Attack for Android Devices

Tuesday, August 16, 2016 @ 04:08 PM gHale


It is possible to conduct a cache attack on multi-core ARM CPUs used in Android devices, researchers said.

A CPU cache attack is a side-channel information leak attack that allows a third-party to extract small portions of data from a CPU cache, which, in turn, can end up used to infer details about the processed data, said five researchers from the Graz University of Technology in Austria who presented their research findings at the Usenix Security Symposium.

RELATED STORIES
Wireless: 900M Android Devices Vulnerable
Linux Kernel Defenses added to Nougat
Android FDE Vulnerability Patched
Google makes 108 Fixes for Android

In the past, researchers conducted multiple types of cache attacks, most of them against Intel x86 CPU architectures.

Since ARM is a newcomer to the CPU market, researchers are only starting to explore the possibility of porting these older attacks on the new platform, which has made its way into smartphones, tablets, and IoT devices.

An ARM processor is one of a family of CPUs based on the RISC (reduced instruction set computer) architecture developed by Advanced RISC Machines (ARM).

Researcher Moritz Lipp said in presenting his paper how their team was able to use powerful cache attacks on ARM CPUs in order to compromise Android devices.

Using techniques like Prime+Probe, Flush+Reload, Evict+Reload, and Flush+Flush, researchers said they were able to monitor tap and swipe gestures events sent to the CPU for processing.

“Based on our techniques, we demonstrate covert channels that outperform state-of-the-art covert channels on Android by several orders of magnitude,” the researchers said.

“Moreover, we present attacks to monitor tap and swipe events as well as keystrokes, and even derive the lengths of words entered on the touchscreen. Eventually, we are the first to attack cryptographic primitives implemented in Java.”

The researchers said their attack is so intrusive it also manages to monitor cache activity (code execution) in the ARM TrustZone, a special area of the Android operating system that benefits from hardened security measures because it processes sensitive cryptographic operations.

Researchers said their attack can end up carried out from the normal userspace, with no elevated privileges, and it affects hundreds of millions of Android devices.

The team presented their results to Google, who patched most of the issues in its March 2016 Android Security Bulletin.