Exploiting Metaobjects to Reinforce Data Leakage Attacks

Hoyong Jeong, Hodong Kim, Junbeom Hur

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Reflective features in modern programming languages allow programs to introspect and modify their own structures and behavior during runtime. As these self-referential capabilities are frequently adopted in practice, security of the reflective systems becomes crucial. In this paper, we explore an adversary against reflective systems with access to a data leakage channel, which has previously been considered impractical to pose a realistic threat. In particular, we show that a crucial component of reflection, referred to as metaobjects, can be exploited to reinforce these data leakage channels. We introduce a novel attack strategy that exploits certain metaobjects as in-memory gadgets to leak data in a selective and target-oriented manner, consequentially eliminating the unnecessary sampling procedures inevitable in naive data leakage attacks. Such approach significantly optimizes the data space subject to extraction, elevating the practicality of the underlying data leakage channel. As an instantiation of our strategy, we propose and demonstrate SMDL, a framework that exploits reflection to reinforce Meltdown-type attacks to steal valuable data from the victim's memory. To demonstrate the efficacy of our attack, we implement SMDL against two different target applications, cryptographic library and deep learning service, and show that the secret key and neural network can be extracted with high accuracy and efficiency. Finally, we suggest metaobject obfuscation techniques to mitigate such exploitation.

Original languageEnglish
Title of host publicationProceedings of 25th International Symposium on Researchin Attacks, Intrusions and Defenses, RAID 2022
PublisherAssociation for Computing Machinery
Pages17-29
Number of pages13
ISBN (Electronic)9781450397049
DOIs
Publication statusPublished - 2022 Oct 26
Event25th International Symposium on Researchin Attacks, Intrusions and Defenses, RAID 2022 - Limassol, Cyprus
Duration: 2022 Oct 262022 Oct 28

Publication series

NameACM International Conference Proceeding Series

Conference

Conference25th International Symposium on Researchin Attacks, Intrusions and Defenses, RAID 2022
Country/TerritoryCyprus
CityLimassol
Period22/10/2622/10/28

Bibliographical note

Funding Information:
This work was supported by IITP grant funded by the MSIT, Korea (No. 2019-0-00533, IITP-2022-2020-0-01819, IITP-2022-2021-0-01810) and Basic Science Research Program through the National Research Foundation funded by the Ministry of Education, Korea (NRF-2021R1A6A1A13044830).

Publisher Copyright:
© 2022 ACM.

Keywords

  • meltdown
  • memory disclosure
  • reflective programming

ASJC Scopus subject areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'Exploiting Metaobjects to Reinforce Data Leakage Attacks'. Together they form a unique fingerprint.

Cite this