A team of researchers from the Graz University of Technology (TU Graz) in Austria has revived Linux page cache attacks, demonstrating that they are not as impractical as previously believed.
Page caches are designed to store file-backed memory pages, such as application binaries, libraries, and data files. By keeping a copy of recently accessed disk data in the system's memory, the operating system can fulfill subsequent requests more quickly, significantly improving overall performance.
Back in 2019, researchers from the Austrian university and several other organizations showed that Windows and Linux page caches could be abused for both local and remote attacks.
The experts demonstrated that attackers could use an unprivileged piece of malware running on the targeted system to create covert channels and steal sensitive user data via phishing, keylogging, and password reconstruction.
In a new paper published on Thursday, TU Graz researchers detailed new page cache attack techniques that target Linux (kernel versions between 2003 and the present day) and are significantly faster than the previous ones.
For example, an operation called 'flushing' (i.e., removing a page from the cache) takes only 0.8 microseconds compared to 149 milliseconds in the previous work, according to Sudheendra Raghav Neela, one of the researchers involved in the project.
“We achieve a full attack loop in just 0.6-2.3 microseconds — over 5 to 6 orders of magnitude faster than prior page-cache attacks,” the researcher told SecurityWeek.
The experts demonstrated several theoretical attack scenarios that a threat actor with access to the targeted machine can execute.
By monitoring memory pages associated with a specific binary, an attacker can determine when a user is prompted for a password, allowing them to launch a synchronized phishing overlay or a keylogger at the precise moment the victim is expecting to enter sensitive credentials.
The researchers also showed that inter-keystroke timing attacks can be carried out to infer sensitive information, such as passwords, by measuring the precise time intervals between consecutive keystrokes.
In a Docker environment, an attacker with access to a container can see which files another container accesses, breaking isolation and enabling the threat actor to spy on processes running in supposedly secure environments.
Another attack scenario involved the Discord application, allowing an attacker to determine specific user actions, such as joining a voice channel and playing a video.
Finally, the only attack not previously demonstrated monitors the page cache for specific libraries or resource files used by Firefox in order to identify websites accessed by the targeted user.
The findings were reported to the Linux kernel security team in January 2025, but only one issue, tracked as CVE-2025-21691, has been mitigated.
The attack surface remains, and all the techniques described in the new paper continue to work against current kernel versions, the researchers pointed out.