Fallout: Reading Kernel Writes From User Space

by   Marina Minkin, et al.

Recently, out-of-order execution, an important performance optimization in modern high-end processors, has been revealed to pose a significant security threat, allowing information leaks across security domains. In particular, the Meltdown attack leaks information from the operating system kernel to user space, completely eroding the security of the system. To address this and similar attacks, without incurring the performance costs of software countermeasures, Intel includes hardware-based defenses in its recent Coffee Lake R processors. In this work, we show that the recent hardware defenses are not sufficient. Specifically, we present Fallout, a new transient execution attack that leaks information from a previously unexplored microarchitectural component called the store buffer. We show how unprivileged user processes can exploit Fallout to reconstruct privileged information recently written by the kernel. We further show how Fallout can be used to bypass kernel address space randomization. Finally, we identify and explore microcode assists as a hitherto ignored cause of transient execution. Fallout affects all processor generations we have tested. However, we notice a worrying regression, where the newer Coffee Lake R processors are more vulnerable to Fallout than older generations.



There are no comments yet.


page 4


Survey of Transient Execution Attacks

Transient execution attacks, also called speculative execution attacks, ...

Store-to-Leak Forwarding: Leaking Data on Meltdown-resistant CPUs

Meltdown and Spectre exploit microarchitectural changes the CPU makes du...


The security of computer systems fundamentally relies on memory isolatio...

Spectre Returns! Speculation Attacks using the Return Stack Buffer

The recent Spectre attacks exploit speculative execution, a pervasively ...

Leaking Control Flow Information via the Hardware Prefetcher

Modern processor designs use a variety of microarchitectural methods to ...

A Way Around UMIP and Descriptor-Table Exiting via TSX-based Side-Channel Attack

Nowadays, in operating systems, numerous protection mechanisms prevent o...

An Exhaustive Approach to Detecting Transient Execution Side Channels in RTL Designs of Processors

Hardware (HW) security issues have been emerging at an alarming rate in ...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.