DeepAI AI Chat
Log In Sign Up

Fallout: Reading Kernel Writes From User Space

by   Marina Minkin, et al.

Recently, out-of-order execution, an important performance optimization in modern high-end processors, has been revealed to pose a significant security threat, allowing information leaks across security domains. In particular, the Meltdown attack leaks information from the operating system kernel to user space, completely eroding the security of the system. To address this and similar attacks, without incurring the performance costs of software countermeasures, Intel includes hardware-based defenses in its recent Coffee Lake R processors. In this work, we show that the recent hardware defenses are not sufficient. Specifically, we present Fallout, a new transient execution attack that leaks information from a previously unexplored microarchitectural component called the store buffer. We show how unprivileged user processes can exploit Fallout to reconstruct privileged information recently written by the kernel. We further show how Fallout can be used to bypass kernel address space randomization. Finally, we identify and explore microcode assists as a hitherto ignored cause of transient execution. Fallout affects all processor generations we have tested. However, we notice a worrying regression, where the newer Coffee Lake R processors are more vulnerable to Fallout than older generations.


Survey of Transient Execution Attacks

Transient execution attacks, also called speculative execution attacks, ...

Store-to-Leak Forwarding: Leaking Data on Meltdown-resistant CPUs

Meltdown and Spectre exploit microarchitectural changes the CPU makes du...


The security of computer systems fundamentally relies on memory isolatio...

AVX Timing Side-Channel Attacks against Address Space Layout Randomization

Modern x86 processors support an AVX instruction set to boost performanc...

Leaking Control Flow Information via the Hardware Prefetcher

Modern processor designs use a variety of microarchitectural methods to ...

A Way Around UMIP and Descriptor-Table Exiting via TSX-based Side-Channel Attack

Nowadays, in operating systems, numerous protection mechanisms prevent o...

An Exploratory Analysis of Microcode as a Building Block for System Defenses

Microcode is an abstraction layer used by modern x86 processors that int...