Speculative Dereferencing of Registers:Reviving Foreshadow

08/05/2020
by Martin Schwarzl, et al.

Since 2016, multiple microarchitectural attacks have exploited an effect that is attributed to prefetching. These works observe that certain user-space operations can fetch kernel addresses into the cache. Fetching user-inaccessible data into the cache enables KASLR breaks and assists various Meltdown-type attacks, especially Foreshadow. In this paper, we provide a systematic analysis of the root cause of this prefetching effect. While we confirm the empirical results of previous papers, we show that the attribution to a prefetching mechanism is fundamentally incorrect in all previous papers describing or exploiting this effect. In particular, neither the prefetch instruction nor other user-space instructions actually prefetch kernel addresses into the cache, leading to incorrect conclusions and ineffectiveness of proposed defenses. The effect exploited in all of these papers is, in fact, caused by speculative dereferencing of user-space registers in the kernel. Hence, mitigation techniques such as KAISER do not eliminate this leakage as previously believed. Beyond our thorough analysis of these previous works, we also demonstrate new attacks enabled by understanding the root cause, namely an address-translation attack in more restricted contexts, direct leakage of register values in certain scenarios, and the first end-to-end Foreshadow (L1TF) exploit targeting non-L1 data. The latter is effective even with the recommended Foreshadow mitigations enabled and thus revives the Foreshadow attack. We demonstrate that these dereferencing effects exist even on the most recent Intel CPUs with the latest hardware mitigations, and on CPUs previously believed to be unaffected, i.e., ARM, IBM, and AMD CPUs.
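The experiment behind the abstract's central claim can be reproduced with a small Flush+Reload harness: put a user-space address into the general-purpose registers, enter the kernel, and then time a load from that address to see whether the kernel brought the line into the cache although no user-space instruction touched it. The program below is an added example, not code from the paper or its authors. It assumes x86-64 Linux, uses the `sched_yield` system call as the kernel entry point (the paper reports that which entry points and which registers leak depends on the kernel and CPU; this choice is an assumption), and measures a private user page rather than a kernel address, so it demonstrates the dereferencing effect but is not by itself a KASLR break or a Foreshadow exploit. The control run fills the registers with the address of a second, unrelated page.

```c
/* Added example (not from the paper): does a syscall issued with a user
 * address in the general-purpose registers bring that address into the
 * cache? Flush+Reload on a user page, x86-64 Linux only. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>

#if defined(__x86_64__) && defined(__linux__)
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux x86-64 value; only used if the libc headers hide it */
#endif

/* Serialised timestamp read, the usual Flush+Reload timer. */
static inline uint64_t timestamp(void) {
    uint32_t lo, hi;
    __asm__ __volatile__("mfence\n\tlfence\n\trdtsc\n\tlfence" : "=a"(lo), "=d"(hi) : : "memory");
    return ((uint64_t)hi << 32) | lo;
}

static inline void flush(const void *p) {
    __asm__ __volatile__("clflush (%0)" : : "r"(p) : "memory");
}

/* Time one load from p; a small value means the line was already cached. */
static inline uint64_t reload_cycles(const void *p) {
    uint64_t t0 = timestamp();
    __asm__ __volatile__("movq (%0), %%rax" : : "r"(p) : "rax", "memory");
    return timestamp() - t0;
}

/* Load addr into every general-purpose register we can control, then enter
 * the kernel. sched_yield takes no arguments, so the handler ignores the
 * values (rcx and r11 are overwritten by the syscall instruction itself).
 * The entry point is an assumption; which ones leak varies by kernel/CPU. */
static void syscall_with_regs(const void *addr, long nr) {
    long rax = nr;
    __asm__ __volatile__(
        "mov %[a], %%rbx\n\t" "mov %[a], %%rcx\n\t" "mov %[a], %%rdx\n\t"
        "mov %[a], %%rsi\n\t" "mov %[a], %%rdi\n\t" "mov %[a], %%r8\n\t"
        "mov %[a], %%r9\n\t"  "mov %[a], %%r10\n\t" "mov %[a], %%r11\n\t"
        "mov %[a], %%r12\n\t" "mov %[a], %%r13\n\t" "mov %[a], %%r14\n\t"
        "mov %[a], %%r15\n\t"
        "syscall"
        : "+a"(rax)
        : [a] "m"(addr)
        : "rbx", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11",
          "r12", "r13", "r14", "r15", "memory", "cc");
    (void)rax;
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Cached/uncached threshold: midpoint of the medians of 1000 cached and
 * 1000 flushed loads of the same line (a simple, common calibration). */
uint64_t calibrate_threshold(const void *p) {
    enum { N = 1000 };
    static uint64_t cached[N], flushed[N];
    for (int i = 0; i < N; i++) { reload_cycles(p); cached[i] = reload_cycles(p); }
    for (int i = 0; i < N; i++) { flush(p); flushed[i] = reload_cycles(p); }
    qsort(cached, N, sizeof *cached, cmp_u64);
    qsort(flushed, N, sizeof *flushed, cmp_u64);
    return (cached[N / 2] + flushed[N / 2]) / 2;
}

/* Fraction of rounds in which `target` was cached after a syscall issued
 * with `in_regs` loaded into the registers. */
double hit_rate(const void *target, const void *in_regs, uint64_t threshold, int rounds) {
    int hits = 0;
    for (int i = 0; i < rounds; i++) {
        flush(target);
        syscall_with_regs(in_regs, SYS_sched_yield);
        if (reload_cycles(target) < threshold) hits++;
    }
    return (double)hits / rounds;
}

/* out[0]: hit rate with the target address in the registers.
 * out[1]: control, registers hold the address of an unrelated decoy page.
 * Returns 0 on success, -1 if the pages cannot be mapped. */
int run_experiment(int rounds, double out[2]) {
    char *pages = mmap(NULL, 2 * 4096, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (pages == MAP_FAILED) return -1;
    memset(pages, 1, 2 * 4096);                 /* back both pages with memory */
    const char *target = pages, *decoy = pages + 4096;
    uint64_t thr = calibrate_threshold(target);
    out[0] = hit_rate(target, target, thr, rounds);
    out[1] = hit_rate(target, decoy, thr, rounds);
    munmap(pages, 2 * 4096);
    return 0;
}
#else
/* Not x86-64 Linux: report the platform as unsupported. */
int run_experiment(int rounds, double out[2]) { (void)rounds; out[0] = out[1] = -1.0; return -1; }
#endif

int main(void) {
    double r[2];
    if (run_experiment(10000, r) != 0) { puts("unsupported platform or mmap failed"); return 1; }
    printf("target address in registers: %.1f%% of rounds cached after syscall\n", 100 * r[0]);
    printf("decoy address in registers:  %.1f%% of rounds cached after syscall\n", 100 * r[1]);
    return 0;
}
```

A hit rate for the first line well above the decoy control is the effect the paper attributes to speculative dereferencing of the register contents inside the kernel; neither run executes a prefetch instruction or any user-space load of the target between the flush and the timed reload. The numbers depend on the microarchitecture, kernel version and mitigations, and can be noisy on a busy system, so compare the two rates rather than reading either in isolation. The control is only as clean as the compiler leaves it: the target pointer may still sit in rbp or on the stack across the control syscall, which the inline assembly cannot clobber, so a non-zero control rate is not by itself evidence against the effect.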


