
Speculative Dereferencing of Registers: Reviving Foreshadow

by Martin Schwarzl, et al.

Since 2016, multiple microarchitectural attacks have exploited an effect that is attributed to prefetching. These works observe that certain user-space operations can fetch kernel addresses into the cache. Fetching user-inaccessible data into the cache enables KASLR breaks and assists various Meltdown-type attacks, especially Foreshadow. In this paper, we provide a systematic analysis of the root cause of this prefetching effect. While we confirm the empirical results of previous papers, we show that the attribution to a prefetching mechanism is fundamentally incorrect in all previous papers describing or exploiting this effect. In particular, neither the prefetch instruction nor other user-space instructions actually prefetch kernel addresses into the cache, leading to incorrect conclusions and ineffectiveness of proposed defenses. The effect exploited in all of these papers is, in fact, caused by speculative dereferencing of user-space registers in the kernel. Hence, mitigation techniques such as KAISER do not eliminate this leakage as previously believed. Beyond our thorough analysis of these previous works, we also demonstrate new attacks enabled by understanding the root cause, namely an address-translation attack in more restricted contexts, direct leakage of register values in certain scenarios, and the first end-to-end Foreshadow (L1TF) exploit targeting non-L1 data. The latter is effective even with the recommended Foreshadow mitigations enabled and thus revives the Foreshadow attack. We demonstrate that these dereferencing effects exist even on the most recent Intel CPUs with the latest hardware mitigations, and on CPUs previously believed to be unaffected, i.e., ARM, IBM, and AMD CPUs.

