Store-to-Leak Forwarding: Leaking Data on Meltdown-resistant CPUs

05/14/2019
by Michael Schwarz, et al.

Meltdown and Spectre exploit microarchitectural changes the CPU makes during transient out-of-order execution. Using side-channel techniques, these attacks enable leaking arbitrary data from memory. As state-of-the-art software mitigations for Meltdown may incur significant performance overheads, they are only seen as a temporary solution. Consequently, these software mitigations are disabled on more recent processors that are no longer susceptible to the original Meltdown attack. In this paper, we show that Meltdown-like attacks are still possible on recent CPUs that are not vulnerable to the original Meltdown attack. We show that the store buffer---a microarchitectural optimization to reduce the latency for data stores---in combination with the TLB enables powerful attacks. We present several ASLR-related attacks, including a KASLR break from unprivileged applications and breaking ASLR from JavaScript. We can also mount side-channel attacks, breaking the atomicity of TSX and monitoring the control flow of the kernel. Furthermore, when combined with a simple Spectre gadget, we can leak arbitrary data from memory. Our paper shows that Meltdown-like attacks are still possible, and that software fixes are still necessary to ensure proper isolation between the kernel and user space.
