
Store-to-Leak Forwarding: Leaking Data on Meltdown-resistant CPUs

by Michael Schwarz, et al.

Meltdown and Spectre exploit microarchitectural state changes the CPU makes during transient out-of-order execution. Using side-channel techniques, these attacks can leak arbitrary data from memory. As state-of-the-art software mitigations for Meltdown may incur significant performance overheads, they are only seen as a temporary solution. Thus, software mitigations are disabled on more recent processors, which are no longer susceptible to Meltdown. In this paper, we show that Meltdown-like attacks are still possible on recent CPUs that are not vulnerable to the original Meltdown attack. We show that the store buffer (a microarchitectural optimization that reduces the latency of data stores), in combination with the TLB, enables powerful attacks. We present several ASLR-related attacks, including a KASLR break from unprivileged applications and breaking ASLR from JavaScript. We can also mount side-channel attacks, breaking the atomicity of TSX and monitoring the control flow of the kernel. Furthermore, when combined with a simple Spectre gadget, we can leak arbitrary data from memory. Our paper shows that Meltdown-like attacks are still possible, and that software fixes are still necessary to ensure proper isolation between the kernel and user space.




Fallout: Reading Kernel Writes From User Space

Recently, out-of-order execution, an important performance optimization ...

ZombieLoad: Cross-Privilege-Boundary Data Sampling

In early 2018, Meltdown first showed how to read arbitrary kernel memory...

Transient Execution of Non-Canonical Accesses

Recent years have brought microarchitectural security into the spotlight,...

Real time Detection of Spectre and Meltdown Attacks Using Machine Learning

Recently discovered Spectre and Meltdown attacks affect almost all proc...

Breaking the curse of dimensionality with Isolation Kernel

The curse of dimensionality has been studied in different aspects. Howev...

Cats vs. Spectre: An Axiomatic Approach to Modeling Speculative Execution Attacks

The Spectre family of speculative execution attacks have required a reth...

On Value Recomputation to Accelerate Invisible Speculation

Recent architectural approaches that address speculative side-channel at...