ZombieLoad: Cross-Privilege-Boundary Data Sampling
In early 2018, Meltdown first showed how to read arbitrary kernel memory from user space by exploiting side-effects from transient instructions. While this attack has been mitigated through stronger isolation boundaries between user and kernel space, Meltdown inspired an entirely new class of fault-driven transient execution attacks. Particularly, over the past year, Meltdown-type attacks have been extended to not only leak data from the L1 cache but also from various other microarchitectural structures, including the FPU register file and store buffer. In this paper, we present the ZombieLoad attack which uncovers a novel Meltdown-type effect in the processor's previously unexplored fill-buffer logic. Our analysis shows that faulting load instructions (i.e., loads that have to be re-issued for either architectural or microarchitectural reasons) may transiently dereference unauthorized destinations previously brought into the fill buffer by the current or a sibling logical CPU. Hence, we report data leakage of recently loaded stale values across logical cores. We demonstrate ZombieLoad's effectiveness in a multitude of practical attack scenarios across CPU privilege rings, OS processes, virtual machines, and SGX enclaves. We discuss both short and long-term mitigation approaches and arrive at the conclusion that disabling hyperthreading is the only possible workaround to prevent this extremely powerful attack on current processors.
NurtureToken New!

Token crowdsale for this paper ends in

Buy Nurture Tokens

Authors

Are you an author of this paper? Check the Twitter handle we have for you is correct.

Michael Schwarz (edit)
Moritz Lipp (edit)
Daniel Moghimi (edit)
Jo Van Bulck (edit)
Julian Stecklina (add twitter)
Thomas Prescher (add twitter)
Daniel Gruss (edit)
Ask The Authors

Ask the authors of this paper a question or leave a comment.

Read it. Rate it.
#1. Which part of the paper did you read?

#2. The paper contains new data or analyses that is openly accessible?
#3. The conclusion is supported by the data and analyses?
#4. The conclusion is of scientific interest?
#5. The result is likely to lead to future research?

Github
User:
Stargazers:
545
Forks:
69
Open Issues:
2
Network:
69
Subscribers:
30
Language:
C
Proof-of-concept for the ZombieLoad attack
Youtube
Link:
None (add)
Views:
0
Likes:
0
Dislikes:
0
Favorites:
0
Comments:
0
Other
Sample Sizes (N=):
Inserted:
Words Total:
Words Unique:
Source:
Abstract:
None
05/14/19 06:01PM
14,890
3,692
Tweets
takayaZ: https://t.co/Tnr94nYjI8 https://t.co/CnioABkbQS ぶくま
it4sec: ZombieLoad attack which uncovers a novel Meltdown-type effect in the processor's previously unexplored fill-buffer logic https://t.co/P9S7L1pJ07
cynicalsecurity: M. Schwarz et al., “ZombieLoad: Cross-Privilege-Boundary Data Sampling” […faulting load instructions may transiently dereference unauthorized destinations previously brought into the fill buffer by the current or a sibling logical CPU…] https://t.co/D7QG9BCGBY
Images
Related