ZombieLoad: Cross Privilege-Boundary Data Leakage

ZombieLoad is a novel category of side-channel attack that we refer to as a data-sampling attack. It demonstrates that faulting load instructions can transiently expose private values of one Hyperthread sibling to the other. This new exploit is the result of a collaboration between Michael Schwarz, Daniel Gruss and Moritz Lipp from Graz University of Technology, Thomas Prescher and Julian Stecklina from Cyberus Technology, Jo Van Bulck from KU Leuven, and Daniel Moghimi from Worcester Polytechnic Institute.

In this article, we summarize the implications, shed light on the different attack scenarios across CPU privilege rings, OS processes, virtual machines, and SGX enclaves, and give advice on possible ways to mitigate such attacks.

Implications

A short summary of what this security vulnerability means:

  • By exploiting the CPU’s so-called bypass logic on return values of loads, it is possible to leak data across processes, privilege boundaries, Hyperthreads, as well as values that are loaded inside Intel SGX enclaves, and between VMs.
  • Code utilizing this exploit works on Windows, Linux, etc., as this is a hardware issue, not a software one.
  • It is possible to retrieve content that is currently being used by a Hyperthread sibling.
  • Even without Hyperthreading, it is possible to leak data out of other protection domains. During experimentation it turned out that ZombieLoad leaks survive serializing instructions. Such leaks do, however, work with lower probability and are harder to obtain.
  • Which data becomes visible after a faulting load is a CPU implementation detail.
  • Using Spectre v1 gadgets, potentially any value in memory can be leaked.
  • Affected software:
    • So far all versions of all operating systems (Microsoft Windows, Linux, MacOS, BSDs, …)
    • All hypervisors (VMWare, Microsoft HyperV, KVM, Xen, Virtualbox, …)
    • All container solutions (Docker, LXC, OpenVZ, …)
    • Code that uses secure SGX enclaves in order to protect critical data.
  • Affected CPUs:
    • Intel Core and Xeon CPUs
    • CPUs with Meltdown/L1TF mitigations are affected by fewer variants of this attack.
    • We were unable to reproduce this behavior on non-Intel CPUs and consider it likely that this is an implementation issue affecting only Intel CPUs.
  • Operating system or hypervisor software patches alone do not suffice for complete mitigation:
    • Similar to the L1TF exploit, effective mitigations require switching off SMT (Simultaneous MultiThreading, aka Hyperthreads) or making sure that trusted and untrusted code do not share physical cores.
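As an added example (not code from the original article or its authors), the following POSIX shell check reads the Linux kernel's SMT control entry and its MDS (ZombieLoad) vulnerability entry from sysfs and reports whether a host follows the advice above, i.e. whether the kernel mitigation is present and whether SMT is switched off. The two sysfs paths are real Linux interfaces; the verdict words and the sample status strings in the tests are this example's own constructions.

```shell
#!/bin/sh
# Added example: classify a Linux host's ZombieLoad/MDS exposure from
# the kernel's own sysfs reporting. Paths can be overridden for testing.
SMT_FILE="${SMT_FILE:-/sys/devices/system/cpu/smt/control}"
MDS_FILE="${MDS_FILE:-/sys/devices/system/cpu/vulnerabilities/mds}"

# Print the first line of a file, or a default when the file is absent
# (older kernels do not expose the MDS entry at all).
read_or_default() {
    if [ -r "$1" ]; then head -n 1 "$1"; else echo "$2"; fi
}

# zombieload_status SMT_STATE MDS_LINE -> prints one verdict word:
#   not_affected : kernel reports the CPU as not affected
#   full         : kernel mitigation present and SMT disabled (the advice above)
#   partial      : kernel mitigation present but siblings still share cores
#   unmitigated  : kernel reports the CPU as vulnerable
#   unknown      : no usable MDS entry (kernel too old or unreadable)
zombieload_status() {
    smt="$1"; mds="$2"
    case "$mds" in
        "Not affected") echo not_affected; return ;;
        Vulnerable*)    echo unmitigated;  return ;;
        Mitigation:*)   ;;
        *)              echo unknown;      return ;;
    esac
    # Mitigation is in place; now check whether SMT siblings can still
    # share a physical core (smt/control: on, off, forceoff, notsupported).
    case "$smt" in
        off|forceoff|notsupported) echo full ;;
        *)                         echo partial ;;
    esac
}

# Evaluate the running host.
check_host() {
    zombieload_status "$(read_or_default "$SMT_FILE" unknown)" \
                      "$(read_or_default "$MDS_FILE" unknown)"
}

check_host
```

A verdict of `partial` means the kernel-side buffer clearing is active but untrusted code may still run on the sibling thread of a trusted workload, which is exactly the case the article says software patches alone cannot cover.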
