information about a new class of attacks (Load Value Injection, ) to the speculative execution mechanism in Intel CPUs, which can be used to leak keys and secrets from Intel SGX enclaves and other processes.
A new class of attacks is based on manipulations with the same microarchitectural structures as in attacks (Microarchitectural Data Sampling), . At the same time, new attacks are not blocked by existing methods of protection against Meltdown, Specter, MDS and other similar attacks. Effective protection against LVI requires hardware modifications to the CPU. When organizing protection programmatically, by adding the LFENCE instruction by the compiler after each memory load operation and replacing the RET instruction with POP, LFENCE and JMP, too much overhead is fixed - according to researchers, full software protection will lead to a decrease in performance by 2-19 times.
Partially, the difficulty of blocking the problem is compensated by the fact that at present the attack is more theoretical than practical (the attack is theoretically possible, but very difficult to implement and reproducible only in synthetic tests).
Intel the problem has a moderate level of danger (5.6 out of 10) and updating the firmware and SDK for the SGX environment, in which it tried to block the execution of the attack by a roundabout way. The proposed attack methods are currently applicable only to Intel processors, but the possibility of LVI adaptation for other processors, to which Meltdown class attacks are applicable, is not ruled out.
The problem was identified in April last year by researcher Jo Van Bulck from the University of Leuven, after which, with the participation of 9 researchers from other universities, five basic attack methods were developed, each of which allows the existence of more specific . Regardless, in February of this year, Bitdefender researchers also one of the variants of the LVI attack and reported it to Intel. Attack variants differ in the use of various microarchitectural structures, such as the storage buffer (SB, Store Buffer), the fill buffer (LFB, Line Fill Buffer), the FPU context switch buffer, and the first level cache (L1D), previously used in such attacks as , , , , ΠΈ .
The basic one The LVI from MDS attacks is that MDS manipulates the definition of the contents of microarchitectural structures remaining in the cache after speculative exception handling (fault) or load and store operations, while
LVI attacks make it possible to achieve the substitution of the attacker's data into microarchitectural structures in order to influence the subsequent speculative execution of the victim's code. Using these manipulations, an attacker can extract the contents of private data structures in other processes while executing certain code on the target CPU core.
For in the code of the victim process special code sequences (gadgets) in which an attacker-controlled value is loaded, and loading this value causes an exception (fault, abort, or assist) to be thrown that discards the result and re-executes the instruction. When handling an exception, a speculative window occurs, during which the data being processed in the gadget is leaked. In particular, the processor starts executing a piece of code (gadget) in the speculative mode, then determines that the prediction was not justified and rolls back the operations to their original state, but the data processed in the process of speculative execution settles in the L1D cache and microarchitectural buffers and is available for extraction from them with using well-known methods for determining residual data through third-party channels.
The "assist" exception, unlike the "fault" exception, is handled internally by the processor without calling software handlers. Assist can occur, for example, when you need to update the A (Accessed) or D (Dirty) bit in the memory page table. The main difficulty in attacking other processes is how to trigger the occurrence of assist by manipulating the victim's process. Currently there are no reliable ways to do this, but in the future they are not ruled out. The possibility of an attack has so far been confirmed only for Intel SGX enclaves, the rest of the scenarios are theoretical or reproducible in synthetic conditions (requires adding certain gadgets to the code)
Possible attack vectors:
- Leakage of data from kernel structures to a user-level process. The Linux kernel's Specter 1 attack protection and SMAP (Supervisor Mode Access Prevention) protection mechanism significantly reduce the likelihood of an LVI attack. Adding additional security to the kernel may be required as simpler methods of LVI attacks are discovered in the future.
- Data leakage between different processes. The attack requires the presence of certain code fragments in the application and the definition of a method for throwing an exception in the target process.
- Leakage of data from the host environment to the guest system. The attack is categorized as too complex, requiring various hard-to-implement steps and predictions of activity in the system.
- Data leak between processes in different guest systems. The attack vector is close to organizing a data leak between different processes, but additionally requires complex manipulations to bypass isolation between guest systems.
Researchers published with a demonstration of the principles of the attack, but they are not yet suitable for real attacks. The first example allows you to redirect speculative code execution in the victim process, similar to return-oriented programming (, Return-Oriented Programming). In this example, a specially prepared process containing the necessary gadgets acts as a victim (it is difficult to apply an attack to real third-party processes). The second example allows you to wedge into the calculations when encrypting AES inside the Intel SGX enclave and organize data leakage during the speculative execution of instructions to restore the value of the key used for encryption.
Source: opennet.ru