Fallout: leaking data on meltdown-resistant CPUs

Authors

Claudio Canella, Daniel Genkin, Lukas Giner, Daniel Gruss, Moritz Lipp, Marina Minkin, Ahmad Moghimi, Frank Piessens, Michael Schwarz, Berk Sunar, Jo Van Bulck and Yuval Yarom

University of Michigan

DATA61

Graz University of Technology

KU Leuven

Worcester Polytechnic Institute

The University of Adelaide

Abstract

Meltdown and Spectre enable arbitrary data leakage from memory via various side channels. Short-term software mitigations for Meltdown are only a temporary solution with a significant performance overhead. Due to hardware fixes, these mitigations are disabled on recent processors. In this paper, we show that Meltdown-like attacks are still possible on recent CPUs which are not vulnerable to Meltdown. We identify two behaviors of the store buffer, a microarchitectural resource to reduce the latency for data stores, that enable powerful attacks. The first behavior, Write Transient Forwarding, forwards data from stores to subsequent loads even when the load address differs from that of the store. The second, Store-to-Leak, exploits the interaction between the TLB and the store buffer to leak metadata on store addresses. Based on these, we develop multiple attacks and demonstrate data leakage, control flow recovery, and attacks on ASLR. Our paper shows that Meltdown-like attacks are still possible, and software fixes with potentially significant performance overheads are still necessary to ensure proper isolation between the kernel and user space.

BibTeX Entry

  @inproceedings{Canella_GGGLMMPSSVY_19,
    author           = {Canella, Claudio and Genkin, Daniel and Giner, Lukas and Gruss, Daniel and Lipp, Moritz and Minkin,
                        Marina and Moghimi, Ahmad and Piessens, Frank and Schwarz, Michael and Sunar, Berk and Van Bulck, Jo
                        and Yarom, Yuval},
    month            = nov,
    date             = {2019-11-13},
    year             = {2019},
    title            = {Fallout: Leaking Data on Meltdown-resistant {CPUs}},
    address          = {London, UK},
    pages            = {769-784},
    booktitle        = {ACM Conference on Computer and Communications Security},
    publisher        = {ACM}
  }
