
What is ZombieLoad, the new vulnerability in Intel processors?

The four new vulnerabilities in Intel processors disclosed under the name ZombieLoad can, according to the researchers, only be fully mitigated by disabling HyperThreading.

Four new vulnerabilities in Intel processors were disclosed yesterday, collectively named ZombieLoad. ZombieLoad is a novel Meltdown-type attack that targets the processor's fill-buffer logic. The researchers show that faulting load instructions can transiently forward data to unauthorized destinations: data that an earlier load or store had placed in the processor's line fill buffer.

They verified ZombieLoad across a large number of processors, operating systems, virtualization setups and SGX enclaves. The researchers evaluated several ways of mitigating the vulnerability and concluded that it can only be fully closed by disabling HyperThreading; this is the only mechanism that prevents this extremely strong attack on current processors.

What does the published paper tell us?

The paper presented by the researchers covers:

  • A presentation of ZombieLoad, a powerful data-sampling attack that leaks data accessed on the same physical core, including by the sibling HyperThread
  • The combination of incidental data sampling in the transient domain with techniques to build targeted information flows similar to regular Meltdown attacks
  • Demonstrations of ZombieLoad in several real-world scenarios: cross-process, cross-VM, user-to-kernel and SGX
  • A demonstration that ZombieLoad breaks the security guarantees provided by Intel SGX
  • Post-processing of the leaked data within the transient domain

The researchers also document the disclosure timeline in the paper:

  • On March 28, 2018, Intel was given a proof of concept leaking uncacheable memory from a sibling HyperThread.
  • On May 30, 2018, the researchers clarified to Intel that they attribute the leak to the line fill buffer (LFB). Their experiments show that it works identically for Foreshadow (Meltdown-P), undermining the completeness of the L1-cache-flush mitigations. Intel acknowledged the issue and assigned it CVE-2019-11091.
  • On April 12, 2019 the attack was reported to Intel as a proof of concept; Intel acknowledged and verified it. It is listed as CVE-2018-12130.
  • The embargo ended on May 14, 2019.

The Meltdown precedent

The Meltdown vulnerability in Intel processors was discovered in 2017 and published in 2018. It was the first attack to break security isolation by exploiting the microarchitecture: it lets data leak from the kernel into user space.

Meltdown was mitigated by stronger isolation between user space and the kernel. Its lasting consequence, however, was to open the door to a whole class of transient-execution attacks.

Over the last year, researchers have shown that Meltdown-type attacks do not only leak kernel data into user space. They also leak data across processes, across virtual machines and out of SGX enclaves.

The leaked data does not only come from the L1 cache. Other microarchitectural elements leak as well, such as the register file, the line fill buffer and the store buffer.

Instruction flow in modern processors

Modern processors execute instructions out of order while preserving architectural equivalence, which creates the illusion that the machine executes them in program order. An instruction that faults is detected when it is about to retire, and the exception is raised at that point so that the instruction never takes architectural effect.

The instructions that follow the faulting instruction (the transient instructions) are rolled back. This rollback guarantees that they leave no architectural effects, but their side effects can remain in the microarchitectural state, for example in the cache. Meltdown-type data leaks exploit precisely these performance optimizations of out-of-order execution.

Lack of microarchitectural security research

For years the microarchitectural state was considered invisible to applications, and security considerations were limited to the architectural state. In other words, research focused on the architectural level and hardly looked at the microarchitectural level at all. The microarchitecture itself does not distinguish between different applications or privilege levels.

In the paper the researchers first ask whether there are still unexplored microarchitectural buffers, and second exploit both architectural faults and microarchitectural faults.

A microarchitectural fault means that a memory request is re-issued internally without this being visible from an architectural point of view. This shows that Meltdown-type attacks can be mounted without raising an architectural exception such as a page fault.

ZombieLoad rationale

The ZombieLoad researchers mount a Meltdown-type attack that targets the fill-buffer logic. ZombieLoad exploits load instructions that have to be re-issued internally: before they are re-issued, stale values left behind by previous memory operations, from the current or the sibling logical core, can be transiently computed on.

Using transient-execution techniques, an attacker can recover these 'zombie' values picked up by load operations. Notably, unlike all previously known transient-execution attacks, ZombieLoad leaks recently loaded data without any explicit address-based selector.

ZombieLoad can therefore be considered a new microarchitectural data sampling (MDS) attack. Data sampling is the missing link between conventional side-channel attacks and Meltdown-type attacks.

Side-channel attacks map which addresses a victim accesses during its execution, while existing Meltdown-type transient-execution attacks retrieve values directly from an explicitly chosen address.

Attacks on Intel processors

The paper demonstrates the implications of this kind of attack in a multitude of practical scenarios, leaking across processes, across privilege boundaries and even across the logical cores of a processor.

The researchers show that data loaded by an Intel SGX enclave on a sibling logical core can be leaked. With a ZombieLoad attack of this kind they extract the sealing keys of Intel's architectural quoting enclave, which ultimately breaks SGX remote attestation and confidentiality.

It is not limited to native code; it also works across virtualization boundaries. This allows attacks not only on the hypervisor kernel hosting a virtual machine, but also on virtual machines running on sibling logical cores.

The researchers therefore conclude that disabling HyperThreading, in addition to flushing several microarchitectural states on context switches, is the only thing that can be done to prevent this powerful attack.

ZombieLoad variants

A zombie load is a load that triggers a microcode assist and transiently produces stale data; the researchers call such loads 'zombie loads'. Zombie loads are loads that fault architecturally or microarchitecturally, so they cannot complete and have to be re-issued later. The paper identifies several scenarios for creating zombie loads for a successful attack. The variants have in common that they abuse the clflush instruction to reliably create the conditions needed for the leak.

Variant 1: Kernel mapping

The first variant of ZombieLoad does not require any specific processor feature. It only needs a kernel virtual address, that is, an address whose page-table entry does not have the user-accessible bit set.

In the test a 2 MB page was used. This does not mean a huge page is needed to exploit the vulnerability; it also works with 4 KB pages. What is required is that the user has read access to the contents of the same physical page through a different, user-accessible virtual address.

The user-accessible virtual address provides an architecturally valid way of accessing the page's contents. Accessing the same page through the kernel address is a zombie load: like Meltdown, it faults and requires a microcode assist.

There are different ways to construct such address pairs, but the researchers only exploited those originating from the kernel's own mappings.

Variant 2: Microcode-assisted page-table walk

The second variant triggers a microcode-assisted page-table walk. A page-table walk needs a microcode assist whenever it has to update the accessed or dirty bit of the page-table entry.

This variant requires a physical page that is mapped at two virtual addresses. That is easily achieved with a shared memory segment or a memory-mapped file that is mapped twice in the same application.

The first virtual address is used to access the page contents architecturally. For the second, the accessed bit in its page-table entry has to be cleared. Linux does not allow an unprivileged attacker to do this, so on Linux the attack is only available to a privileged attacker. Windows 10 (1803, build 17134.706), however, was found to periodically clear the accessed bits.

The researchers determined that it is the page-replacement algorithm that clears them. On Windows the attack through the page table is therefore also available to unprivileged users.

When the page is accessed through the second virtual address, the accessed bit of its page-table entry must be set. The page-miss handler cannot do this on its own: from a microarchitectural point of view the load faults and a microcode assist is triggered, which repeats the page-table walk and sets the accessed bit.

If the second address is only ever accessed transiently, that is, behind a mispredicted branch or after an exception, the accessed bit is never set. The leak can therefore be exploited not just once but repeatedly, giving unlimited leakage from the same location.
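The double mapping that variant 2 starts from, as an added example that is not code from the ZombieLoad paper: one backing page (an unlinked temporary file here; a shared memory segment or memfd behaves the same) is mapped at two virtual addresses, and a write through the first address is checked through the second. The MAP_PRIVATE run is included because it is the pitfall a practitioner hits: copy-on-write gives the written mapping its own page, so the two addresses stop aliasing and the precondition is lost. Clearing the accessed bit of the second mapping, which the text says needs privileges on Linux, is deliberately not done here. The file name prefix and byte pattern are arbitrary choices of this example.

```c
/* alias_map.c: map one page at two virtual addresses and check that
 * they alias. Added example, not from the ZombieLoad paper.
 * Build: cc -std=c11 -Wall alias_map.c -o alias_map */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>

/* Backing object for the page that will be mapped twice. The file is
 * unlinked at once; the descriptor keeps it alive. (Name prefix is an
 * arbitrary choice of this example.) */
static int make_backing_page(size_t len)
{
    char path[] = "/tmp/zl-alias-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);
    if (ftruncate(fd, (off_t)len) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Map the backing page twice with the given mmap flags, write a byte
 * pattern through mapping A and read it back through mapping B.
 * Returns 1 if B sees the write (A and B alias one physical page),
 * 0 if it does not, -1 on error. */
int alias_test(int map_flags)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return -1;
    size_t len = (size_t)page;
    int fd = make_backing_page(len);
    if (fd < 0)
        return -1;

    unsigned char *a = mmap(NULL, len, PROT_READ | PROT_WRITE, map_flags, fd, 0);
    unsigned char *b = mmap(NULL, len, PROT_READ | PROT_WRITE, map_flags, fd, 0);
    int result = -1;
    if (a != MAP_FAILED && b != MAP_FAILED) {
        memset(a, 0xA5, 64);                        /* write via address A */
        result = (b[0] == 0xA5 && b[63] == 0xA5);   /* visible via address B? */
    }
    if (a != MAP_FAILED)
        munmap(a, len);
    if (b != MAP_FAILED)
        munmap(b, len);
    close(fd);
    return result;
}

/* The two cases worth comparing: shared mappings alias, private
 * mappings stop aliasing as soon as one of them is written. */
int shared_mappings_alias(void)  { return alias_test(MAP_SHARED); }
int private_mappings_alias(void) { return alias_test(MAP_PRIVATE); }

int main(void)
{
    printf("MAP_SHARED  x2: %s\n", shared_mappings_alias() == 1
           ? "alias (one physical page, two virtual addresses)"
           : "no alias");
    printf("MAP_PRIVATE x2: %s\n", private_mappings_alias() == 1
           ? "alias"
           : "no alias (copy-on-write gave the written mapping its own page)");
    return 0;
}
```

The shared case is the layout the text describes: two virtual addresses, one physical page, so a zombie load through the second address and an architectural read through the first refer to the same data.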

Processors used in the study

The ZombieLoad variants were evaluated in different environments, on processors from Sandy Bridge (released in 2012) up to Cascade Lake (released in 2019). The researchers mounted attacks with both variants. According to their table, variant 2 did not affect the Whiskey Lake, Coffee Lake Refresh and Cascade Lake-SP processors.

[Table: Intel processors tested in the ZombieLoad paper and the variants that affect them]

Note: one processor per Intel 14 nm microarchitecture was used as representative of the whole processor family. Whiskey Lake, Coffee Lake Refresh and Cascade Lake-SP are the newer processors supposedly immune to Meltdown.

Conclusion

ZombieLoad is a novel Meltdown-type attack that targets the processor's fill-buffer logic. It allows an attacker to leak values recently loaded by the current or the sibling logical core. The researchers demonstrate leakage from user space across processes, across virtual machines and out of SGX enclaves.

The power of the attack is shown by monitoring browser behaviour, extracting AES keys, establishing a cross-VM covert channel and recovering SGX sealing keys. The researchers conclude that the only way to mitigate ZombieLoad is to disable HyperThreading.
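A practical check for the mitigation stated above and in the section on attacks: the Linux kernel reports its MDS status under /sys/devices/system/cpu/vulnerabilities/mds (strings such as "Not affected", "Vulnerable", "Mitigation: Clear CPU buffers; SMT vulnerable") and whether sibling hyperthreads are active under /sys/devices/system/cpu/smt/control ("on", "off", "forceoff", "notsupported", "notimplemented"). The program below, an added example that is neither the paper's nor Intel's code, classifies those two strings and flags the case the researchers warn about: buffers are flushed on context switches but HyperThreading is still enabled, so a sibling thread can still sample. The verdict names and the decision to treat "notimplemented" as exposed are this example's own choices.

```c
/* mds_check.c: classify a Linux system's ZombieLoad/MDS exposure from
 * the kernel's sysfs reports. Added example, not from the paper or Intel.
 * Build: cc -std=c11 -Wall mds_check.c -o mds_check */
#include <stdio.h>
#include <string.h>

enum mds_verdict {
    MDS_NOT_AFFECTED,           /* kernel says the CPU is not affected */
    MDS_MITIGATED_NO_SIBLING,   /* buffers flushed and no sibling thread can sample */
    MDS_MITIGATED_SMT_EXPOSED,  /* buffers flushed, but HyperThreading still on */
    MDS_VULNERABLE,             /* no effective mitigation in place */
    MDS_UNKNOWN                 /* kernel does not report, or unrecognised text */
};

/* mds: text of /sys/devices/system/cpu/vulnerabilities/mds
 * smt: text of /sys/devices/system/cpu/smt/control */
enum mds_verdict classify_mds(const char *mds, const char *smt)
{
    if (strncmp(mds, "Not affected", 12) == 0)
        return MDS_NOT_AFFECTED;
    if (strncmp(mds, "Vulnerable", 10) == 0)
        return MDS_VULNERABLE;
    if (strncmp(mds, "Mitigation:", 11) != 0)
        return MDS_UNKNOWN;

    /* The kernel appends its own view of SMT to the mds line; use it first. */
    if (strstr(mds, "SMT disabled") || strstr(mds, "SMT mitigated"))
        return MDS_MITIGATED_NO_SIBLING;
    if (strstr(mds, "SMT vulnerable") || strstr(mds, "SMT Host state unknown"))
        return MDS_MITIGATED_SMT_EXPOSED;

    /* Otherwise fall back on the SMT control knob. "notimplemented" means
     * the kernel cannot tell, so it is treated as exposed (example's choice). */
    if (strncmp(smt, "off", 3) == 0 || strncmp(smt, "forceoff", 8) == 0 ||
        strncmp(smt, "notsupported", 12) == 0)
        return MDS_MITIGATED_NO_SIBLING;
    return MDS_MITIGATED_SMT_EXPOSED;
}

const char *verdict_text(enum mds_verdict v)
{
    switch (v) {
    case MDS_NOT_AFFECTED:          return "not affected";
    case MDS_MITIGATED_NO_SIBLING:  return "mitigated, HyperThreading off or absent";
    case MDS_MITIGATED_SMT_EXPOSED: return "buffers flushed but HyperThreading still on: sibling thread can sample";
    case MDS_VULNERABLE:            return "VULNERABLE";
    default:                        return "unknown (old kernel or unrecognised report)";
    }
}

/* Read the first line of a sysfs file; leaves buf empty if unreadable. */
static void read_line(const char *path, char *buf, size_t n)
{
    buf[0] = '\0';
    FILE *f = fopen(path, "r");
    if (!f)
        return;
    if (fgets(buf, (int)n, f))
        buf[strcspn(buf, "\n")] = '\0';
    fclose(f);
}

int main(void)
{
    char mds[256], smt[64];
    read_line("/sys/devices/system/cpu/vulnerabilities/mds", mds, sizeof mds);
    read_line("/sys/devices/system/cpu/smt/control", smt, sizeof smt);
    printf("mds:         %s\n", mds[0] ? mds : "(not reported)");
    printf("smt/control: %s\n", smt[0] ? smt : "(not reported)");
    printf("verdict:     %s\n", verdict_text(classify_mds(mds, smt)));
    return 0;
}
```

If the verdict is the "still on" case, HyperThreading can be turned off at runtime by writing off to /sys/devices/system/cpu/smt/control as root, or permanently with the nosmt (or mds=full,nosmt) kernel boot parameter; the buffer flush the kernel refers to in the "Mitigation" line additionally depends on an updated microcode.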


Robert Sole
