Since 2018, we have seen an alarming wave of Meltdown-type attacks: from the original Meltdown, which broke kernel isolation, via Foreshadow, which broke virtual-machine and SGX enclave isolation, to most recently ZombieLoad, which broke essentially all of these boundaries. All of these attacks exploit CPU vulnerabilities to leak data, undermining essentially every confidentiality guarantee the CPU provides. Fortunately, countermeasures, in hardware or in software, are already widely deployed and prevent these attacks from being exploited.
In this talk, we show that despite all of these countermeasures, the Meltdown effect can be turned around to inject attacker-controlled data into the microarchitectural state of any application. This technique, called Load Value Injection (LVI), smuggles the attacker's data through hidden processor buffers into a victim program and allows hijacking of both transient control flow and transient data flow. By forcing a (microarchitectural) fault in the victim, the attacker makes the victim transiently compute on maliciously injected data. This is especially severe for trusted execution environments such as Intel SGX, where the attacker has full control of the operating system: there, adversaries can easily trigger a fault in the victim and leak arbitrary enclave secrets. We show that this can be exploited on all CPUs that were affected by some variant of Meltdown. As a result, we bypass existing Meltdown countermeasures, arbitrarily change control flow, and make the application work on attacker-controlled data.
We outline the drastic consequences for affected CPUs. After nearly one year of embargo, fully mitigating our attacks requires serializing the processor pipeline with memory fence instructions after potentially every memory load. Even worse, because of implicit loads on some architectures, specific instructions have to be blacklisted, including the ubiquitous x86 ret instruction. Intel's compiler mitigations lead to slowdowns by a factor of 2 to 19. In a demo, we show how LVI can be used to leak a cryptographic key.
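What "a memory fence after potentially every load" looks like at source level, as an added example in C with GNU inline assembly. This is illustrative code written for this page, not code from the talk, the paper, or Intel's compiler; the gadget, the lookup table and the demo helper are constructed, and the non-x86 fallback is an assumption made only so the file builds everywhere. The example shows the mitigation pattern; it does not trigger a fault and does not reproduce the leakage itself.

```c
/* Added example (not code from the talk or the LVI authors): the
 * "lfence after every load" pattern. Gadget and table are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
/* lfence serializes: no later instruction executes, even transiently, until
 * the preceding load has retired with its architectural value. */
#define LVI_FENCE() __asm__ __volatile__("lfence" ::: "memory")
#else
/* Assumption for portability of this example only: on non-x86 targets a plain
 * compiler barrier is substituted so the file still builds and runs. */
#define LVI_FENCE() __asm__ __volatile__("" ::: "memory")
#endif

#define TABLE_LEN 16
/* Constructed stand-in for enclave data: entry i holds i * 17. */
static const uint8_t secret_table[TABLE_LEN] = {
    0, 17, 34, 51, 68, 85, 102, 119, 136, 153, 170, 187, 204, 221, 238, 255
};

/* LVI gadget, unmitigated: the index read from *idx_ptr feeds a dependent
 * memory access. If the attacker can make that first load fault (in the SGX
 * setting the attacker controls the OS, and with it the page tables), the
 * faulting load transiently yields attacker-chosen data, and both the bounds
 * check and the table access run on that injected index before the fault is
 * architecturally raised. */
uint8_t lookup_unmitigated(const size_t *idx_ptr)
{
    size_t idx = *idx_ptr;            /* injectable load */
    if (idx >= TABLE_LEN)
        return 0;
    return secret_table[idx];         /* transiently consumes injected idx */
}

/* Mitigated version: a fence directly after the load. Everything after it
 * waits for the load to retire, so only the architectural value of idx can
 * ever reach the bounds check and the dependent access. The compiler
 * mitigation inserts the equivalent after potentially every load, which is
 * where the factor 2 to 19 slowdown quoted above comes from. The x86 ret
 * instruction performs an implicit load of the return address and cannot be
 * fenced this way; the mitigation rewrites it to "pop %reg; lfence;
 * jmp *%reg" instead (not shown here). */
uint8_t lookup_mitigated(const size_t *idx_ptr)
{
    size_t idx = *idx_ptr;
    LVI_FENCE();                      /* serialize before any dependent use */
    if (idx >= TABLE_LEN)
        return 0;
    return secret_table[idx];
}

/* Store idx in memory and run one of the two variants on it, so the lookup
 * really goes through a load from memory as in the gadget. */
uint8_t demo(size_t idx, int mitigated)
{
    static volatile size_t slot;      /* volatile: keep the load in place */
    slot = idx;
    return mitigated ? lookup_mitigated((const size_t *)&slot)
                     : lookup_unmitigated((const size_t *)&slot);
}

int main(void)
{
    printf("idx 5:   unmitigated %d, mitigated %d\n", demo(5, 0), demo(5, 1));
    printf("idx 100: unmitigated %d, mitigated %d\n", demo(100, 0), demo(100, 1));
    return 0;
}
```

The fence sits between the load and its first dependent use; architecturally both variants return the same values, which is the whole point, since the difference only exists in transient execution. Toolchains expose the same transformation as options, for example GNU as's -mlfence-after-load=yes and -mlfence-before-ret=... and LLVM's -mlvi-hardening; these option names are given from memory rather than from the talk, so check your toolchain's documentation before relying on them.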
For more information about our work, including demo videos and a trailer, see:
A technical paper about this work appeared at IEEE S&P 2020 and is available here: