[Paper Summary] Fallout: Reading Kernel Writes From User Space
Fallout is a transient execution attack that leaks data written by the kernel into user space through the store buffer (not a cache-line buffer), bypassing Meltdown-style hardware defenses and enabling both kernel data leakage and KASLR derandomization.
Recently, out-of-order execution, an important performance optimization in modern high-end processors, has been revealed to pose a significant security threat, allowing information leaks across security domains. In particular, the Meltdown attack leaks information from the operating system kernel to user space, completely eroding the security of the system. To address this and similar attacks, without incurring the performance costs of software countermeasures, Intel includes hardware-based defenses in its recent Coffee Lake R processors. In this work, we show that the recent hardware defenses are not sufficient. Specifically, we present Fallout, a new transient execution attack that leaks information from a previously unexplored microarchitectural component called the store buffer. We show how unprivileged user processes can exploit Fallout to reconstruct privileged information recently written by the kernel. We further show how Fallout can be used to bypass kernel address space randomization. Finally, we identify and explore microcode assists as a hitherto ignored cause of transient execution. Fallout affects all processor generations we have tested. However, we notice a worrying regression, where the newer Coffee Lake R processors are more vulnerable to Fallout than older generations.
Research Motivation and Goals
- Extend the understanding of transient execution attacks beyond Meltdown and Foreshadow.
- Demonstrate a novel vulnerability in store-to-load forwarding from the store buffer, which the paper calls Write Transient Forwarding (WTF), that leaks privileged data.
- Show how Fallout reconstructs recently written kernel data from user space and derandomizes kernel addresses.
- Assess the impact across Intel microarchitectures and identify microcode assists as a further trigger of transient execution.
Proposed Method
- Describe the WTF (Write Transient Forwarding) optimization in the store buffer.
- Explain how a faulting load transiently receives the value of a preceding store when the two addresses only partially match.
- Demonstrate exploitation via a fault-inducing load combined with a cache covert channel (Flush+Reload).
- Characterize how the behaviour depends on the microarchitecture (pre-Coffee Lake R vs. Coffee Lake R).
- Experimentally measure the store buffer size and how hyper-threading partitions the store buffer.
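The following is an added example, not code from the paper or its authors: a small C model of the store-buffer matching behaviour described above, showing why a faulting load whose address merely shares a page offset with a pending kernel store can observe that store's data, and how a Flush+Reload-style probe array then turns the transient value into an architectural one. It assumes that the partial match is on the low 12 bits (the page offset; the summary only says "partial"), that each store buffer entry holds one byte, and that the buffer holds 56 entries as the summary reports for Skylake-era cores. The names `sb_store`, `sb_load`, `alias_address` and `fallout_leak` and all addresses are hypothetical; nothing here touches real hardware.

```c
/* Added example: software model of the Fallout/WTF forwarding condition.
 * Assumptions (not from the page): partial match = low 12 bits, one byte per
 * store-buffer entry, 56 entries (the size the page reports). */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define SB_ENTRIES 56
#define PAGE_OFFSET_MASK 0xfffULL

struct sb_entry { uint64_t addr; uint8_t data; };

/* e[0] is the oldest pending store, e[count-1] the youngest. */
struct store_buffer { struct sb_entry e[SB_ENTRIES]; unsigned count; };

static void sb_init(struct store_buffer *sb) { memset(sb, 0, sizeof *sb); }

/* A store (here: the kernel writing a secret) waits in the store buffer until
 * it retires. When the buffer is full the oldest entry commits and leaves. */
static void sb_store(struct store_buffer *sb, uint64_t addr, uint8_t data)
{
    if (sb->count == SB_ENTRIES) {
        memmove(&sb->e[0], &sb->e[1], (SB_ENTRIES - 1) * sizeof sb->e[0]);
        sb->count--;
    }
    sb->e[sb->count].addr = addr;
    sb->e[sb->count].data = data;
    sb->count++;
}

struct load_result { bool forwarded; uint8_t data; };

/* Model of a load checked against pending stores, youngest first.
 * `faults` marks a load that will be squashed (e.g. a user-mode load from an
 * inaccessible address). Before the load is fully translated only the page
 * offset is compared; a non-faulting load is later checked against the full
 * address, so a false partial match is corrected. A faulting load never
 * reaches that check: the partially matched store's data is what the
 * transient load sees (the WTF behaviour the paper exploits). */
static struct load_result sb_load(const struct store_buffer *sb, uint64_t addr, bool faults)
{
    struct load_result r = { false, 0 };
    for (int i = (int)sb->count - 1; i >= 0; i--) {
        const struct sb_entry *s = &sb->e[i];
        if ((s->addr & PAGE_OFFSET_MASK) != (addr & PAGE_OFFSET_MASK))
            continue;                       /* no partial match at all */
        if (!faults && s->addr != addr)
            continue;                       /* full check rejects the alias */
        r.forwarded = true;
        r.data = s->data;
        return r;
    }
    return r;
}

/* Attacker-side address choice: keep the victim's page offset, pick a page
 * the attacker cannot access so the load faults. */
static uint64_t alias_address(uint64_t faulting_page, uint64_t victim_addr)
{
    return (faulting_page & ~PAGE_OFFSET_MASK) | (victim_addr & PAGE_OFFSET_MASK);
}

/* Minimal Flush+Reload model: one probe line per possible byte value. */
struct probe_array { bool cached[256]; };

static int probe_reload(const struct probe_array *p)
{
    for (int v = 0; v < 256; v++)
        if (p->cached[v]) return v;         /* the cached line encodes the byte */
    return -1;
}

/* One Fallout round in the model: flush, faulting aliased load, transient
 * probe access, reload. Returns the recovered byte, or -1 if nothing leaked. */
static int fallout_leak(const struct store_buffer *sb, uint64_t faulting_page, uint64_t kernel_addr)
{
    struct probe_array probe;
    memset(&probe, 0, sizeof probe);        /* Flush */
    struct load_result r = sb_load(sb, alias_address(faulting_page, kernel_addr), true);
    if (r.forwarded)
        probe.cached[r.data] = true;        /* transient access leaves a footprint */
    /* the fault is delivered or suppressed here; registers are unchanged */
    return probe_reload(&probe);            /* Reload */
}

int main(void)
{
    struct store_buffer sb;
    sb_init(&sb);
    sb_store(&sb, 0xffffffff81a00123ULL, 0x42);          /* kernel writes a secret */
    printf("leaked byte: 0x%02x\n", fallout_leak(&sb, 0x00007ffd12340000ULL, 0xffffffff81a00123ULL));
    printf("wrong offset: %d\n", fallout_leak(&sb, 0x00007ffd12340000ULL, 0xffffffff81a00124ULL));
    return 0;
}
```

The model also shows why the attack is limited to what is still in the store buffer: once enough younger stores have been issued, the target entry has drained and the aliased load finds nothing.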
Experimental Results
Research Questions
- RQ1: Can unprivileged user processes read data recently written by the kernel using the WTF optimization?
- RQ2: Do hardware defenses (Meltdown-style mitigations) protect against Fallout across Intel generations?
- RQ3: Can Fallout derandomize Kernel Address Space Layout Randomization (KASLR)?
- RQ4: How do the microarchitecture and microcode assists influence the viability of Fallout across CPU generations?
Main Findings
- Fallout exploits the store buffer and Write Transient Forwarding (WTF) to make values written by the kernel readable from user space.
- Coffee Lake R shows a regression: on that generation certain fault-suppression mechanisms are required for WTF to leak, unlike earlier generations.
- The attack can derandomize kernel addresses, defeating KASLR.
- On Skylake-era microarchitectures the measured store buffer size is consistent with 56 entries, and partitioning between hyper-threads was confirmed.
- Microcode assists can trigger transient execution independently of faulting exceptions, broadening the potential attack surface.
This summary was generated by AI and reviewed by human editors.