Attacks on the newly-disclosed "MDS" hardware vulnerabilities in Intel CPUs
The RIDL and Fallout speculative execution attacks allow attackers to leak private data across arbitrary security boundaries on a victim system, for instance compromising data held in the cloud or leaking your data to malicious websites. Our attacks leak data by exploiting the 4 newly disclosed Microarchitectural Data Sampling (or MDS) side-channel vulnerabilities in Intel CPUs. Unlike existing attacks, our attacks can leak arbitrary in-flight data from CPU-internal buffers (Line Fill Buffers, Load Ports, Store Buffers), including data never stored in CPU caches. We show that existing defenses against speculative execution attacks are inadequate, and in some cases actually make things worse. Attackers can use our attacks to leak sensitive data despite mitigations, due to vulnerabilities deep inside Intel CPUs.
RIDL (Rogue In-Flight Data Load) shows attackers can exploit MDS vulnerabilities to mount practical attacks and leak sensitive data in real-world settings. By analyzing the impact on the CPU pipeline, we developed a variety of practical exploits leaking in-flight data from different internal CPU buffers (such as Line-Fill Buffers and Load Ports), used by the CPU while loading or storing data from memory.
We will present our paper on these attacks at the 40th IEEE Symposium on Security and Privacy, on May 20th 2019.
Fallout demonstrates that attackers can leak data from Store Buffers, which are used every time a CPU pipeline needs to store any data. Making things worse, an unprivileged attacker can then later pick which data they leak from the CPU's Store Buffer.
We show that Fallout can be used to break Kernel Address Space Layout Randomization (KASLR), as well as to leak sensitive data written to memory by the operating system kernel.
Ironically, the recent hardware countermeasures introduced by Intel in recent Coffee Lake Refresh i9 CPUs to prevent Meltdown make them more vulnerable to Fallout, compared to older generation hardware.
RIDL attacks were independently discovered and reported by:
Fallout attacks were independently discovered and reported by:
MDS-class vulnerabilities were also reported by (in alphabetical order):
Our attacks can leak confidential data across arbitrary security boundaries in real-world settings (cloud, browsers, etc.). The reason our attacks are impervious to all the existing defenses against speculative execution attacks is that they can leak in-flight data. Unlike other recent attacks such as Spectre, Meltdown, and Foreshadow which are based on vulnerabilities leaking data from the CPU caches, RIDL and Fallout collect data from internal CPU buffers (Line Fill Buffers, Load Ports, Store Buffers). Intel describes the exploited vulnerabilities as "Microarchitectural Data Sampling" (MDS) - where "sampling" is another way of saying that we can leak in-flight (or "sampled") data from many of these microarchitectural buffers. A total of 4 (MDS) CVEs were assigned by Intel for RIDL ([MFBDS] CVE-2018-12130, [MLPDS] CVE-2018-12127, [MDSUM] CVE-2019-11091) and Fallout ([MSBDS] CVE-2018-12126) exploits.
Most importantly, our research shows that what last year appeared to be exceptional one-time speculative execution bugs are actually systemic, and the problems in modern CPUs may go much deeper than we initially thought. If CPUs have become so complex that chip vendors cannot keep their security under control, hardware vulnerabilities will be the new hunting ground for sophisticated attackers. And we may have no idea how many zero-day hardware vulnerabilities are still up for grabs. If we can no longer trust our hardware, the foundation on which we build all security solutions is crumbling away.
Click on the various components to interact with them. The full interactive version can be found here and the raw SVG can be found here. There is also a more vibrant colored version (the one used in our paper), which can be found here. These diagrams have been made by Stephan van Schaik ( @themadstephan).
Very likely. Our attacks affect all modern Intel CPUs in servers, desktops and laptops. This includes the latest 9th-generation processors, despite their in-silicon mitigations for Meltdown. Ironically, 9th-generation CPUs are more vulnerable to some of our attacks compared to older generation hardware.
Processors from other vendors (AMD and ARM) do not appear to be affected. Official statements from these vendors can be found in the RIDL and Fallout papers.
Multiple teams and researchers independently discovered, studied, and reported MDS-class vulnerabilities and attacks to Intel. Unfortunately, the different timelines (see below), as well as the fine-grained vulnerability classification and embargo strategy enforced by Intel (which coordinated the disclosure process) made proper coordination across teams difficult. The year-long disclosure process (the longest to date) ultimately resulted in independent finders of even closely related MDS-class vulnerabilities to be completely unaware of one another until very late in the process.
At the same time, VUSec would like to thank Intel for sharing the full list of finders in advance -- which was crucial to give proper credit to everyone involved in the disclosure of MDS vulnerabilities in academia and industry -- and for allowing it to share information with all the other academic finders as of May 1. We made an effort to coordinate the different academic finders and present a unified message to the community and the public.
Unfortunately, as some teams felt unable to share their findings before the May 14 disclosure date, this effort was only partially successful, resulting in the present website (mdsattacks.com) presenting only the two independent RIDL and Fallout papers. See the timeline below for more information.
MDS attacks exploit hardware security flaws deep inside the processor and this makes malware that exploit MDS vulnerabilities very hard to distinguish from benign software. While anti-virus software could theoretically detect MDS exploits, it is very unlikely to happen in practice.
Intel has provided CPU microcode updates, and recommendations for mitigation strategies for operating system (and hypervisor) software. See Intel's Security Advisory for more details. We recommend you install the software updates provided by your operating system and/or hypervisor vendor.
In addition, we recommend disabling Simultaneous Multi-Threading (SMT), also known as Intel® Hyper-Threading Technology, which significantly reduces the impact of MDS-based attacks without the cost of more complex mitigations. Note that you might still be vulnerable despite disabling SMT, as MDS does not strictly rely on the presence of SMT.
A Virtual Machine (VM for short) is a software emulation of the computer's physical hardware. VMs are often used by clouds to allow customers to rent time on the cloud's physical hardware, rather than maintaining their own infrastructure. As clouds often run multiple VMs from different clients on the same physical hardware, it is important that cloud vendors maintain isolation between VM (security) boundaries.
To guarantee even stronger isolation (e.g., with protection against a compromised operating system), cloud providers can also run software inside secure (SGX) enclaves.
As shown in the RIDL paper, an attacker can exploit hardware security vulnerabilities inside the processor to break VM and SGX boundaries. However, countermeasures deployed by cloud providers resulting from our work should make MDS hard to exploit.
The kernel is the operating system core, and as such is responsible for most operations performed by the operating system. In particular, the kernel has access to all the data stored in the machine's memory, and to the secrets in it. As such, it is vital to properly isolate the kernel from other applications running on the machine.
Both the RIDL and Fallout attacks violate the kernel privacy by extracting information from within it. Moreover, both attacks can expose the kernel's location in the system's memory, simplifying other exploits.
RIDL and Fallout are related to, and inspired by, previous speculative execution attacks, including Spectre and Meltdown. In contrast to previous attacks, MDS attacks do not need to make assumptions about the memory layout of the victim data and do not depend on the processor cache.
This makes our attacks very difficult to mitigate. For instance, RIDL's ability to observe data used by other code running on the same physical core (hyperthread) is not trivial to mitigate without disabling the hyperthreading functionality entirely. However, note that both RIDL and Fallout can read recently accessed data across security boundaries even if hyperthreading is disabled.
A detailed analysis of the many existing speculative execution vulnerabilities, their relationship to each other and to RIDL and Fallout, can be found in the RIDL and Fallout papers.
Detailed information about these in-flight buffers can be found in the papers above.
As a quick preview, the first diagram below shows the relevant parts of Intel's CPU pipeline and the relationship to the Line Fill Buffers, Load Ports, and Store Buffers used by our attacks. All data read/written from/to memory goes through some of these buffers.
The second diagram shows an example of how we leak data from these buffers. We perform a carefully crafted speculative load to an address the CPU is not immediately prepared to handle (e.g., resulting in a page fault). This lures the CPU into incorrectly pulling in-flight data from the target buffers, and then similarly to other speculative execution attacks, we leak this data using a Flush+Reload attack before the CPU realizes the mistake.
While performing some experiments on a rainy Amsterdam day, we realized we were able to leak data across security boundaries. We knew we could leak arbitrary in-flight (the "I" in RIDL) data but the cause was initially a big riddle to us. We came to know we were leaking from various CPU buffers only later...
It is also a reference to Intel's formal name for Meltdown: RCDL (related to RIDL, but instead leaking "C"ached data).
Internally, we referred to RIDL (and MDS in general) as the `cat pictures' vulnerability. :)
We started working on Fallout imminently after Meltdown, and Fallouts are typically a direct consequence of Meltdowns.
The following is the fine-grained vulnerability classification adopted by Intel, together with their CVSS score (their rating of the severity of the bug):
CVE-2018-12126: "Microarchitectural Store Buffer Data Sampling (MSBDS)" (CVSS score 6.5: Medium). See the Fallout paper for more information.
CVE-2018-12127: "Microarchitectural Load Port Data Sampling (MLPDS)" (CVSS score 6.5: Medium). See the RIDL paper for more information.
CVE-2018-12130: "Microarchitectural Fill Buffer Data Sampling (MFBDS)" (CVSS score 6.5: Medium). See the RIDL paper for more information.
CVE-2019-11091: "Microarchitectural Data Sampling Uncacheable Memory (MDSUM)" (CVSS score 3.8: Low). See the RIDL paper for more information.
Kaveh Razavi will do the first public presentation of RIDL at the 1st AMSEC Workshop: Security in Diversity on May 15th at 14:15. Registration is free!
We will present our paper on RIDL at the 40th IEEE Symposium on Security and Privacy, on May 20th 2019 (Session #1: Hardware Security). In the meantime, have a look at our teaser video:
Based on the information shared with us by Intel and other finders.
The finders would also like to acknowledge all the other authors on the Fallout paper.