Fallout: Reading Kernel Writes From User Space
Abstract
Recently, out-of-order execution, an important performance optimization in modern high-end processors, has been revealed to pose a significant security threat, allowing information leaks across security domains. In particular, the Meltdown attack leaks information from the operating system kernel to user space, completely eroding the security of the system. To address this and similar attacks, without incurring the performance costs of software countermeasures, Intel includes hardware-based defenses in its recent Coffee Lake R processors. In this work, we show that the recent hardware defenses are not sufficient. Specifically, we present Fallout, a new transient execution attack that leaks information from a previously unexplored microarchitectural component called the store buffer. We show how unprivileged user processes can exploit Fallout to reconstruct privileged information recently written by the kernel. We further show how Fallout can be used to bypass kernel address space randomization. Finally, we identify and explore microcode assists as a hitherto ignored cause of transient execution. Fallout affects all processor generations we have tested. However, we notice a worrying regression, where the newer Coffee Lake R processors are more vulnerable to Fallout than older generations.
Keywords
Cite
@article{arxiv.1905.12701,
title = {Fallout: Reading Kernel Writes From User Space},
author = {Marina Minkin and Daniel Moghimi and Moritz Lipp and Michael Schwarz and Jo Van Bulck and Daniel Genkin and Daniel Gruss and Frank Piessens and Berk Sunar and Yuval Yarom},
journal= {arXiv preprint arXiv:1905.12701},
year = {2019}
}