2019-11-09, 14:30–14:55, Red Day
Meltdown (BlackHat USA 2018) was the first instance of a hardware vulnerability which broke the security guarantees of modern CPUs. Meltdown allowed attackers to leak arbitrary memory by exploiting that Intel CPUs use lazy fault handling and continue transient execution with data retrieved by faulting loads. With stronger kernel isolation, a software workaround to prevent Meltdown attacks, and new CPUs with this vulnerability fixed, Meltdown seemed to be a solved issue.
In this talk, we show that Meltdown is still an issue, on current off-the-shelf CPUs. We present ZombieLoad, a Meltdown-type attack which leaks data across multiple privilege boundaries: processes, kernel, SGX, hyperthreads, and even across virtual machines. We show that Meltdown mitigations do not affect ZombieLoad.
The ZombieLoad attack can be mounted without any user interactions from an unprivileged application, both on Linux and Windows.
To demonstrate the danger of the ZombieLoad attack, we present multiple attacks, such as monitoring the browsing behavior, stealing cryptographic keys, and leaking the root-password hash on Linux. In a live demo, we show that such attacks are not only practical but also easy to mount. We will then discuss mitigations against the ZombieLoad attack.
We outline challenges for future research on Meltdown-type attacks and mitigations. Finally, we will discuss the short-term and long-term implications for hardware vendors, software vendors, and users.
Introduction to Meltdown-type Attacks
We briefly recap the history of Meltdown-type attacks (Meltdown, Foreshadow, LazyFP), their impact, and their current state in terms of mitigations and vulnerable hardware.
We explain transient execution and transient instructions, the basis of all Meltdown attacks. We show how transient execution enabled Spectre and Meltdown attacks and how it was used in previous attacks to leak data.
We introduce ZombieLoad, a novel Meltdown-type attack which works on a wide range of Intel CPUs even in the presence of Meltdown patches. We illustrate how and why ZombieLoad works, and explain how it can be used to leak data across all security boundaries (including the kernel, SGX, hypervisor, and virtual machines).
We present several attacks showing the power of the ZombieLoad attack. The attacks show amongst others how user-behavior can be monitored, data can be leaked, and that even AES-NI keys can be extracted using ZombieLoad.
In a live demo, we demonstrate data leakage with ZombieLoad.
We overview mitigation strategies against ZombieLoad. We discuss both software mitigations as well as the official microcode updates and analyze how effective they are.
Although it was widely believed that Meltdown was a single hardware vulnerability which could be easily fixed, we show that this is not the case and that there are more unfixed variants of Meltdown-type attacks.