Projekte pro Jahr
Abstract
The recent Spectre attack first showed how to inject incorrect branch targets into a victim domain by poisoning microarchitectural branch prediction history. In this paper, we generalize injection-based methodologies to the memory hierarchy by directly injecting incorrect, attacker-controlled values into a victim’s transient execution. We propose Load Value Injection (LVI) as an innovative technique to reversely exploit Meltdowntype microarchitectural data leakage. LVI abuses that faulting or assisted loads, executed by a legitimate victim program, may transiently use dummy values or poisoned data from various microarchitectural buffers, before eventually being re-issued by the processor. We show how LVI gadgets allow to expose victim secrets and hijack transient control flow. We practically demonstrate LVI in several proof-of-concept attacks against Intel SGX enclaves, and we discuss implications for traditional user process and kernel isolation.
State-of-the-art Meltdown and Spectre defenses, including widespread silicon-level and microcode mitigations, are orthogonal to our novel LVI techniques. LVI drastically widens the spectrum of incorrect transient paths. Fully mitigating our attacks requires serializing the processor pipeline with lfence instructions after possibly every memory load. Additionally and even worse, due to implicit loads, certain instructions have to be blacklisted, including the ubiquitous x86 ret instruction. Intel plans compiler and assembler-based full mitigations that will allow at least SGX enclave programs to remain secure on LVI-vulnerable systems. Depending on the application and optimization strategy, we observe extensive overheads of factor 2 to 19 for prototype implementations of the full mitigation.
State-of-the-art Meltdown and Spectre defenses, including widespread silicon-level and microcode mitigations, are orthogonal to our novel LVI techniques. LVI drastically widens the spectrum of incorrect transient paths. Fully mitigating our attacks requires serializing the processor pipeline with lfence instructions after possibly every memory load. Additionally and even worse, due to implicit loads, certain instructions have to be blacklisted, including the ubiquitous x86 ret instruction. Intel plans compiler and assembler-based full mitigations that will allow at least SGX enclave programs to remain secure on LVI-vulnerable systems. Depending on the application and optimization strategy, we observe extensive overheads of factor 2 to 19 for prototype implementations of the full mitigation.
Originalsprache | englisch |
---|---|
Titel | Proceedings - 2020 IEEE Symposium on Security and Privacy, SP 2020 |
Herausgeber (Verlag) | IEEE |
Seiten | 54-72 |
Seitenumfang | 19 |
Band | 1 |
ISBN (elektronisch) | 978-1-7281-3497-0 |
DOIs | |
Publikationsstatus | Veröffentlicht - 18 Mai 2020 |
Veranstaltung | 41st IEEE Symposium on Security and Privacy - Virtuell, USA / Vereinigte Staaten Dauer: 18 Mai 2020 → 20 Mai 2020 |
Publikationsreihe
Name | Proceedings - IEEE Symposium on Security and Privacy |
---|---|
Band | 2020-May |
ISSN (Print) | 1081-6011 |
Konferenz
Konferenz | 41st IEEE Symposium on Security and Privacy |
---|---|
Kurztitel | SP 2020 |
Land/Gebiet | USA / Vereinigte Staaten |
Ort | Virtuell |
Zeitraum | 18/05/20 → 20/05/20 |
ASJC Scopus subject areas
- Software
- Sicherheit, Risiko, Zuverlässigkeit und Qualität
- Computernetzwerke und -kommunikation
Fingerprint
Untersuchen Sie die Forschungsthemen von „LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection“. Zusammen bilden sie einen einzigartigen Fingerprint.Projekte
- 2 Abgeschlossen
-
Dessnet - Zuverlässige, sichere und zeitnahe Sensornetzwerke
Mangard, S. (Teilnehmer (Co-Investigator)), Glanzer, C. (Teilnehmer (Co-Investigator)), Görtschacher, L. J. (Teilnehmer (Co-Investigator)), Bösch, W. (Teilnehmer (Co-Investigator)), Grosinger, J. (Teilnehmer (Co-Investigator)), Fischbacher, R. B. (Teilnehmer (Co-Investigator)), Deutschmann, B. (Teilnehmer (Co-Investigator)) & Shetty, D. (Teilnehmer (Co-Investigator))
1/06/17 → 31/05/21
Projekt: Forschungsprojekt
-
EU - SOPHIA - Absicherung von Software gegen Physische Angriffe
Mangard, S. (Teilnehmer (Co-Investigator))
1/09/16 → 31/12/21
Projekt: Forschungsprojekt