Single Instruction Multiple Data Leaks in Cutting-edge CPUs, AKA Downfall
Hardware_exploits
We introduce Downfall attacks, new transient execution attacks that undermine the security of computers running everywhere across the internet. We exploit the "Gather" instruction on high-performance Intel CPUs to leak data across boundaries of user-kernel, processes, virtual machines, and trusted execution environments. Our findings, exploitation techniques, and demonstrated attacks defeat all previous defenses, calling for critical hardware fixes and security updates for widely used client and server computers.
In this talk, we first discuss the SIMD Gather instruction, how to exploit it to leak data from internal physical CPU registers via Gather Data Sampling (GDS) and how this vulnerability affects various instructions and workloads. Since these physical registers are shared across users, we can steal data from users of the same computer. We demonstrate end-to-end key-stealing attacks, stealing 128-bit and 256-bit AES keys from OpenSSL.
Second, we talk about how to use GDS to steal data not accessed by a target program. Some instructions prefetch data into physical hardware registers even if the program does not access that data. In particular, the "rep mov" instruction prefetches out-of-bounds data, which we can leak with the GDS technique. Based on this finding, we identify several gadgets to steal arbitrary data from a target application's address space, as demonstrated by a PoC attack against the Linux kernel.
Third, we introduce the Gather Value Injection (GVI) attack by turning this vulnerability into speculative data injection. We identify code patterns that are vulnerable to GVI, which enables the leaking of out-of-bounds (OOB) data from a target application.
Finally, we show that Intel SGX is also affected, discuss our attack on stealing the sealing key of secure enclaves, and wrap up by discussing mitigation options and key takeaways.
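The abstract closes on mitigation options: the GDS fix ships as a microcode update, and the Linux kernel reports whether that update is active. The following shell script is an added example, not part of the talk or of the downfall.page materials; it reads the sysfs node the kernel exposes for this vulnerability (`/sys/devices/system/cpu/vulnerabilities/gather_data_sampling`) and classifies the status strings listed in the kernel's admin-guide hw-vuln documentation for GDS. The category names (`mitigated`, `vulnerable`, `unknown`, `absent`) are this example's own choice.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's reported Gather Data Sampling
# (GDS / Downfall) mitigation state. Not code from the talk or downfall.page.

# sysfs node added by the kernel's GDS mitigation; absent on older kernels.
GDS_SYSFS="/sys/devices/system/cpu/vulnerabilities/gather_data_sampling"

# Map a kernel status string to one of four verdicts (names chosen here):
#   mitigated   - not affected, or microcode / AVX-disable mitigation active
#   vulnerable  - kernel says the CPU is affected and unmitigated
#   unknown     - status cannot be determined (e.g. inside a VM whose
#                 hypervisor controls the microcode state), or unrecognised
#   absent      - sysfs node missing: kernel predates the GDS mitigation
gds_classify() {
    case "$1" in
        "Not affected")                            echo "mitigated" ;;
        "Mitigation: Microcode")                   echo "mitigated" ;;
        "Mitigation: Microcode (locked)")          echo "mitigated" ;;
        "Mitigation: AVX disabled, no microcode")  echo "mitigated" ;;
        Vulnerable*)                               echo "vulnerable" ;;
        "")                                        echo "absent" ;;
        *)                                         echo "unknown" ;;
    esac
}

# Read the sysfs node; print an empty string when it does not exist.
gds_read() {
    if [ -r "$GDS_SYSFS" ]; then
        cat "$GDS_SYSFS"
    else
        printf ''
    fi
}

# Verdict for the machine this script runs on.
gds_verdict() {
    gds_classify "$(gds_read)"
}

# Human-readable report; exit status stays 0 so it can be run from inventory jobs.
gds_report() {
    status="$(gds_read)"
    verdict="$(gds_classify "$status")"
    printf 'GDS status : %s\n' "${status:-<sysfs node not present>}"
    printf 'GDS verdict: %s\n' "$verdict"
    case "$verdict" in
        vulnerable) echo "Action: apply the vendor microcode update for GDS." ;;
        unknown)    echo "Action: check the hypervisor or kernel version; status not determinable here." ;;
        absent)     echo "Action: kernel lacks GDS reporting; update the kernel to get a status." ;;
    esac
}

gds_report
```

Run it as root or any user (the node is world-readable); fleets can grep the `GDS verdict:` line. A guest that reports `Unknown: Dependent on hypervisor status` must be resolved at the hypervisor, since the microcode fix is applied by the host.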
By: Daniel Moghimi. From Black Hat USA 2023: https://www.youtube.com/watch?v=JLHh_oViXl8
Full abstract and presentation materials: https://www.blackhat.com/us-23/briefings/schedule/#single-instruction-multiple-data-leaks-in-cutting-edge-cpus-aka-downfall-31490
Source: Downfall Attacks page, https://downfall.page/