Store-to-Leak Forwarding: Leaking Data on Meltdown-resistant CPUs

Michael Schwarz, Claudio Canella, Lukas Giner, Daniel Gruss

Research output: Working paper

Abstract

Meltdown and Spectre exploit microarchitectural changes the CPU makes during transient out-of-order execution. Using side-channel techniques, these attacks enable leaking arbitrary data from memory. As state-of-the-art software mitigations for Meltdown may incur significant performance overheads, they are only seen as a temporary solution. Thus, software mitigations are disabled on more recent processors, which are not susceptible to Meltdown anymore. In this paper, we show that Meltdown-like attacks are still possible on recent CPUs which are not vulnerable to the original Meltdown attack. We show that the store buffer---a microarchitectural optimization to reduce the latency for data stores---in combination with the TLB enables powerful attacks. We present several ASLR-related attacks, including a KASLR break from unprivileged applications, and breaking ASLR from JavaScript. We can also mount side-channel attacks, breaking the atomicity of TSX, and monitoring control flow of the kernel. Furthermore, when combined with a simple Spectre gadget, we can leak arbitrary data from memory. Our paper shows that Meltdown-like attacks are still possible, and software fixes are still necessary to ensure proper isolation between the kernel and user space.
Original languageEnglish
Publication statusPublished - 14 May 2019

Publication series

NamearXiv.org e-Print archive
PublisherCornell University Library

Keywords

  • cs.CR

Cite this