Transient Execution Attacks
An unprivileged process on a computer that attacks other processes or the kernel.
Transient Execution Attack - Example
A CPU may execute two instructions concurrently, even if we expect them to run one after the other - TEAs exploit vulnerabilities within the microcode that allow this.
One line may raise an exception, but the following line still runs.
If this following line makes a memory read, the CPU would ideally stop this from happening.
The exception is only raised as the code terminates.
Meltdown
A transient execution attack affecting the majority of CPUs from Intel, Apple, etc., breaking down the isolation between programs and the OS.
Meltdown - Exploit Example
Load a kernel address - succeeds transiently but later raises an exception
Use the loaded byte, x, to index into the probe array
The exception arrives, with the CPU rolling back the changes made to memory locations
The cache state reveals x was accessed using Flush+Reload
Meltdown - Exploit Requirements
Exception suppression (with a custom signal handler and setjmp)
Target data to be cached
Also needs repeating, since it is not a deterministic process
Spectre
A transient execution attack that tricks other applications into leaking secrets with speculative execution.
Spectre - Attack Process
The CPU will attempt to guess if a particular branch will be executed or not.
The branch is speculatively executed if the CPU predicts it will be taken, but is rolled back if the prediction was wrong
Train the branch predictor to expect a branch to execute (e.g. executing many times with x < N).
Then, we trick the rock! (execute with x >= N)
Then we can leak out-of-bounds reads within the cache.