In 2018, two new classes of microarchitectural side-channel attacks were disclosed: Meltdown and Spectre. Meltdown lets an attacker transiently read memory it is not permitted to access, before the permission check takes effect, while Spectre lets an attacker mistrain the CPU's branch predictors so that a victim transiently executes code paths of the attacker's choosing and leaks data through the cache. In 2019, another class of microarchitectural side-channel attacks was disclosed: Microarchitectural Data Sampling, or MDS. It allows an attacker to pick up in-flight data from various microarchitectural buffers: line fill buffers (LFBs, Microarchitectural Fill Buffer Data Sampling or MFBDS), load ports (Microarchitectural Load Port Data Sampling or MLPDS) and store buffers (Microarchitectural Store Buffer Data Sampling or MSBDS).
The new LVI-LFB method (Load Value Injection through the line fill buffers) reverses that direction: instead of sampling data that leaks out of these structures, the attacker injects rogue values into them, and the victim then transiently consumes those values as if they had come from its own memory. This can lead to revealing secret, protected data across privilege levels.
This new attack may be particularly damaging in multi-tenant and multi-workload environments that run on hardware shared between groups of workloads within an organization, or between organizations, such as public and private clouds. This is because, as the PoC shows, a lesser-privileged process under attacker control can, when specific requirements are met, transiently hijack control flow in a higher-privileged process.
The most straightforward risk is the theft of secret data which should otherwise be kept private by security boundaries at the hardware, hypervisor, and operating system levels. This information can include anything from encryption keys, to passwords, or other information which an attacker could exfiltrate, or use to gain further control of a targeted system.
Mitigation strategies for hardware-based side-channel attacks fall under several categories, each with a degree of operational impact on organizations.
This is a new attack which takes advantage of performance-centric functionality of modern Intel CPUs. LVI-LFB further breaks down the barriers between trust levels by demonstrating another attack methodology in this highly advanced field of research.
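The code shape LVI targets, shown here as an added example that is not taken from the whitepaper, the PoC or Bitdefender: a victim load whose result is immediately consumed either as an address or as an indirect-branch target, placed next to the LFENCE-based hardening that Intel's technical deep-dive recommends. The lookup table, pointer slot and handler names are constructed for illustration. The program shows only the victim-side pattern and its fix; it does not perform the injection itself, which requires the attacker to arrange a faulting or assisted load and cannot be demonstrated in a portable program.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Serialising fence: on Intel CPUs, LFENCE does not dispatch until every earlier
 * load has retired, so a transiently forwarded (injected) load value cannot reach
 * the instructions after it. On non-x86 targets this degrades to a compiler
 * barrier; LVI is an Intel-specific issue and the fence is only meaningful on x86. */
static inline void lvi_fence(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("lfence" ::: "memory");
#else
    __asm__ volatile("" ::: "memory");
#endif
}

/* Constructed sample data standing in for a victim's lookup table and dispatch
 * table. Nothing here is secret; the point is the code shape around the loads.
 * The pointer slot is volatile so the compiler really emits the load. */
static const uint8_t sample_table[8] = { 10, 20, 30, 40, 50, 60, 70, 80 };
static const uint8_t *volatile table_slot = sample_table;

typedef int (*handler_fn)(int);
static int handler_double(int x) { return 2 * x; }
static int handler_negate(int x) { return -x; }
static handler_fn volatile handler_slots[2] = { handler_double, handler_negate };

/* Gadget 1, load-to-load: the value loaded from table_slot is used as an address
 * by the very next instruction. If that first load faults or needs a microcode
 * assist (the LVI trigger), the CPU may transiently forward a stale fill-buffer
 * value instead and dereference an attacker-chosen address before the fault is
 * architecturally raised. */
uint8_t lookup_unhardened(size_t idx)
{
    const uint8_t *p = table_slot;   /* load 1: pointer value, possibly injected */
    return p[idx & 7];               /* load 2: its address depends on load 1 */
}

uint8_t lookup_hardened(size_t idx)
{
    const uint8_t *p = table_slot;
    lvi_fence();                     /* load 1 must retire (or fault) before use */
    return p[idx & 7];
}

/* Gadget 2, load-to-branch: a function pointer loaded from memory becomes an
 * indirect branch target, which is the control-flow hijack described above. */
int dispatch_unhardened(unsigned which, int arg)
{
    handler_fn h = handler_slots[which & 1];   /* loaded value, possibly injected */
    return h(arg);                             /* transient jump to injected target */
}

int dispatch_hardened(unsigned which, int arg)
{
    handler_fn h = handler_slots[which & 1];
    lvi_fence();                     /* target is committed before the indirect call */
    return h(arg);
}

int main(void)
{
    printf("lookup  : unhardened=%u hardened=%u\n",
           (unsigned)lookup_unhardened(2), (unsigned)lookup_hardened(2));
    printf("dispatch: unhardened=%d hardened=%d\n",
           dispatch_unhardened(1, 21), dispatch_hardened(1, 21));
    return 0;
}
```

Both variants return identical values architecturally, which is the point: the fence changes only transient behaviour, at the cost of stalling every fenced load. Hand-placed fences are fragile, so in practice compiler passes such as clang's `-mlvi-hardening` insert them after loads systematically, and full mitigation for SGX enclaves also has to cover `ret` instructions, which this example does not show.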
To take a deep-dive into LVI-LFB, read the whitepaper available here.
To find more resources and information, including the PoC code, consult the information page here.
To read more about recent Bitdefender advanced research in this realm, check out the SWAPGS Attack.
The Bitdefender advanced research team would like to credit the researchers who first reported this issue to Intel in April 2019, and also thank them for their cooperation and collaboration leading up to (and beyond) the public disclosure of this issue. The academic researchers are:
Jo Van Bulck, Daniel Moghimi, Michael Schwarz, Moritz Lipp, Marina Minkin, Daniel Genkin, Yuval Yarom, Berk Sunar, Daniel Gruss, and Frank Piessens
These researchers have created a dedicated website and detailed academic paper, which are available as follows:
Additional information is also available from Intel, as follows:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00334.html (advisory)
https://software.intel.com/security-software-guidance/insights/deep-dive-load-value-injection (technical deep-dive)
Shaun Donaldson is Editor-at-large at Bitdefender Enterprise. Shaun is also responsible for supporting relationships with strategic alliance partners and large enterprise customers, and analyst relations. Before joining Bitdefender, Mr. Donaldson was involved in various technology alliances, enterprise sales and marketing positions within the IT security industry, including Trend Micro, Entrust, Bell Security Solutions and Third Brigade.