The transient-execution attack Meltdown leaks sensitive information by transiently accessing inaccessible data during out-of-order execution. Although Meltdown is fixed in hardware for recent CPU generations, most currently-deployed CPUs have to rely on software mitigations, such as KPTI. Still, Meltdown is considered non-exploitable on current systems.
In this paper, we show that adding another layer of indirection to Meltdown transforms a transient-execution attack into a side-channel attack, leaking metadata instead of data. We show that despite software mitigations, attackers can still leak metadata from other security domains by observing the success rate of Meltdown on non-secret data. With LeakIDT, we present the first cache-line granular monitoring of kernel addresses. LeakIDT allows an attacker to obtain cycle-accurate timestamps for attacker-chosen interrupts. We use our attack to get accurate inter-keystroke timings and fingerprint visited websites. While we propose a low-overhead software mitigation to prevent the exploitation of LeakIDT, we emphasize that the side-channel aspect of transient-execution attacks should not be underestimated.
History
Preferred Citation
Daniel Weber, Fabian Thomas, Lukas Gerlach, Ruiyi Zhang, Michael Schwarz. Indirect Meltdown: Building Novel Side-Channel Attacks from Transient Execution Attacks. In: ESORICS. 2023.
Primary Research Area
Trustworthy Information Processing
Name of Conference
European Symposium on Research in Computer Security (ESORICS)
Legacy Posted Date
2023-08-17
Open Access Type
Repository
BibTeX
@inproceedings{cispa_all_4011,
author = {Daniel Weber AND Fabian Thomas AND Lukas Gerlach AND Ruiyi Zhang AND Michael Schwarz},
title = {Indirect Meltdown: Building Novel Side-Channel Attacks from Transient Execution Attacks},
booktitle = {ESORICS},
year = {2023}
}