posted on 2023-11-29, 18:10authored byStephan van Schaik, Alyssa Milburn, Sebastian österlund, Pietro Frigo, Giorgi Maisuradze, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida
We present Rogue In-flight Data Load
(RIDL)1
, a new class of unprivileged speculative execution attacks to leak arbitrary data across address spaces
and privilege boundaries (e.g., process, kernel, SGX,
and even CPU-internal operations). Our reverse engineering efforts show such vulnerabilities originate from
a variety of micro-optimizations pervasive in commodity (Intel) processors, which cause the CPU to speculatively serve loads using extraneous CPU-internal
in-flight data (e.g., in the line fill buffers). Contrary
to other state-of-the-art speculative execution attacks,
such as Spectre, Meltdown and Foreshadow, RIDL can
leak this arbitrary in-flight data with no assumptions
on the state of the caches or translation data structures
controlled by privileged software.
The implications are worrisome. First, RIDL attacks
can be implemented even from linear execution with
no invalid page faults, eliminating the need for exception suppression mechanisms and enabling system-wide
attacks from arbitrary unprivileged code (including
JavaScript in the browser). To exemplify such attacks,
we build a number of practical exploits that leak
sensitive information from victim processes, virtual
machines, kernel, SGX and CPU-internal components.
Second, and perhaps more importantly, RIDL bypasses
all existing “spot” mitigations in software (e.g., KPTI,
PTE inversion) and hardware (e.g., speculative store
bypass disable) and cannot easily be mitigated even
by more heavyweight defenses (e.g., L1D flushing or
disabling SMT). RIDL questions the sustainability of a
per-variant, spot mitigation strategy and suggests more
fundamental mitigations are needed to contain everemerging speculative execution attacks.
History
Preferred Citation
Schaik van, Alyssa Milburn, Sebastian österlund, Pietro Frigo, Giorgi Maisuradze, Kaveh Razavi, Herbert Bos and Cristiano Giuffrida. RIDL: Rogue In-flight Data Load. In: IEEE Symposium on Security and Privacy (S&P). 2019.
Primary Research Area
Threat Detection and Defenses
Name of Conference
IEEE Symposium on Security and Privacy (S&P)
Legacy Posted Date
2019-06-23
Open Access Type
Unknown
BibTeX
@inproceedings{cispa_all_2921,
title = "RIDL: Rogue In-flight Data Load",
author = "van Schaik, Stephan and Milburn, Alyssa and österlund, Sebastian and Frigo, Pietro and Maisuradze, Giorgi and Razavi, Kaveh and Bos, Herbert and Giuffrida, Cristiano",
booktitle="{IEEE Symposium on Security and Privacy (S&P)}",
year="2019",
}