New VMScape Spectre-BTI Attack Exploits Isolation Gaps in AMD and Intel CPUs


A novel speculative execution attack named VMSCAPE allows a malicious virtual machine (VM) to breach its security boundaries and steal sensitive data, like cryptographic keys, directly from its host system.

The vulnerability, identified as CVE-2025-40300, affects a wide range of modern processors, including all current generations of AMD Zen (1 through 5) and Intel’s Coffee Lake CPUs.

Research from a team at ETH Zurich details the first practical guest-to-host Spectre Branch Target Injection (Spectre-BTI) attack that works against unmodified hypervisor software in a default cloud configuration, posing a significant threat to virtualized environments.


VMScape Exploiting Gaps in Virtualization Security

VMSCAPE’s success hinges on the discovery of incomplete isolation within the CPU’s Branch Prediction Unit (BPU). Modern CPUs use branch predictors to speculatively execute instructions before a branch is resolved, which improves performance.

While vendors have implemented hardware mitigations like Enhanced IBRS (eIBRS) and Automatic IBRS (AutoIBRS) to prevent different privilege levels (e.g., user vs. kernel) from influencing each other’s predictions, the researchers found these defenses are too coarse-grained for virtualized settings.

They fail to properly distinguish between four key domains: Host User (HU), Host Supervisor (HS), Guest User (GU), and Guest Supervisor (GS).

The researchers identified a new attack primitive they call vBTI GU→HU, which allows an unprivileged process inside a guest VM to manipulate the BPU state of a user-level process on the host. This effectively creates a loophole in the isolation that is supposed to keep guest and host operations separate.


The attack chain targets QEMU, a popular open-source hypervisor component used with KVM. A malicious actor in a guest VM can “train” the BPU by repeatedly executing specific code patterns.

When the guest triggers a VM-to-host transition (a VMEXIT), the host’s QEMU process takes over.

Due to the poisoned BPU state, QEMU is tricked into speculatively executing a “disclosure gadget”, a snippet of its own existing code that accesses sensitive memory. The data is then exfiltrated one byte at a time using a FLUSH+RELOAD cache side-channel attack.

VMScape Exploitation

A key challenge in mounting the attack was achieving a sufficiently large “speculation window”, the brief period during which speculative execution occurs.

The researchers overcame this by reverse-engineering the cache architecture of AMD’s Zen 4 and Zen 5 CPUs, developing the first reliable eviction sets for their non-inclusive Last Level Cache (LLC).


This technique delays the resolution of the correct branch path, extending the speculation window and enabling the attack to leak memory from the QEMU process at a rate of 32 B/s.

The full end-to-end exploit, including bypassing Address Space Layout Randomization (ASLR), was demonstrated in under 20 minutes.

Following a responsible disclosure on June 7, 2025, Linux kernel developers have released patches. The mitigation, based on the researchers’ guidance, involves issuing an Indirect Branch Prediction Barrier (IBPB) on VMEXITs just before the system transitions to execute code in the hypervisor’s userspace.

This clears the malicious BPU entries. While performance overhead is marginal (~1%) for most workloads, it can rise to 51% in I/O-heavy scenarios.
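The practical question for an operator is whether a given KVM host is running a kernel that carries the IBPB-on-VMEXIT mitigation described above. The following script is an added example, not code from the article or from the Linux kernel project; it reads the kernel's self-reported status from sysfs. It assumes the fixed kernels expose the status as a `vmscape` entry under `/sys/devices/system/cpu/vulnerabilities/`, next to the existing `spectre_v2` entry, and that the entry uses the same `Mitigation:` / `Vulnerable` / `Not affected` wording as its siblings. On a kernel that predates the fix the file is absent, which the script reports as `unknown` so that it is not mistaken for a mitigated host.

```shell
#!/bin/sh
# Added example: report the kernel's view of the VMScape (CVE-2025-40300)
# mitigation on a KVM/QEMU host. Not part of the original article.
#
# Assumption: fixed kernels publish the status in the file below, in the
# same format as the other entries in that directory (e.g. spectre_v2).
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# vmscape_status DIR
#   Prints exactly one word describing DIR/vmscape:
#     mitigated    - kernel reports an active mitigation (IBPB on VMEXIT)
#     not_affected - kernel reports the CPU is not affected
#     vulnerable   - kernel knows about the issue but no mitigation is active
#     unknown      - no entry (kernel predates the fix) or unparsable text
vmscape_status() {
    f="$1/vmscape"
    if [ ! -r "$f" ]; then
        echo unknown
        return 0
    fi
    status=$(cat "$f")
    case "$status" in
        Mitigation:*)   echo mitigated ;;
        "Not affected") echo not_affected ;;
        Vulnerable*)    echo vulnerable ;;
        *)              echo unknown ;;
    esac
}

# spectre_v2_status DIR
#   Prints the raw spectre_v2 line for context. The article's point is that
#   eIBRS/AutoIBRS alone do NOT close the guest-user -> host-user gap, so a
#   "Mitigation: Enhanced IBRS" line here must not be read as VMScape coverage.
spectre_v2_status() {
    f="$1/spectre_v2"
    [ -r "$f" ] && cat "$f" || echo "(no spectre_v2 entry)"
}

main() {
    vs=$(vmscape_status "$VULN_DIR")
    echo "spectre_v2: $(spectre_v2_status "$VULN_DIR")"
    echo "vmscape:    $vs"
    case "$vs" in
        mitigated|not_affected)
            echo "Host kernel reports VMScape as handled." ;;
        vulnerable)
            echo "Kernel knows about VMScape but the IBPB-on-VMEXIT mitigation is off." ;;
        unknown)
            echo "No vmscape entry: kernel likely predates the fix; treat guests as untrusted until updated." ;;
    esac
}

# Only run the report when executed directly, so the functions can be sourced.
case "$0" in
    *vmscape_check.sh) main ;;
esac
```

Run it as `sh vmscape_check.sh` on the host (the filename is the hypothetical one the script looks for in `$0`), or point `VULN_DIR` at another sysfs mount when inspecting a collected image. The output is advisory only: it reflects what the kernel believes about itself, so a host whose kernel was patched but booted with the mitigation disabled will correctly show `vulnerable`, while a stale kernel will show `unknown` rather than silently passing.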


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.