Academic researchers from Vrije Universiteit Amsterdam have demonstrated that transient execution CPU vulnerabilities are practical to exploit in real-world scenarios to leak memory from VMs running on public cloud services.
The research shows that L1TF (L1 Terminal Fault), also known as Foreshadow, a bug in Intel processors reported to the vendor in January 2018, can be combined with so-called half-Spectre gadgets, speculative load sequences long believed unexploitable on newer CPUs because they bring data into the cache but cannot on their own transmit it to an attacker, to leak data from the public cloud.
Last month, the academics reported L1TF Reloaded (PDF), a vulnerability that combines L1TF and half-Spectre to bypass commonly deployed software mitigations and leak sensitive data from the hypervisor and a co-tenant on Google Cloud.
“Using a novel technique based on pointer chasing through the host and guest, we leak all information required to manually perform two-dimensional page table walks in software; with this, we can translate arbitrary virtual guest addresses to host physical addresses, enabling the leakage of any byte in the memory of the victim via L1TF,” the academics note.
L1TF was reported to Intel in January 2018, on the same day that the notorious Spectre and Meltdown vulnerabilities became public, and was disclosed that August. It leads to a similar outcome: when a load hits a page-table entry whose present bit is clear, the CPU still transiently forwards whatever the L1 data cache holds at the physical address in that entry, so an attacker can read any secret that happens to sit in the L1 data cache.
While the real-world impact of these flaws has so far been limited, because an attacker needs to run code on the target machine to trigger the relevant instructions, L1TF Reloaded demonstrates that the attack is practical against public cloud providers, which essentially offer their customers “remote code execution as a service”, the academics argue.
In the cloud, VMs belonging to different customers share the same physical hardware and are separated only by the hypervisor; each VM must therefore be treated as untrusted, which requires all reasonable mitigations against transient execution vulnerabilities such as Spectre.
The researchers conducted their tests on a sole-tenant node on Google Cloud and demonstrated they could “leak the TLS key of a Nginx server in a victim VM under noisy conditions, without detailed knowledge of either host or guest” in an average time of 14.2 hours.
The academics’ attack targeted a half-Spectre gadget in Linux’s KVM subsystem to speculatively load data from RAM into the L1 data cache, and then exploited L1TF to read that data out of the L1 data cache.
In practice, from a malicious VM they first leaked host kernel data to identify the other VMs on the machine, then leaked guest kernel data to enumerate the processes running in the victim VM, and finally leaked the private TLS key of its Nginx server.
The academics also ran their attack against AWS, where they were able to leak only non-sensitive host data, because of additional defense-in-depth mitigations.
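The “two-dimensional page table walk” quoted above is the step that turns a guest virtual address into the host physical address that L1TF can then read. The model below, an added example that is not the researchers’ code, performs that walk in software: each guest page-table access is itself translated through the EPT, and so is the final guest-physical result. Everything in it is constructed: a bytearray stands in for host physical memory, `leak_bytes` stands in for the L1TF read primitive, the EPT root (`eptp`) and guest `CR3` are assumed to be already known (in the real attack they are recovered by the pointer chasing the paper describes), and only 4 KiB pages are modelled (a real walk must also honour large-page entries).

```python
"""
Added example (not the L1TF Reloaded authors' code): a two-dimensional
(guest + EPT) page-table walk done in software over a constructed model
of host physical memory.
"""
PAGE_SHIFT = 12
PAGE_MASK = (1 << PAGE_SHIFT) - 1
ENTRY_SIZE = 8
PRESENT = 1 << 0
FRAME_MASK = 0x000F_FFFF_FFFF_F000   # bits 12..51: frame of the next level
LEVELS = (3, 2, 1, 0)                # PML4, PDPT, PD, PT (4 KiB pages only)

HOST_RAM = 0x20000                   # 128 KiB of simulated host physical memory
SECRET = b"-----BEGIN PRIVATE KEY-----"   # constructed stand-in for a TLS key


def index_at(addr, level):
    """9-bit index into the table at `level` for a 4-level walk."""
    return (addr >> (PAGE_SHIFT + 9 * level)) & 0x1FF


def make_va(i3, i2, i1, i0, offset):
    """Assemble a low-half virtual address from its four indexes and offset."""
    return (i3 << 39) | (i2 << 30) | (i1 << 21) | (i0 << 12) | offset


def read_qword(mem, hpa):
    return int.from_bytes(mem[hpa:hpa + ENTRY_SIZE], "little")


def write_qword(mem, hpa, value):
    mem[hpa:hpa + ENTRY_SIZE] = value.to_bytes(ENTRY_SIZE, "little")


def leak_bytes(mem, hpa, n):
    """Stand-in for the L1TF leak: read n bytes at a host physical address."""
    return bytes(mem[hpa:hpa + n])


def walk(mem, root, addr, to_hpa=lambda table: table):
    """Generic 4-level walk starting at `root`. `to_hpa` maps the address of
    each table (in the walk's own address space) to the host physical address
    the entry is actually read from: identity for EPT tables, an EPT walk for
    guest tables. Raises LookupError on a non-present entry."""
    table = root
    for level in LEVELS:
        entry = read_qword(mem, to_hpa(table) + index_at(addr, level) * ENTRY_SIZE)
        if not entry & PRESENT:
            raise LookupError(f"level-{level} entry for {addr:#x} not present")
        table = entry & FRAME_MASK
    return table | (addr & PAGE_MASK)


def ept_translate(mem, eptp, gpa):
    """Guest-physical -> host-physical; EPT tables are host-physical already."""
    return walk(mem, eptp, gpa)


def gva_to_hpa(mem, eptp, guest_cr3, gva):
    """The two-dimensional walk: guest tables are at guest-physical addresses,
    so every access to them goes through the EPT, as does the final GPA."""
    gpa = walk(mem, guest_cr3, gva, to_hpa=lambda g: ept_translate(mem, eptp, g))
    return ept_translate(mem, eptp, gpa)


def build_sample_machine():
    """Constructed host memory holding one EPT hierarchy and one guest hierarchy."""
    mem = bytearray(HOST_RAM)
    # EPT (host-physical): PML4 @0x1000 -> PDPT @0x2000 -> PD @0x3000 -> PT @0x4000.
    eptp = 0x1000
    write_qword(mem, 0x1000, 0x2000 | PRESENT)
    write_qword(mem, 0x2000, 0x3000 | PRESENT)
    write_qword(mem, 0x3000, 0x4000 | PRESENT)
    # Guest frames 0..4 (GPA 0x0000..0x4000) are backed by HPA 0x10000..0x14000.
    for gfn in range(5):
        write_qword(mem, 0x4000 + gfn * ENTRY_SIZE, (0x10000 + gfn * 0x1000) | PRESENT)
    # Guest tables at GPA 0x0000..0x3000 map a single GVA to the data page at GPA 0x4000.
    guest_cr3 = 0x0000
    i3, i2, i1, i0, off = 0xFE, 0x44, 0x1A2, 0x67, 0xABC
    gva = make_va(i3, i2, i1, i0, off)
    host = lambda gpa: ept_translate(mem, eptp, gpa)   # where guest RAM really lives
    write_qword(mem, host(0x0000) + i3 * ENTRY_SIZE, 0x1000 | PRESENT)
    write_qword(mem, host(0x1000) + i2 * ENTRY_SIZE, 0x2000 | PRESENT)
    write_qword(mem, host(0x2000) + i1 * ENTRY_SIZE, 0x3000 | PRESENT)
    write_qword(mem, host(0x3000) + i0 * ENTRY_SIZE, 0x4000 | PRESENT)
    secret_hpa = host(0x4000) + off
    mem[secret_hpa:secret_hpa + len(SECRET)] = SECRET
    return mem, eptp, guest_cr3, gva


if __name__ == "__main__":
    mem, eptp, cr3, gva = build_sample_machine()
    hpa = gva_to_hpa(mem, eptp, cr3, gva)
    print(f"GVA {gva:#x} -> HPA {hpa:#x}: {leak_bytes(mem, hpa, len(SECRET))!r}")
```

Every `read_qword` in the guest walk is, in the real attack, one L1TF leak of a page-table entry, which is why the walk is slow and why the EPT translation of each table address has to be repeated at every level: the attacker never sees guest-physical memory directly, only host-physical bytes.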
Google, which provided the academics with the sole-tenant node to run their tests, awarded the researchers a $151,515 reward, the highest tier of the Google Cloud VRP, noting that this is the first time it has paid out a reward at this level.
“With our attack, we demonstrate that mitigating transient execution vulnerabilities in isolation is not effective when their exploitation can be combined to not only circumvent existing defenses but yield powerful attack primitives. Mitigations such as XPFO and process-local memory (as shown by AWS), and proposed mitigations such as address space isolation or a secret-free hypervisor, would have prevented this attack from occurring,” the researchers say.