

# ZombieLoad

#### Cross-Privilege-Boundary Data Sampling

Michael Schwarz, Moritz Lipp, **Daniel Moghimi**, Jo Van Bulck, Julian Stecklina, Thomas Prescher, Daniel Gruss

#### whoami



- Daniel Moghimi (@danielmgmi)
- Computer Security *since 2010* 
  - Reverse Engineering
  - Binary Analysis
  - Application Security
- PhD Student since 2017
  - Microarchitectural Security
  - Side Channels
  - Breaking Cryptographic Implementations





#### Background: Cache Attacks – Cache Memory



#### Background: Cache Attacks – Cache Miss

#### **Background: Cache Attacks**

#### Background: Cache Attacks – Cache Hit







```
char secret = *(char *) 0xfffffff81a0123;
printf("%c\n", secret);
```



[Figure: Virtual Address Space, with labels "Oracle", "User Space" and the address 0xf...81a0123]







- Can we do Meltdown with other faults/microcode assists?
- Which part of the CPU leaks the data?
- Can we still leak somebody's data?
  - KPTI
  - Meltdown-resistant CPUs, e.g. Coffee Lake







```
mov 0x401234, %rsi
mov (%rsi), %rax
```



[Figure: memory hierarchy, with labels: Core, L1D Cache, LFB, L2, L3, DRAM]





## ZombieLoad – How Does a CPU Work These Days?















```
char secret = *(char *) 0xfffffff81a0123;
```







## ZombieLoad – Microcode Assist on 'A' Bit





### Access Bit

- CPU $\rightarrow$ OS: a page has been accessed (the CPU sets the 'A' bit)
- OS $\rightarrow$ CPU: a page has not been accessed (just allocated) (the OS clears the bit)
- 'A' Bit Microcode Assist
  - Microcode assists: the CPU executes an internal event handler to service complex instructions/operations
  - The microcode assist flushes the pipeline
  - Intel CPUs set the 'A' bit using a microcode assist

#### ZombieLoad vs. Other Meltdown-Style Attacks



## What can we do with this data leakage?



- Architecturally
  - Attack across Process Context Switches
  - Attack across Simultaneous Multithreading (SMT), a.k.a. Intel Hyperthreading

### Scenarios:

- Cross-Process
- Cross-VM
- Intel SGX



- We may leak bytes of data from other unimportant fill buffer entries
- Leak domino bytes to perform error correction

| Target Secret | 11010011 | 01111111 | 01111111 | ... |
|---------------|----------|----------|----------|-----|









- Intel SGX gives developers hardware support for a TEE
- A malicious OS is part of the threat model
- We can read register values of a trusted enclave with the help of a malicious OS
- Repeated context switches in the transient domain with the same register values

sgx-step:

```
mov
add
xor
mov 0x4142434445464748, %rax
call
nop
jmp
```

## Is there any Mitigation?



### Short-term

- Intel suggested an instruction sequence to fill all the buffers across context switches
- Disable hyperthreading
- Intel SGX: remote attestation to verify that hyperthreading is disabled

### Long-term

- Microarchitectural hardware fixes (Buy new CPUs!!)
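
A host-side check for the two short-term mitigations listed above, as an added example that is not from the slides: it grades the status string Linux exposes in `/sys/devices/system/cpu/vulnerabilities/mds`, the kernel's entry covering this class of fill-buffer leak. The path and status strings are the Linux kernel's documented interface rather than anything the talk shows; `mds_posture` and its output labels are names chosen here.

```shell
#!/bin/sh
# Added example (not from the slides): grade a Linux host against the two
# short-term mitigations, buffer clearing and disabled hyperthreading.
MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds

# mds_posture STATUS -> prints one of:
#   not-affected | mitigated | smt-exposed | smt-unknown | vulnerable | unknown
mds_posture() {
    case $1 in
        "Not affected"*)                  echo not-affected; return 0 ;;
        "Mitigation: Clear CPU buffers"*) ;;   # buffer clearing on, check SMT below
        "Vulnerable"*)                    echo vulnerable;   return 0 ;;
        *)                                echo unknown;      return 0 ;;
    esac
    # Buffer clearing happens at transitions, but a sibling hyperthread runs
    # concurrently, so clearing alone does not cover the SMT scenario.
    case $1 in
        *"SMT disabled"*|*"SMT mitigated"*) echo mitigated ;;
        *"SMT vulnerable"*)                 echo smt-exposed ;;
        *)                                  echo smt-unknown ;;  # e.g. guest: host state unknown
    esac
}

# Constructed sample strings in the format the kernel uses for this file.
for sample in \
    "Not affected" \
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable" \
    "Mitigation: Clear CPU buffers; SMT vulnerable" \
    "Mitigation: Clear CPU buffers; SMT disabled" \
    "Mitigation: Clear CPU buffers; SMT Host state unknown"
do
    printf '%-12s <- %s\n' "$(mds_posture "$sample")" "$sample"
done

# Live check, only where the kernel exposes the file.
if [ -r "$MDS_FILE" ]; then
    printf 'this host: %s\n' "$(mds_posture "$(cat "$MDS_FILE")")"
fi
```

Only `mitigated` and `not-affected` correspond to both short-term measures being in place; `smt-exposed` means buffer clearing is active but hyperthreading is still on.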

GRAZ UNIVERSITY OF TECHNOLOGY PRESENTS IN COLLABORATION WITH WORCESTER POLYTECHNIC INSTITUTE, KU LEUVEN, AND CYBERUS TECHNOLOGY AN ACM CCS 2019 PAPER "ZOMBIELOAD: CROSS-PRIVILEGE-BOUNDARY DATA SAMPLING" WRITTEN BY MICHAEL SCHWARZ, MORITZ LIPP, DANIEL MOGHIMI, JO VAN BULCK, JULIAN STECKLINA, THOMAS PRESCHER, DANIEL GRUSS

https://zombieloadattack.com/

- DANIEL MOGHIMI (@danielmgmi)
- MICHAEL SCHWARZ (@misc0110)
- MORITZ
- JO VAN BULCK (@jovanbulck)