New side-channel attack discovered by Bitdefender
A new critical side-channel attack LVI-LFB (Load Value Injection in the Line Fill Buffers) has been discovered
Bitdefender researchers have again identified and created a proof-of-concept for a new side-channel attack.
The attack, dubbed LVI-LFB (Load Value Injection in the Line Fill Buffers) allows an attacker to inject rogue values in certain micro-architectural structures which are then used by the victim, which can lead to revealing secret, protected data across levels of privilege.
This new attack (CVE-2020-0551) affects newer Intel CPUs which use speculative execution.
In the pursuit of ever-faster CPUs, vendors have implemented various versions of speculative execution. This functionality has the CPU making educated guesses about instructions which may be required before determining if they are, in-fact, required. This speculative execution can leave traces in cache which attackers can use to leak privileged, kernel memory.
What makes research into these attacks cutting-edge compared to cyber attacks against more traditional vulnerabilities is that it gets to the root of how modern CPUs operate. To properly investigate, research teams must have a thorough understating of CPU internals (branch prediction, out-of-order execution, speculative execution, pipeline, and caches), OS internals (system calls, interrupt and exception handling and KPTI), and side-channels and speculative-execution attacks in general.
This new attack may be particularly devasting in multi-tenant and multi-workload environments which run on hardware shared between groups of workloads within an organization, or between organizations, such as public- and private-clouds. This is because, as the PoC shows, there is the potential for a lesser-privileged process under attacker control to speculatively hijack control flow in a higher-privileged process, when specific requirements are met.
The most straightforward risk is the theft of secret data which should otherwise be kept private by security boundaries at the hardware, hypervisor, and operating system levels. This information can include anything from encryption keys, to passwords, or other information which an attacker could exfiltrate, or use to gain further control of a targeted system.
This new attack technique is called Load Value Injection, and the CVE assigned to it is CVE-2020-0551.
Researchers have previously looked at MDS (Microarchitectural Data Sampling) from one direction only; the victim accesses the secret, which gets loaded in the MDS buffers, while the attacker leaks the contents of the MDS buffers by issuing a load instruction which requires microcode assists (for example, by reading an invalid address). However, the MDS buffers can also be abused the other way around; if an attacker sprays the MDS buffers with a particular value, a victim may speculatively load that particular value when a load instruction triggers such a microcode assist (for example, the load instruction triggers a fault). By carefully analyzing what Spectre is and what MDS is, a keen eye will quickly identify the root cause of the new, LVI-LFB, vulnerability; an indirect memory branch which requires a microcode assist being fed stale values from the MDS buffers which can be controlled by an attacker, thus leading to speculative arbitrary code execution.
Other attack scenarios have been described by academic researchers who independently discovered and first reported the issue to Intel in April, 2019. Bitdefender reported the issue to Intel on February 10th, 2020. Their response on February 25th acknowledged the issue, and also revealed that public disclosure would occur on March 10th 2020.
The LVI-LFB Attack affects newer Intel CPUs which make use speculative-execution.
Mitigation strategies for hardware-based, side-channel attacks fall under several categories, each with a degree of operational impact on organizations.
The Bitdefender advanced research team would like to credit the researchers who first reported this issue to Intel in April, 2019, and also thank them for their cooperation and collaboration leading-up to (and beyond) the public disclosure of this issue. The academic researchers are:
Jo Van Bulck, Daniel Moghimi, Michael Schwarz, Moritz Lipp, Marina Minkin, Daniel Genkin, Yuval Yarom, Berk Sunar, Daniel Gruss, and Frank Piessens
These researchers have created a dedicated website and detailed academic paper, which are available as follows:
https://lviattack.eu/ (a detailed description of the issue)
https://lviattack.eu/lvi.pdf (an academic whitepaper)
Additional information is also available from Intel, as follows: