Speculative Dereferencing of Registers: Reviving Foreshadow

Schwarzl, Martin and Schuster, Thomas and Schwarz, Michael and Gruss, Daniel
(2021) Speculative Dereferencing of Registers: Reviving Foreshadow.
In: Financial Cryptography and Data Security 2021.
Conference: FC Financial Cryptography and Data Security Conference

[img]
Preview
 Text
specderef.pdf - Published Version
Download (389kB) | Preview

Abstract

In this paper, we provide a systematic analysis of the root cause of the prefetching effect observed in previous works and show that its attribution to a prefetching mechanism is incorrect in all previous works, leading to incorrect conclusions and incomplete defenses. We show that the root cause is speculative dereferencing of user-space registers in the kernel. This new insight enables the first end-to-end Foreshadow (L1TF) exploit targeting non-L1 data, despite Foreshadow mitigations enabled, a novel technique to directly leak register values, and several side-channel attacks. While the L1TF effect is mitigated on the most recent Intel CPUs, all other attacks we present still work on all Intel CPUs and on CPUs by other vendors previously believed to be unaffected.

Item Type: Conference or Workshop Item (A Paper) (Paper)
Divisions: Michael Schwarz (MS)
Conference: FC Financial Cryptography and Data Security Conference
Depositing User: Michael Schwarz
Date Deposited: 15 Feb 2021 15:49
Last Modified: 15 Feb 2021 15:49
Primary Research Area: NRA3: Threat Detection and Defenses
URI: https://publications.cispa.saarland/id/eprint/3358

Actions

Actions (login required)

View Item View Item
CISPA is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.