CAPEC-696: Load Value Injection
CAPEC版本: 3.9
更新日期: 2023-01-24
攻击模式描述
An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution in which a faulting or assisted load instruction transiently forwards adversary-controlled data from microarchitectural buffers. By inducing a page fault or microcode assist during victim execution, an adversary can force legitimate victim execution to operate on the adversary-controlled data which is stored in the microarchitectural buffers. The adversary can then use existing code gadgets and side channel analysis to discover victim secrets that have not yet been flushed from microarchitectural state or hijack the system control flow.
扩展描述
This attack is a mix of techniques used in traditional Meltdown and Spectre attacks. It uses microarchitectural data leakage combined with code gadget abuse. Intel has identified that this attack is not applicable in scenarios where the OS and the VMM (Virtual Memory Manager) are both trusted. Because of this, Intel SGX is a prime target for this attack because it assumes that the OS or VMM may be malicious.
执行流程
步骤 1 Explore
[Survey target application and relevant OS shared code libraries] Adversary identifies vulnerable transient instruction sets and the code/function calls to trigger them as well as instruction sets or code fragments (gadgets) to perform attack. The adversary looks for code gadgets which will allow them to load an adversary-controlled value into trusted memory. They also look for code gadgets which might operate on this controlled value.
- Utilize Disassembler and Debugger tools to examine and trace instruction set execution of source code and shared code libraries on a system.
步骤 2 Experiment
[Fill microarchitectural buffer with controlled value] The adversary will utilize the found code gadget from the previous step to load a value into a microarchitectural buffer.
- The adversary may choose the controlled value to be memory address of sensitive information that they want the system to access
- The adversary may choose the controlled value to be the memory address of other code gadgets that they wish to execute by hijacking the control flow of the system
步骤 3 Experiment
[Set up instruction to page fault or microcode assist] The adversary must manipulate the system such that a page fault or microcode assist occurs when a valid instruction is run. If the instruction that fails is near where the adversary-controlled value was loaded, the system may forward this value from the microarchitectural buffer incorrectly.
- When targeting Intel SGX enclaves, adversaries that have privileges can manipulate PTEs to provoke page-fault exceptions or microcode assists.
- When targeting Intel SGX enclaves, adversaries can indirectly revoke permissions for enclave code through the “mprotect” system call
- An adversary can evict selected virtual memory pages using legacy interfaces or by increasing physical memory utilization
- When attacking a Windows machine, wait until the OS clears the PTE accessed bit. When the page is next accessed, the CPU will always issue a microcode assist for re-setting this bit
步骤 4 Exploit
[Operate on adversary-controlled data] Once the attack has been set up and the page fault or microcode assist occurs, the system operates on the adversary-controlled data.
- Influence the system to load sensitive information into microarchitectural state which can be read by the adversary using a code gadget.
- Hijack execution by jumping to second stage gadgets found in the address space. By utilizing return-oriented programming, this can chain gadgets together and allow the adversary to execute a sequence of gadgets.
前提条件
- The adversary needs at least user execution access to a system and a maliciously crafted program/application/process with unprivileged code to misuse transient instruction set execution of the CPU.
- The CPU incorrectly transiently forwards values from microarchitectural buffers after faulting or assisted loads
- The adversary needs the ability to induce page faults or microcode assists on the target system.
- Code gadgets exist that allow the adversary to hijack transient execution and encode secrets into the microarchitectural state.
所需技能
后果影响
影响范围: Confidentiality
技术影响: Read Data
影响范围: Access Control
技术影响: Bypass Protection Mechanism
影响范围: Authorization
技术影响: Execute Unauthorized Commands
缓解措施
Do not allow the forwarding of data resulting from a faulting or assisted instruction. Some current mitigations claim to zero out the forwarded data, but this mitigation still does not suffice.
Insert explicit “lfence” speculation barriers in software before potentially faulting or assisted loads. This halts transient execution until all previous instructions have been executed and ensures that the architecturally correct value is forwarded.