Fallout: Reading Kernel Writes From User Space
Marina Minkin, Daniel Moghimi, Moritz Lipp, Michael Schwarz, Jo Van Bulck, Daniel Genkin, Daniel Gruss, Frank Piessens, Berk Sunar, Yuval Yarom

TL;DR
Fallout is a new transient execution attack that exploits the store buffer to leak kernel information and bypass kernel address space randomization. It affects multiple processor generations, including recent Intel Coffee Lake R CPUs.
Contribution
The paper introduces Fallout, a novel microarchitectural attack exploiting the store buffer, revealing vulnerabilities in recent hardware defenses and exposing new security risks.
Findings
Fallout can reconstruct privileged kernel data from user space.
Recent Coffee Lake R processors are more vulnerable to Fallout than older generations.
Microcode assists are identified as a cause of transient execution vulnerabilities.
Abstract
Recently, out-of-order execution, an important performance optimization in modern high-end processors, has been revealed to pose a significant security threat, allowing information leaks across security domains. In particular, the Meltdown attack leaks information from the operating system kernel to user space, completely eroding the security of the system. To address this and similar attacks, without incurring the performance costs of software countermeasures, Intel includes hardware-based defenses in its recent Coffee Lake R processors. In this work, we show that the recent hardware defenses are not sufficient. Specifically, we present Fallout, a new transient execution attack that leaks information from a previously unexplored microarchitectural component called the store buffer. We show how unprivileged user processes can exploit Fallout to reconstruct privileged information…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Distributed systems and fault tolerance
