Reviving Meltdown 3a
Daniel Weber, Fabian Thomas, Lukas Gerlach, Ruiyi Zhang, Michael Schwarz

TL;DR
This paper investigates Meltdown 3a (Meltdown-CPL-REG), revealing its varied impact across CPUs, including recent AMD processors, and demonstrates its potential for persistent exploits despite patches.
Contribution
The study provides a comprehensive analysis of Meltdown-CPL-REG across 19 CPUs, showing its continued relevance and potential for exploitation with new attack primitives.
Findings
New impact variations across different CPUs.
AMD Zen3+ CPUs are still vulnerable.
Meltdown-CPL-REG can enable cryptographic and KASLR attacks.
Abstract
Since the initial discovery of Meltdown and Spectre in 2017, different variants of these attacks have been discovered. One often overlooked variant is Meltdown 3a, also known as Meltdown-CPL-REG. Even though Meltdown-CPL-REG was initially discovered in 2018, the available information regarding the vulnerability is still sparse. In this paper, we analyze Meltdown-CPL-REG on 19 different CPUs from different vendors using an automated tool. We observe that the impact is more diverse than documented and differs from CPU to CPU. Surprisingly, while the newest Intel CPUs do not seem affected by Meltdown-CPL-REG, the newest available AMD CPUs (Zen3+) are still affected by the vulnerability. Furthermore, given our attack primitive CounterLeak, we show that besides up-to-date patches, Meltdown-CPL-REG can still be exploited as we reenable performance-counter-based attacks on cryptographic…
Taxonomy
Topics: Security and Verification in Computing · Cryptographic Implementations and Security · Advanced Malware Detection Techniques
