LVI - Hijacking Transient Execution with Load Value Injection
LVI is a new class of transient-execution attacks exploiting microarchitectural flaws in modern processors to inject attacker data into a victim program and steal sensitive data and keys from Intel SGX, a secure vault in Intel processors for your personal data.
LVI turns previous data extraction attacks around, like Meltdown, Foreshadow, ZombieLoad, RIDL and Fallout, and defeats all existing mitigations. Instead of directly leaking data from the victim to the attacker, we proceed in the opposite direction: we smuggle — "inject" — the attacker's data through hidden processor buffers into a victim program and hijack transient execution to acquire sensitive information, such as the victim’s fingerprints or passwords.
Crucially, LVI is much harder to mitigate than previous attacks, as it can affect virtually any access to memory. Unlike all previous Meltdown-type attacks, LVI cannot be transparently mitigated in existing processors and necessitates expensive software patches, which may slow down Intel SGX enclave computations 2 up to 19 times.
The last square. Unifying the transient-execution attack landscape.
In 2018, Spectre (top right) turned around relatively harmless branch-prediction side-channel leakages (top left) that were known for decades. By injecting speculative wrong branch decisions into other programs, Spectre makes the underlying problem much more relevant and harder to solve. At the same time, a perpendicular and dangerous class of Meltdown-type attacks (bottom left), including Foreshadow, ZombieLoad, RIDL, and Fallout, demonstrated cross-privilege level data extraction from various hidden processor buffers.
LVI (lower right) is the next step: we, for the first time, combine Spectre-style code gadgets in the victim application with Meltdown-type illegal data flow from faulting or assisted memory load instructions to bypass existing defenses and inject attacker-controlled data into a victim's transient execution.
LVI in 4 simple steps
- Poison a hidden processor buffer with attacker values.
- Induce a faulting or assisted load in the victim program.
- The attacker's value is transiently injected into code gadgets following the faulting load in the victim program.
- Side channels may leave secret-dependent traces, before the processor detects the mistake and rolls back all operations.
Who is behind LVI?
LVI was first discovered and reported by Jo Van Bulck (imec-DistriNet, KU Leuven) on April 4, 2019. The following researchers were involved in the academic paper:
- Jo Van Bulck (imec-DistriNet, KU Leuven)
- Daniel Moghimi (Worcester Polytechnic Institute)
- Michael Schwarz (Graz University of Technology)
- Moritz Lipp (Graz University of Technology)
- Marina Minkin (University of Michigan)
- Daniel Genkin (University of Michigan)
- Yuval Yarom (University of Adelaide and Data61)
- Berk Sunar (Worcester Polytechnic Institute)
- Daniel Gruss (Graz University of Technology)
- Frank Piessens (imec-DistriNet, KU Leuven)
Questions & Answers
We believe that LVI is principally relevant as an attack by a malicious compromised operating system or hypervisor targeting Intel SGX enclaves. As such, in our current assessment, you should consider LVI and install updates if you are using a recent processor equipped with Intel SGX technology (see "What is Intel SGX" below).
Intel provides a list with all affected products here. SGX is supported on certain Core-family processors from Skylake onwards. The most recent Icelake Core-family processors appear unaffected by LVI. We found that some other recent, acclaimed Meltdown-resistant recent Core-family processors are only potentially vulnerable to LVI-zero-data (aka loads exhibiting zero injection behavior only). Among Atom processors, only older Silvermont/Airmont (without SGX support) are potentially affected.
LVI bypasses all existing mitigations against transient-execution attacks, such as Meltdown, Spectre, Foreshadow, ZombieLoad, RIDL, and Fallout. We show that LVI is especially relevant in the context of Intel SGX, where LVI may arbitrarily hijack transient execution in a victim enclave and ultimately leak arbitrary secrets, breaking confidentiality guarantees in the Intel SGX ecosystem (see "What is Intel SGX" below).
LVI unifies the transient-execution research landscape by applying gadget-driven techniques from the Spectre world to reversely exploit prior Meltdown-type data leakages. LVI furthermore marks the end of transparently patching Meltdown-type processor vulnerabilities in CPU microcode, as LVI necessitates expensive software updates to serialize the processor pipeline and disable speculation after potentially every load operation.
Intel Software Guard eXtensions (SGX) is an innovative processor technology released in 2015 to create isolated environments in the computer's memory, so-called enclaves. SGX acts like a secure vault in the processor itself, combining strong encryption and hardware-level isolation to safeguard enclave programs, and the data they operate on, even against very advanced types of malware that compromise the operating system, hypervisor, or firmware (BIOS).
In our current assessment, we believe that LVI is mainly only relevant to Intel SGX enclaves. However, in the academic paper we showed that none of the ingredients for LVI are unique to Intel SGX and LVI attacks can in principle apply to non-SGX traditional cross-process, cross-virtual-machine, or user-to-kernel environments. We did not succeed in finding any practical LVI gadgets that can be realistically exploited, however, and only explored such non-SGX attacks in synthetic scenarios where we inserted our own LVI gadgets. Hence, we consider non-SGX LVI attacks of mainly academic interest and we agree with Intel's current assessment to not deploy extra mitigations for non-SGX environments, but we encourage future research to further investigate LVI in non-SGX settings (e.g., cross-process and sandboxed environments).
In our current assessment, LVI principally applies only to Intel processors with SGX technology. However, following the argument of symmetry, in in principle any processor that is vulnerable to Meltdown-type data leakage, would also be vulnerable to LVI-style data injection. Some non-Intel processors have been shown to be affected by some variants of Meltdown and Foreshadow. We maintain an up-to-date overview on the website https://transient.fail/ (select Meltdown + vendor ARM or AMD). If an attacker finds software that uses these features in an exploitable way, LVI might still be possible. We encourage future research to investigate the applicability of LVI to non-Intel CPUs.
LVI is short for Load Value Injection. Simplified, it turns Meltdown-type attacks around to inject data into an application instead of leaking data. Under certain circumstances, an attacker can inject arbitrary data, replacing the value an application loads from memory. The application uses this value for a short period of time until detecting the mistake, and rolling back all operations. However, in this short period, an attacker can arbitrarily hijack the control and data flow.
For a systematic overview of all known attacks to date, we refer to https://transient.fail/.
No, these are vulnerabilities in the processor. While software workarounds exist, the root cause for LVI cannot be eradicated in software. However, new CPUs will contain hardware fixes.
Future CPUs will contain silicon fixes to mitigate LVI directly in hardware. At least for SGX enclaves a short-term solution is needed to mitigate LVI on current, widely deployed systems. In contrast to previous Meltdown-type attacks, processor microcode updates to flush affected buffers are no longer sufficient. Instead, complementary to existing Spectre software mitigations, LVI necessitates compiler patches to insert explicit
lfence speculation barriers which serialize the processor pipeline after potentially every vulnerable load instruction. Additionally and even worse, due to implicit loads, certain instructions have to be blacklisted, including the ubiquitous x86
Intel is releasing an update for the Intel SGX SDK to assist SGX application providers in updating their enclave code. For other guidance, please review Intel’s white paper here. For more information on trusted computing base recovery in the Intel SGX ecosystem, see here.
Depending on the application and optimization strategy, we observe extensive overheads of factor 2 to 19 for prototype implementations of the full mitigation. However, we expect that real-world performance overheads for Intel SGX will depend on the specific use case. We refer to our technical paper and the graphs below for a more detailed performance evaluation on SPEC and OpenSSL.
In the academic paper, we propose an unambiguous naming scheme to reason about and distinguish LVI variants, following the extended transient-execution attack classification tree at https://transient.fail/. Particularly, in a first level, we distinguish the fault or assist type triggering the transient execution, and at a second level we specify the microarchitectural buffer which is used as the injection source. We show the resulting two-level LVI classification tree below (red leaves are demonstrated attacks, green leaves are already mitigated by existing defenses). Note that, much like in the perpendicular Spectre class of attacks, not all CPUs from all vendors might be susceptible to all of these variants.
We do not have any data on this. The exploitation might not leave any traces in traditional log files.
Yes, there is an academic research paper that can be downloaded here and will be presented at the 41th IEEE Symposium on Security and Privacy (IEEE S&P'20) in May 2020.
CVE-2020-0551 is the official reference to LVI. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.
For educational purposes, we released elementary example LVI attack applications as part of the open-source SGX-Step enclave side-channel attack framework available on GitHub. The examples focus only on demonstrating injection of dummy attacker data from various microarchitectural buffers and illustrating LVI-based transient control flow hijacking in a victim enclave.
We would like to thank Intel for working with us during the responsible disclosure.
This research is partially funded by the Research Fund KU Leuven, and by the Agency for Innovation and Entrepreneurship (Flanders). Jo Van Bulck is supported by a grant of the Research Foundation -- Flanders (FWO). Daniel Moghimi was supported by the National Science Foundation under grants no. CNS-1814406. This work was supported in part by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 681402). This work has been supported by the Austrian Research Promotion Agency (FFG) via the K-project DeSSnet, which is funded in the context of COMET – Competence Centers for Excellent Technologies by BMVIT, BMWFW, Styria and Carinthia. The Graz University of Technology team would also like to thank Intel, ARM and AMD for providing a generous gift prior to the start of this research project, funding part of this research. It was also supported in part by an Australian Research Council Discovery Early Career Researcher Award (project number DE200101577) and by the Defense Advanced Research Projects Agency (DARPA) under contract FA8750-19-C-0531.