Hardware attacks / State of the art

Microarchitectural exploitation and other hardware attacks.

Contributing:

Contributions, comments and corrections are welcome, please do PR.

Flaws:

• [ÆPIC Leak] Architecturally Leaking Uninitialized Data from the Microarchitecture

  • [CVE-2022-21233] Stale Data Read from Legacy xAPIC

• TPM-FAIL / TPM meets Timing and Lattice Attacks

  • [CVE-2019-11090] For Intel fTPM
  • [CVE-2019-16863] For STMicroelectronics TPM

• [CVE-2015-0565] Rowhammer based:

  • [CVE-2016-6728] DRAMMER
  • [CVE-2018-9442] RAMPage
  • [CVE-2019-0174] RAMBleed
  • [CVE-2019-0162] SPOILER / Speculative Load Hazards Boost Rowhammer and Cache Attacks
  • [CVE-2021-42114] Blacksmith/ Scalable Rowhammering in the Frequency Domain
  • DRAMA/DRAM Addressing
  • Flip Feng Shui (FFS)
  • SGX-Bomb
  • Nethammer
  • JackHammer
  • Half-Double: Next-Row-Over Assisted Rowhammer

• Spectre:

  • [CVE-2017-5753] Spectre-V1 / Spectre v1 / Spectre-PHT / Bounds Check Bypass (BCB)

    • SGXPectre
    • NetSpectre

  • [CVE-2018-3693] Spectre 1.2 / Meltdown-RW / Read-only protection bypass (RPB)

  • [CVE-2017-5715] Spectre-V2 / Spectre v2 / Spectre-BTB / Branch Target Injection (BTI)

    • [CVE-2021-26341] Specter-BTH / Branch History Injection (BTH)
    • [CVE-2022-29900 / CVE-2022-29901] RETBleed (Arbitrary Speculative Code Execution with Return Instructions)

  • [CVE-2018-9056] BranchScope

  • SpectreNG class:

    • [CVE-2018-3640] Spectre v3a / Meltdown-GP / Rogue System Register Read (RSRR)
    • [CVE-2018-3639] Spectre v4 / Spectre-STL / Speculative Store Bypass (SSB)
    • [CVE-2018-3665] LazyFP / Meltdown-NM / Spectre-NG 3 / Lazy FP State Save-Restore
    • [CVE-2018-3693] Spectre 1.1 / Spectre-PHT / Bounds Check Bypass Store (BCBS)
    • [CVE-2019-1125] Spectre SWAPGS

  • Foreshadow class:

    • [CVE-2018-3615] Foreshadow / Spectre v5 / L1TF / Meltdown-P / L1 Terminal Fault in SGX
    • [CVE-2018-3620] Foreshadow-NG / Foreshadow-OS
    • [CVE-2018-3646] Foreshadow-NG / Foreshadow-VMM

  • Spectre RSB (Return Mispredict / Return Stack Buffer (RSB)) based:

    • [CVE-2018-15572] SpectreRSB
    • ret2spec

  • Meltdown (Rogue Data Cache Load (RDCL)):

    • [CVE-2017-5754] Meltdown v3 / Spectre v3 / Spectre-V3 / Meltdown-US:
      • Meltdown-BR / Bounds Check Bypass
      • Meltdown-NM / FPU Register Bypass
      • Meltdown-P / Virtual Translation Bypass
      • Meltdown-PK / Protection Key Bypass

  • Microarchitectural Data Sampling (MDS):

    • [CVE-2018-12126] Fallout / Microarchitectural Store Buffer Data Sampling (MSBDS)
    • Rogue In-Flight Data Load (RIDL):
      • [CVE-2018-12130] ZombieLoad / Microarchitectural Fill Buffer Data Sampling (MFBDS)
      • [CVE-2018-12127] Microarchitectural Load Port Data Sampling (MLPDS)
      • [CVE-2019-11091] Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
      • [CVE-2019-11135] ZombieLoad v2 / TSX Asynchronous Abort (TAA)
      • [CVE-2020-0548] Vector Register Sampling (VRS)
      • [CVE-2020-0549] CacheOut / L1D Eviction Sampling (L1DES)

  • [CVE-2020-0551] Hijacking Transient Execution with Load Value Injection (LVI)

    • [CVE-2022-40982] Downfall: Exploiting Speculative Data Gathering

  • [CVE-2020-0543] Crosstalk / Special Register Buffer Data Sampling (SRBDS)

  • Processor MMIO Stale Data based:

    • [CVE-2022-21166] Device Register Partial Write (DRPW)
    • [CVE-2022-21127] Update to Special Register Buffer Data Sampling (SRBDS Update)
    • [CVE-2022-21123] Shared Buffers Data Read (SBDR)
    • [CVE-2022-21125] Shared Buffers Data Sampling (SBDS)

  • Speculative Race Conditions (SRC):

    • [CVE-2024-2193] GhostRace: Exploiting and Mitigating Speculative Race Conditions
    • Speculative Synchronization:
      • [CVE-2024-26602] Inter-Process Interrupt (IPI) Storming

• [CVE-2018-5407] PortSmash

• [CVE-2021-30747] M1RACLES: M1ssing Register Access Controls Leak EL0 State (covert channel vulnerability in the Apple Silicon "M1" chip)

• [PACMAN] Attacking ARM pointer authentication with speculative execution

• ARMageddon

• Nemesis

• [Lord of the Ring(s)] Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical

• [Augury] Using Data Memory-Dependent Prefetchers (DMP) to Leak Data at Rest

• [CVE-2020-8694 / CVE-2020-8695] PLATYPUS: Software-based Power Side-Channel Attacks on x86

• [Hertzbleed] Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86

• [CVE-2023-20593] Zenbleed: A use-after-free in AMD Zen2 processors

• [CVE-2023-20583] Collide+Power: Leaking Inaccessible Data with Software-based Power Side Channels

• [CVE-2023-23583] Reptar: A Intel redundant prefix vulnerability

• [GoFetch] Breaking Constant-Time Cryptographic Implementations Using Data Memory-Dependent Prefetchers

Proof of concepts:

• TPM-Fail: https://github.com/VernamLab/TPM-Fail
• Rowhammer (Google): https://github.com/google/rowhammer-test
• Rowhammer (IAIK): https://github.com/IAIK/rowhammerjs
• DRAMMER: https://github.com/vusec/drammer
• SGX-Bomb: https://github.com/sslab-gatech/sgx-bomb
• SWAPGS: https://github.com/bitdefender/swapgs-attack-poc
• Berkeley Out-of-Order Machine (BOOM) RV64GC RISC-V core Spectre attacks: https://github.com/riscv-boom/boom-attacks
• RETBleed: https://github.com/comsec-group/retbleed

Other PoCs:

• [spook.js] Attacking Google Chrome's Strict Site Isolation via Speculative Execution and Type Confusion

Resources:

• Linux Kernel Defence Map
• Linux Kernel Hardware Vulnerabilities
• Transient Execution Attacks
• SGX Fail: How Stuff Gets eXposed
• A Spectre demo written in Javascript for Chrome 88
• RAM Anatomy Poster
• speculation-bugs: Docs and resources on CPU Speculative Execution bugs
• Interactive guide to speculative execution attacks:

Tools:

• sandsifter: The x86 processor fuzzer.
• OpcodeTester: Analyse Undocumented Instructions on Intel x86/x86-64 and RISC-V.
• evsets: Tool for testing and finding minimal eviction sets.
• cachequery: A tool for interacting with hardware memory caches in modern Intel CPUs.
• haruspex: Exploration of x86-64 ISA using speculative execution.
• Blacksmith: Next-gen Rowhammer fuzzer that uses non-uniform, frequency-based patterns.
• Speculator: Tool to Analyze Speculative Execution Attacks and Mitigations.
• MicrocodeDecryptor: Understand how Intel mitigated spectre vulnerability, explore the implementation of Intel TXT, SGX,VT-x technologies.
• SiliFuzz: Fuzzing CPUs by proxy.
• Cascade: CPU Fuzzing via Intricate Program Generation.

Slides:

• A Dirty Little History: Bypassing Spectre Hardware Defenses to Leak Kernel Data
• Custom Processing Unit: Tracing and Patching Intel Atom Microcode.
• ÆPIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture.

Blogs and posts:

• CPU Introspection: Intel Load Port Snooping
• Sushi Roll: A CPU research kernel with minimal noise for cycle-by-cycle micro-architectural introspection
• Pulling Bits From ROM Silicon Die Images: Unknown Architecture
• Beating the L1 cache with value speculation
• COMSEC (ETH Zürich) Blog
• No More Speculation: Exploiting CPU Side-Channels for Real

Other papers:

• Reverse Engineering of Intel Microcode Update Structure
• Security Analysis of AMD predictive store forwarding (AMD Zen 3)
• Flushgeist: Cache Leaks from Beyond the Flush
• Theory and Practice of Finding Eviction Sets
• CacheQuery: Learning Replacement Policies from Hardware Caches
• Hardware-Software Contracts for Secure Speculation
• Speculative Probing: Hacking Blind in the Spectre Era
• Speculation at Fault: Modeling and Testing Microarchitectural Leakage of CPU Exceptions

Others:

$ cat /sys/devices/system/cpu/vulnerabilities/*