RIDL, FALLOUT and ZombieLoad
Updated: Jan 25
So three(3) new hardware based vulnerabilities were released and whilst we all remember Spectre or Meltdown from last year these ones, these new vulnerabilities show that hardware based attacks are not going to go away any time soon, not only that but the legacy of these attacks will linger on for many more years!
Let's start with a few basics, these vulnerabilities are all hardware based (Intel based chip sets including Xeon) and so effect almost everything from Laptops, Desktops, Servers and is OS independant so Linux, Windows etc are all effected. Currently ARM based processors are not affected.
The vulnerabilities were discovered by multiple teams around the world who have been coordinating the release of whitepapers (I shall link them at the bottom of the post).
RIDL and Fallout are similar in nature to the Spectre vulnerability from 2018, that is they take advantage of how a processor manages tasks by speculating what calculation the os will need next and disguarding the one that was wrong. Think about when you used to play Choose-Your-Own-Adventure books and you would cheat by looking at the outcome of your choices then picking the page that looked best and forgetting the others. That is how Intel processors can be one step ahead, the downside is attacks like Spectre and now RIDL and Fallout can be successful.
First lets deal with RIDL and Fallout, these are similar and we can bunch them together before we get onto ZombieLoad.
I am not going to get into the real technicalities of these here, honestly the whitepapers are way better and more in-depth than I could ever be here, but I shall try to give a quick overview so that you can go away pretending you understand what is going on when it comes up later in a meeting. Both of these attacks take advantage of the recent MDS (Microarchitectural Data Sampling) side-channel vulnerabilities.
RIDL (Rogue In-Flight Data Load):
CPUs have various security domains such as line-fill buffers, load ports and multiple buffers, RIDL allows malicious code to leak information across those security domains. You can then use this attack to read information from other applications, over trusted execution environment and most worryingly you can read information from other virtual machines. It will be interesting to see how cloud providers such as AWS, Azure etc deal with this type of attack.
Whilst very similar to RIDL, the Fallout vulnerability allows the malicious code to read data from the Store Buffers which is what is used by the CPU to store data, this exploit basically allows the attacker to read recently stored data. As this attack breaks the Kernel Address Space Layout it is a great stepping stone to other attacks so should not be downplayed as to how critical this is going to be.
The recent updates by Intel to prevent Meltdown vulnerabilty has unfortunately made them more vulnerable to this attack.
MDS have also provided some tools to check if you are vulnerable to these attacks (you probably are tbh). https://github.com/vusec/ridl as well as a super cool interactive demo.
Watch a POC (proof of concept) of RIDL leaking root passwords hashes:
If you want to read more about how both of these attacks work I highly recommend you take half hour over your lunch and read these two excellent whitepapers released by the teams who found them.
This one works in a different way to the others, it uses a subset of side channel attacks they have dubbed data-sampling attack. The team that found it discovered that by faulting load instructions they can expose private values of one hyperthread sibling into another. What this means is that this vulnerability allows the attacker to read any private browsing history as well as other data. Not only can it leak data from the OS, applications, but like the other attacks it can read data across the trusted execution environments and that means other virtual machines, again it will be interesting to see how the cloud providers deal with these vulnerabilities.
The team have also created a POC (proof of concept) to show the attack, you can get it from their github. https://github.com/IAIK/ZombieLoad
The downside is this is yet another in the trend of vulnerabilities having logos and websites and no doubt a theme tune coming. I would avoid all of that and go straight to the whitepaper on the vulnerability here.