TSX Asynchronous Abort

November 12 2019

by Florian Pester, Jacek Galowicz, Julian Stecklina

Today a new variant of the ZombieLoad family of side-channel attacks has been made public. This new variant is called TSX Asynchronous Abort (TAA). TAA works on all recent Intel processors that support Intel TSX, including Intel’s most recent Cascade Lake processors.

In light of yet another side-channel attack, Cyberus Technology announces the start of a public side-channel mitigation test and benchmarking lab. This new lab will enable us to evaluate new side-channel attacks and new mitigations against such attacks in a quick and automated manner. Please refer to the release announcement for in-depth information.

Background

TSX Asynchronous Abort (TAA) is a new variant of the ZombieLoad family of side-channel attacks. TAA was originally discovered together with the other two variants of ZombieLoad. However its publication was delayed until today due to an extended embargo. TAA is also known as CVE-2019-11135.

TAA works on all recent Intel processors with Intel TSX support including the Cascade Lake server processors released in 2019. TAA also works on microarchitectures with hardware mitigations against Meltdown and Foreshadow.

ZombieLoad was discovered earlier this year and demonstrates that faulting load instructions can expose private data across hyperthread and privilege level boundaries.

In this article, we summarize the implications and shed light on the different attack scenarios across CPU privilege rings, OS processes, virtual machines, and SGX enclaves, and give advice over possible ways to mitigate such attacks.

Implications

A short summary of what this security vulnerability means:

  • Hardware fixes for previous processor vulnerabilities, such as Meltdown or Foreshadow, do not prevent TAA.
  • TAA can leak data on the most recent Cascade Lake CPUs, which are resistant to earlier ZombieLoad variants.
  • The only requirement for the new variant to work is the presence of Intel TSX instructions.
  • By exploiting the CPU’s so-called bypass logic on return values of loads, it is possible to leak data across processes, privilege boundaries, Hyperthreads, as well as values that are loaded inside Intel SGX enclaves, and between VMs.
  • Code utilizing this exploit works on Windows, Linux, etc., as this is not a software- but a hardware issue.
  • Even without Hyperthreading, it is possible to leak data out of other protection domains. During experimentation it turned out, that ZombieLoad leaks endure serializing instructions. Such leaks do however work with lower probability and are harder to obtain.
  • Affected software:
    • So far all versions of all operating systems (Microsoft Windows, Linux, MacOS, BSDs, …)
    • All hypervisors (VMWare, Microsoft HyperV, KVM, Xen, Virtualbox, …)
    • All container solutions (Docker, LXC, OpenVZ, …)
  • Affected CPUs:
    • Intel CPUs with support for Intel TSX (most recent Intel Core and Xeon CPUs).
  • Sole operating system/hypervisor software patches do not suffice for complete mitigation:
    • Similar to the L1TF exploit, effective mitigations require switching off SMT (Simultaneous MultiThreading, aka Hyperthreads) or making sure that trusted and untrusted code do not share physical cores, in addition to any software mitigations that Intel suggests.

Security training and consulting

Cyberus Technology offers an in-depth CPU training course, that specifically includes side-channel attack vectors and how they work. The course can be held in-house at your location and tailored to your specific needs. Please contact Werner Haas (full contact data below) for more information.

We also offer consulting sessions on exploits such as Meltdown, Spectre or ZombieLoad and their derivatives and their impact and possible mitigations. For any questions regarding consulting, training or side-channel attacks in general please contact:

Technical Background

TAA is a variant of ZombieLoad and shares most properties with previously disclosed variants. It allows observing the most recent memory loads a physical core performed. Because the memory subsystem is shared between hyperthreads, this means that one hyperthread can continuously leak data from its sibling.

For an in-depth introduction into the technical background, please refer to the original ZombieLoad article on this blog.

Mitigation Techniques

For the new variant disabling TSX is a useful mitigation. Unfortunately, this requires a microcode update for most processors.

The safest workaround to prevent all variants of ZombieLoad from being successful is running trusted and untrusted applications on different physical machines. The attacks will themselves will remain successful, but they will not have any impact any more.

If this is not feasible in given contexts disabling Hyperthreading completely, together with Intel-recommended sofware workarounds, represents the safest mitigation.

In case disabling HT is not feasible for performance or other reasons, trusted and untrusted processes should never be scheduled on the same physical core.

For more detailed information about mitigation vectors, please consult the ZombieLoad research paper.

The New Attack Variant

ZombieLoad enables four different attack scenarios. There is an in-depth technical description of all of them in our original ZombieLoad article. All attack scenarios have in common that they trigger a faulty read, and extract data used by transiently executed operations via a side-channel. Previous ZombieLoad variants are made difficult by relying on how the operating system manages virtual memory. In contrast, TAA eliminates this requirement. TAA requires no operating system or hypervisor interaction and works wherever TSX is available.

This allows reading data from outside the current process. This data could be either one of the following:

  • data from kernel space or other applications
  • data from outside the VM: other VM or hypervisor
  • data from inside a currently executing SGX enclave

An important detail is that the attacker has no direct control over what data is read. Because of this restriction, the class of attacks that ZombieLoad enables is referred to as data-sampling attacks. The attacker simply samples leaking data that is currently being used by the victim process until the data sample includes interesting data.

TAA works by setting up a TSX hardware transaction to fail by creating a conflict in its read set. This conflict is asynchronously detected and the CPU starts rolling back the transaction. Meanwhile parts of the transaction continue executing, with loads turning into zombie loads that return stale data.

At the time of writing this blog post, no Intel processor has working hardware mitigations for the TAA variant of ZombieLoad.


Share this article: