Transient Execution Attacks That Leak Arbitrary Kernel Memory (ETH Zurich)


A technical paper titled “Inception: Exposing New Attack Surfaces with Training in Transient Execution” was published by researchers at ETH Zurich.


“To protect against transient control-flow hijacks, software relies on a secure state of microarchitectural buffers that are involved in branching decisions. To achieve this secure state, hardware and software mitigations restrict or sanitize these microarchitectural buffers when switching the security context, e.g., when a user process enters the kernel. Unfortunately, we show that these mitigations do not prevent an attacker from manipulating the state of these microarchitectural buffers in many cases of interest. In particular, we present Training in Transient Execution (TTE), a new class of transient execution attacks that enables an attacker to train a target microarchitectural buffer after switching to the victim context. To show the impact of TTE, we build an end-to-end exploit called INCEPTION that creates an infinite transient loop in hardware to train the return stack buffer with an attacker-controlled target in all existing AMD Zen microarchitectures. INCEPTION leaks arbitrary kernel memory at a rate of 39 bytes/s on AMD Zen 4 despite all mitigations against transient control-flow hijacks, including the recent Automatic IBRS.”

Find the technical paper here. Published August 2023. Related GitHub material here and ETH writeup here. AMD’s security bulletin is here.

Responsible disclosure per paper:
“We communicated with Intel and AMD in February 2023. INCEPTION was under embargo until August 8, 2023 to provide adequate time for development and testing of new mitigations that require microcode patching. INCEPTION is tracked under CVE-2023-20569. Further information about INCEPTION can be found at: https://comsec.ethz.ch/inception.”

Trujillo, Daniël, Johannes Wikner, and Kaveh Razavi. “Inception: Exposing New Attack Surfaces with Training in Transient Execution.” In 32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, 2023.

