Load Value Injection / CVE-2020-0551 / INTEL-SA-00334

Published: 01/27/2020

Disclosure date: 
2020-03-10

Published date: 
2020-03-10

 Severity rating: 
5.6 Medium

 

Industry-wide severity ratings can be found in the National Vulnerability Database


Related Content

Load Value Injection
Processors affected: Load Value Injection
INTEL-SA-00334
An Optimized Mitigation Approach for Load Value Injection
Refined Speculative Execution Terminology

Overview

On some processors, faulting or assisting load operations may transiently receive data from a microarchitectural buffer.

If an adversary can cause a specified victim load to fault, assist, or abort, the adversary may be able to select the data to have forwarded to dependent operations by the faulting/assisting/aborting load. For certain code sequences, those dependent operations may create a covert channel with data of interest to the adversary. The adversary may then be able to infer the data's value through analyzing the covert channel. This transient execution attack is called load value injection (LVI) and is an example of a cross-domain transient execution attack.

Because LVI methods requires several complex steps to be chained together when the victim is executing, it is primarily applicable to synthetic victim code developed by researchers or attacks against SGX by a malicious operating systems (OSes) or virtual machine managers (VMMs).

Unlike domain-bypass attacks like MDS or L1TF, where the attacker has direct control over the instructions executed, LVI is a cross-domain method and thus requires manipulating the victim code's behavior. To utilize LVI, the malicious actor needs to:

  • Find existing gadgets in the victim software that meet all of the attack requirements.
  • Influence the behavior of the victim's environment to cause execution of the gadget inside the victim.
  • Influence the victim's execution so that a specific load inside the gadget takes a fault, assist or abort.
  • Cause the transient execution to last long enough that the gadget puts the attacker-desired data into the covert channel.
  • Look for the signal in the covert channel emitted by the LVI gadget through the background noise created by the system.

Needing to perform all these steps increases the complexity of the attack, beyond the already significant complexities present in other transient execution vulnerabilities

Due to the numerous, complex requirements that must be satisfied to implement the LVI method successfully, LVI is not a practical exploit in real-world environments where the OS and VMM are trusted. Because of the Intel® Software Guard Extensions (Intel® SGX) strong adversary model, attacks on Intel SGX enclaves loosen some of these requirements. Notably, the strong adversary model of Intel SGX assumes that the OS or VMM may be malicious, and therefore the adversary may manipulate the victim enclave's page tables to cause arbitrary enclave loads to fault or assist. Where the OS and VMM are not malicious, LVI attacks are significantly more difficult to perform, even against Intel SGX enclaves. Accordingly, system administrators and application developers should carefully consider the particular threat model applicable to their systems when deciding whether and where to mitigate LVI.

Mitigation

OS/VMM Developers

An unprivileged adversary has few points of leverage to induce faults or assists into code executing at a higher privilege level. OSes and VMMs that have already been mitigated against Spectre and L1TF/MDS will significantly reduce the risk of LVI attacks against the OS or VMM.

For further details, refer to Load Value Injection.

Enclave Developers

The threat model for Intel SGX assumes that a malicious OS/hypervisor may arbitrarily manipulate an Intel SGX enclave's page tables. This allows the attacker to cause arbitrary loads to fault or assist during enclave execution.

Because any load may fault or assist, and because it is difficult to determine at compile time whether adversary-desired data may be forwarded by a faulting/assisting load, mitigation techniques may need to consider all possible gadgets, even if many of them might not be exploitable.

Load Value Injection describes software mitigation techniques that can be applied to enclaves in order to mitigate LVI attacks against enclaves. Additionally, updates to the Intel SGX SDK will be released that apply these software mitigations. There is no additional microcode update needed to mitigate LVI (either for Intel SGX or in general).

Intel and industry partners provide toolchain support for compiler and assembler tools that yield object files that satisfy the following property:

For all Load+Transmit gadgets in each procedure/function, every path in the control flow graph from Load to Transmit is "cut" by at least one LFENCE instruction.

This property suffices to mitigate all LVI gadgets in Intel SGX enclaves, assuming the mitigation is applied to all code that runs inside the enclave, including any code downloaded into or generated (for example, enclave with a JIT engine) inside the enclave at enclave runtime. For further details on these compiler and assembler tools, refer to Load Value Injection.

System Administrators

Always keep your systems up to date with the latest security updates, and follow the guidance from your OS and VMM vendors.

 

Software Security Guidance Home | Advisory Guidance | Technical Documentation | Best Practices | Resources

 

Product and Performance Information

1

Performance varies by use, configuration and other factors. Learn more at www.Intel.com/PerformanceIndex.