Security Software

Load Value Injection / CVE-2020-0551 / INTEL-SA-00334

2020-03-10
2020-03-10
5.6

Medium

Industry-wide severity ratings can be found in the National Vulnerability Database

Critical
Medium
High
Low

Overview

On some processors, faulting or assisting load operations may transiently receive data from a microarchitectural buffer.

If an adversary can cause a specified victim load to fault, assist, or abort, the adversary may be able to select the data to have forwarded to dependent operations by the faulting/assisting/aborting load. For certain code sequences, those dependent operations may create a covert channel with data of interest to the adversary. The adversary may then be able to infer the data's value through analyzing the covert channel. This transient execution attack is called load value injection (LVI) and is an example of a cross-domain transient execution attack.

Because LVI methods requires several complex steps to be chained together when the victim is executing, it is primarily applicable to synthetic victim code developed by researchers or attacks against SGX by a malicious operating systems (OSes) or virtual machine managers (VMMs).

Unlike domain-bypass attacks like MDS or L1TF, where the attacker has direct control over the instructions executed, LVI is a cross-domain method and thus requires manipulating the victim code's behavior. To utilize LVI, the malicious actor needs to:

  • Find existing gadgets in the victim software that meet all of the attack requirements.
  • Influence the behavior of the victim's environment to cause execution of the gadget inside the victim.
  • Influence the victim's execution so that a specific load inside the gadget takes a fault, assist or abort.
  • Cause the transient execution to last long enough that the gadget puts the attacker-desired data into the covert channel.
  • Look for the signal in the covert channel emitted by the LVI gadget through the background noise created by the system.

Needing to perform all these steps increases the complexity of the attack, beyond the already significant complexities present in other transient execution vulnerabilities

Due to the numerous, complex requirements that must be satisfied to implement the LVI method successfully, LVI is not a practical exploit in real-world environments where the OS and VMM are trusted. Because of the Intel® Software Guard Extensions (Intel® SGX) strong adversary model, attacks on Intel SGX enclaves loosen some of these requirements. Notably, the strong adversary model of Intel SGX assumes that the OS or VMM may be malicious, and therefore the adversary may manipulate the victim enclave's page tables to cause arbitrary enclave loads to fault or assist. Where the OS and VMM are not malicious, LVI attacks are significantly more difficult to perform, even against Intel SGX enclaves. Accordingly, system administrators and application developers should carefully consider the particular threat model applicable to their systems when deciding whether and where to mitigate LVI.

Mitigation

OS/VMM Developers

An unprivileged adversary has few points of leverage to induce faults or assists into code executing at a higher privilege level. OSes and VMMs that have already been mitigated against Spectre and L1TF/MDS will significantly reduce the risk of LVI attacks against the OS or VMM.

For further details, refer to the Deep Dive: Load Value Injection.

Enclave Developers

The threat model for Intel SGX assumes that a malicious OS/hypervisor may arbitrarily manipulate an Intel SGX enclave's page tables. This allows the attacker to cause arbitrary loads to fault or assist during enclave execution.

Because any load may fault or assist, and because it is difficult to determine at compile time whether adversary-desired data may be forwarded by a faulting/assisting load, mitigation techniques may need to consider all possible gadgets, even if many of them might not be exploitable.

The Deep Dive: Load Value Injection describes software mitigation techniques that can be applied to enclaves in order to mitigate LVI attacks against enclaves. Additionally, updates to the Intel SGX SDK will be released that apply these software mitigations. There is no additional microcode update needed to mitigate LVI (either for Intel SGX or in general).

Intel and industry partners provide toolchain support for compiler and assembler tools that yield object files that satisfy the following property:

For all Load+Transmit gadgets in each procedure/function, every path in the control flow graph from Load to Transmit is "cut" by at least one LFENCE instruction.

This property suffices to mitigate all LVI gadgets in Intel SGX enclaves, assuming the mitigation is applied to all code that runs inside the enclave, including any code downloaded into or generated (for example, enclave with a JIT engine) inside the enclave at enclave runtime. For further details on these compiler and assembler tools, refer to the Deep Dive: Load Value Injection.

System Administrators

Always keep your systems up to date with the latest security updates, and follow the guidance from your OS and VMM vendors.



Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Performance varies depending on system configuration. Check with your system manufacturer or retailer or learn more at www.intel.com.

All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel product specifications and roadmaps.

Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors.

Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. For more complete information visit www.intel.com/benchmarks.

Performance results are based on testing as of dates shown in configurations and may not reflect all publicly available​ updates.

The products and services described may contain defects or errors known as errata which may cause deviations from published specifications. Current characterized errata are available on request.

Intel provides these materials as-is, with no express or implied warranties.

No product or component can be absolutely secure.

Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.

*Other names and brands may be claimed as the property of others.

Copyright Intel Corporation 2020.