This technical deep dive expands on the information in the Snoop-assisted L1D Sampling disclosure overview for software developers. Note that this documentation will use more precise (but different) terminology for transient execution side channel methods than we have used in past documents. Be sure to review the updated terminology guide and the list of affected processors.
A domain-bypass transient execution attack variant known as snoop-assisted L1 data sampling has been assigned CVE-2020-0550 with a CVSS of 5.6 Medium (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N). Under a specific set of complex conditions involving a cache-coherence snoop to a modified cache line, a malicious adversary may be able to infer the data values of some modified cache lines in the L1 data (L1D) cache using snoop-assisted L1 data sampling.
On certain processors and under certain conditions, data in a modified cache line that is being returned in response to a snoop may also be forwarded to a faulting, microarchitectural assist, or Intel® Transactional Synchronization Extensions (Intel® TSX) asynchronous aborting load operation to a different address that occurs simultaneously. This may potentially allow a malicious adversary to construct a covert channel to infer modified data in the L1D cache that the victim intends to protect from the malicious adversary. This domain-bypass transient execution attack is called snoop-assisted L1D sampling.
Note that this is different from L1D Eviction Sampling (CVE-2020-0449). In that issue, the eviction data may be inferrable even without a snoop. Snoop-assisted L1D sampling requires the snoop to hit a modified cache line in the exact same single core clock cycle window as the faulting/assisting/aborting load.
Locally executed malicious software may be able to infer the values of data in a cache line that was modified on the same physical core by:
In all of these scenarios, a local adversary is restricted to seeing only cache lines that were non-speculatively modified by entities with legitimate access to that data.
Note that after the snoop in step 3, regardless of whether or not the faulting load in step 3a successfully receives some snoop response data, the cache line is no longer in the modified state. The line would need to be non-speculatively modified again before another probe could be attempted. Also, accesses which do not complete due to faults (for example, page faults) or EPT violations do not initiate snoops.
Other scenarios may be possible. Examples include:
As the processors affected by snoop-assisted L1D sampling are a subset of those affected by L1 Terminal Fault (L1TF), software may have already applied L1TF mitigations on systems affected by snoop-assisted L1D sampling.
Similar to the L1TF VMM mitigations, snoop-assisted L1D sampling can be mitigated by flushing the L1D cache between when secrets are accessed and when possibly malicious software runs on the same core. See the L1TF deep dive for more details on this technique.
For snoop-assisted L1D sampling, the only cache lines that are vulnerable are cache lines that are modified while in the L1D, not all cache lines that are accessed in the L1D. Additionally, snoop-assisted L1D sampling does not allow an adversary to directly specify which cache line to infer. Adversaries can only indirectly specify the cache line (for example, by influencing a victim to access the line). It also requires precise timing alignment between multiple operations in a more complex manner than L1TF.
Snoop-assisted L1D sampling could be mitigated by flushing the L1D cache before executing potentially malicious applications, which would require changes to the OS scheduler when hyperthreading is enabled and could impact the performance of system transitions. Because of the difficulty of this method and the performance impact caused by this mitigation, Intel does not recommend applying such mitigations to the OS. More details on the hyperthreading interaction can be found in the MDS deep dive.
When the VMM is fully applying L1TF mitigations, the sensitive memory contents of the VMM or other virtual machines (VMs) will not be in the L1D cache when a possibly malicious VM executes. This will help prevent a malicious VM from attacking a VMM or other VMs with snoop-assisted L1D sampling.
Processors that are mitigated for L1TF for SMM will flush the L1D cache on each exit from SMM mode and thus already mitigate snoop-assisted L1D sampling.
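To check whether a VMM is applying the L1D flush described above, the following added example (not Intel's code, and not part of the original page) parses the L1TF status line that a Linux/KVM host reports and lists where the posture falls short of a flush on every VM entry. The Linux host, the sysfs path and the status string format are assumptions taken from the Linux kernel, not from this page; `assess_l1tf` and `findings` are hypothetical helper names.

```python
import re
from pathlib import Path
# Linux sysfs file that reports L1TF status (assumption: Linux host, not from the page).
SYSFS_L1TF = Path("/sys/devices/system/cpu/vulnerabilities/l1tf")

# VMX state -> does KVM flush the L1D before guest entry; unlisted states become "unknown".
VMX_FLUSH = {
    "cache flushes": "always",
    "conditional cache flushes": "conditional",
    "vulnerable": "never",
}

def assess_l1tf(status: str) -> dict:
    """Parse one l1tf status line into the L1D-flush posture it describes."""
    status = status.strip()
    if status == "Not affected":
        # Affected parts are a subset of L1TF-affected parts, so no flush is needed.
        return {"affected": False, "l1d_flush": "not-needed", "smt": "unknown"}
    posture = {"affected": True, "l1d_flush": "unknown", "smt": "unknown"}
    vmx = re.search(r"VMX: ([^,;]+)", status)
    if vmx:
        posture["l1d_flush"] = VMX_FLUSH.get(vmx.group(1).strip(), "unknown")
    if "SMT vulnerable" in status:
        posture["smt"] = "enabled"
    elif "SMT disabled" in status:
        posture["smt"] = "disabled"
    return posture

def findings(status: str) -> list:
    """List gaps between the reported posture and an L1D flush on every VM entry."""
    p = assess_l1tf(status)
    if not p["affected"]:
        return []
    gaps = []
    if p["l1d_flush"] == "never":
        gaps.append("no L1D flush on VM entry")
    elif p["l1d_flush"] == "conditional":
        gaps.append("L1D flush on VM entry is conditional")
    elif p["l1d_flush"] == "unknown":
        gaps.append("VMX flush state not reported")
    if p["smt"] == "enabled":
        gaps.append("SMT enabled: sibling thread shares the L1D")
    return gaps

if __name__ == "__main__":
    # Constructed sample line, used when the sysfs file is absent.
    sample = "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"
    line = SYSFS_L1TF.read_text() if SYSFS_L1TF.exists() else sample
    print(assess_l1tf(line), findings(line))
```

A status line with no `VMX:` field, as reported when KVM is not loaded, yields "VMX flush state not reported" rather than a pass.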