Meltdown Attack

Creator
Seonglae Cho
Created
2024 Jun 5 5:49
Editor
Edited
2024 Jun 7 5:47
  • Bug: Speculative execution not subject to page permission checks
  • Attack: User code can read kernel data.
The kernel is mapped at higher addresses and marked inaccessible to user mode. The entire physical memory is directly mapped into the kernel address space at a fixed offset, so a physical page that is mapped accessible in user space is also mapped in kernel space through the Cache Direct Mapping.
User code can read the entire physical memory on Linux, Android and OSX through the Meltdown attack.
 

How to reproduce

  1. The content of an attacker-chosen memory location, which is inaccessible to the attacker, is loaded into a register.
  2. A transient instruction accesses a cache line based on the secret content of the register.
  3. The attacker uses FLUSH+RELOAD to determine the accessed cache line and hence the secret stored at the chosen memory location.
 
 

Concise implementation without loop

Separate program
 
 

Meltdown Mitigation

Separate application and OS page tables (Page Table Isolation)
  • Does not map any kernel memory in the user space, except for some parts required by the x86 architecture such as interrupt handlers
  • User-level programs can no longer directly use kernel memory addresses, as such addresses cannot be resolved
 
 

KAISER (KPTI, PTI) patch, which was done under a 1 year embargo from Intel (the kernel has an isolated Page Table)

Kernel page-table isolation
Kernel page-table isolation is a Linux kernel feature that mitigates the Meltdown security vulnerability and improves kernel hardening against attempts to bypass kernel address space layout randomization (KASLR). It works by better isolating user space and kernel space memory. KPTI was merged into Linux kernel version 4.15, and backported to Linux kernels 4.14.11, 4.9.75, and 4.4.110. Windows and macOS released similar updates. KPTI does not address the related Spectre vulnerability.
meltdownattack.com
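A practical check for the mitigation described above (Page Table Isolation / KPTI), as an added example that is not part of the original page or of the KPTI patch itself. It assumes the Linux interfaces that shipped with the fix: the sysfs file /sys/devices/system/cpu/vulnerabilities/meltdown (Linux 4.15 and the backports listed above), the "pti" feature flag in /proc/cpuinfo, and the pti=off / nopti kernel command-line options that disable the mitigation. The file path, function names and the sample cpuinfo text are the example's own assumptions and constructed input.

```shell
#!/bin/sh
# Added example: report whether the running Linux kernel has Meltdown
# mitigated by kernel page-table isolation (PTI/KPTI).
# Assumed interfaces (real on Linux >= 4.15): the sysfs vulnerability file,
# the "pti" flag in /proc/cpuinfo, and the boot-time line
# "Kernel/User page tables isolation: enabled" in dmesg.

MELTDOWN_SYSFS=/sys/devices/system/cpu/vulnerabilities/meltdown
CPUINFO=/proc/cpuinfo

# classify_meltdown_status STATUS_LINE
# Maps the one-line sysfs text to a token on stdout.
# Exit status: 0 = mitigated or not affected, 1 = vulnerable, 2 = unrecognised.
classify_meltdown_status() {
    case "$1" in
        "Not affected")     echo "not_affected";    return 0 ;;
        "Mitigation: PTI"*) echo "mitigated_pti";   return 0 ;;
        Mitigation:*)       echo "mitigated_other"; return 0 ;;
        Vulnerable*)        echo "vulnerable";      return 1 ;;
        *)                  echo "unknown";         return 2 ;;
    esac
}

# pti_flag_present CPUINFO_TEXT
# Succeeds if any "flags :" line lists the pti feature flag, which the kernel
# sets only while page-table isolation is active.
pti_flag_present() {
    printf '%s\n' "$1" | grep -q -E '^flags[[:space:]]*:.*[[:space:]]pti([[:space:]]|$)'
}

# check_meltdown: inspect the live host and print a verdict (exit status as above).
check_meltdown() {
    if [ ! -r "$MELTDOWN_SYSFS" ]; then
        echo "meltdown: sysfs vulnerability file missing (kernel < 4.15 or not Linux)" >&2
        return 2
    fi
    status=$(cat "$MELTDOWN_SYSFS")
    # Capture the token without letting a non-zero status abort an errexit shell.
    if verdict=$(classify_meltdown_status "$status"); then rc=0; else rc=$?; fi
    echo "meltdown: $status -> $verdict"
    if [ -r "$CPUINFO" ] && pti_flag_present "$(cat "$CPUINFO")"; then
        echo "cpuinfo: pti flag present (page table isolation active)"
    else
        echo "cpuinfo: pti flag absent (look for pti=off or nopti on the kernel command line)"
    fi
    return $rc
}

# Only touch the live host when explicitly asked:
#   MELTDOWN_CHECK_RUN=1 sh meltdown_check.sh
if [ "${MELTDOWN_CHECK_RUN:-0}" = "1" ]; then
    check_meltdown
fi
```

The sysfs line is the authoritative signal; the cpuinfo flag is a cross-check that catches a host where PTI was compiled in but switched off at boot with pti=off or nopti. A "Vulnerable" verdict on a kernel older than the backports listed above means the patch is simply absent, which the missing sysfs file also reveals.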
 
 
 

Recommendations