What does it target?

Speculative execution and Intels Privilege Execution features


Who is impacted?

Anyone using Intel and some ARM CPU’s; As this targets Intels proprietary Privilege Escalation feature, AMD is not impacted. Im not sure how ARM CPUs are vulnerable, possible they licensed this from Intel?


Whats the risk?

Violate the boundary between Ring 3 and Ring 0 to read kernel memory from user space.


What does it need to hit you?

Ability to execute code on target machine.


Brief Description;

  1. Flush CPU cache
  2. Read char from address that throws exception(seg fault)
  3. Fault is thrown but speculative execution causes the result is stored in CPU cache due to out of order execution.
  4. Check each possible BYTE and measure time against time of returning fault. If the result is stored in the cache, eg for ‘a’, then when we check ‘a’ return should take 60ms as opposed to 200ms if we check ‘b’.
  5. If fault takes a long time to return it means that letter was not stored in the cache and thus, was not in the memory location. If the fault is returned quickly then that letter matches the cache and we can try another memory location and repeat the process, building out what that string says.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s