Hardware attacks / State of the art

Microarchitectural exploitation and other hardware attacks.

Contributing:

Contributions, comments and corrections are welcome, please do PR.

Flaws:

• TPM-FAIL / TPM meets Timing and Lattice Attacks

  • [CVE-2019-11090] For Intel fTPM
  • [CVE-2019-16863] For STMicroelectronics TPM

• [CVE-2015-0565] Rowhammer based:

  • [CVE-2016-6728] DRAMMER
  • [CVE-2018-9442] RAMPage
  • [CVE-2019-0174] RAMBleed
  • [CVE-2019-0162] SPOILER / Speculative Load Hazards Boost Rowhammer and Cache Attacks
  • [CVE-2021-42114] Blacksmith/ Scalable Rowhammering in the Frequency Domain
  • DRAMA/DRAM Addressing
  • Flip Feng Shui (FFS)
  • SGX-Bomb
  • Nethammer
  • JackHammer
  • Half-Double: Next-Row-Over Assisted Rowhammer

• Spectre:

  • [CVE-2017-5753] Spectre-V1 / Spectre v1 / Spectre-PHT / Bounds Check Bypass (BCB)

    • SGXPectre
    • NetSpectre

  • [CVE-2018-3693] Spectre 1.2 / Meltdown-RW / Read-only protection bypass (RPB)

  • [CVE-2017-5715] Spectre-V2 / Spectre v2 / Spectre-BTB / Branch Target Injection (BTI)

    • [CVE-2021-26341] Specter-BTH / Branch History Injection (BTH)

  • [CVE-2018-9056] BranchScope

  • SpectreNG class:

    • [CVE-2018-3640] Spectre v3a / Meltdown-GP / Rogue System Register Read (RSRR)
    • [CVE-2018-3639] Spectre v4 / Spectre-STL / Speculative Store Bypass (SSB)
    • [CVE-2018-3665] LazyFP / Meltdown-NM / Spectre-NG 3 / Lazy FP State Save-Restore
    • [CVE-2018-3693] Spectre 1.1 / Spectre-PHT / Bounds Check Bypass Store (BCBS)
    • [CVE-2019-1125] Spectre SWAPGS

  • Foreshadow class:

    • [CVE-2018-3615] Foreshadow / Spectre v5 / L1TF / Meltdown-P / L1 Terminal Fault in SGX
    • [CVE-2018-3620] Foreshadow-NG / Foreshadow-OS
    • [CVE-2018-3646] Foreshadow-NG / Foreshadow-VMM

  • Spectre RSB (Return Mispredict / Return Stack Buffer (RSB)) based:

    • [CVE-2018-15572] SpectreRSB
    • ret2spec

  • Meltdown (Rogue Data Cache Load (RDCL)):

    • [CVE-2017-5754] Meltdown v3 / Spectre v3 / Spectre-V3 / Meltdown-US:
      • Meltdown-BR / Bounds Check Bypass
      • Meltdown-NM / FPU Register Bypass
      • Meltdown-P / Virtual Translation Bypass
      • Meltdown-PK / Protection Key Bypass

  • Microarchitectural Data Sampling (MDS):

    • [CVE-2018-12126] Fallout / Microarchitectural Store Buffer Data Sampling (MSBDS)
    • Rogue In-Flight Data Load (RIDL):
      • [CVE-2018-12130] ZombieLoad / Microarchitectural Fill Buffer Data Sampling (MFBDS)
      • [CVE-2018-12127] Microarchitectural Load Port Data Sampling (MLPDS)
      • [CVE-2019-11091] Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
      • [CVE-2019-11135] ZombieLoad v2 / TSX Asynchronous Abort (TAA)
      • [CVE-2020-0548] Vector Register Sampling (VRS)
      • [CVE-2020-0549] CacheOut / L1D Eviction Sampling (L1DES)

  • [CVE-2020-0551] Hijacking Transient Execution with Load Value Injection (LVI)

  • [CVE-2020-0543] Crosstalk / Special Register Buffer Data Sampling (SRBDS)

• [CVE-2018-5407] PortSmash

• [CVE-2021-30747] M1RACLES: M1ssing Register Access Controls Leak EL0 State (covert channel vulnerability in the Apple Silicon "M1" chip)

• ARMageddon

• Nemesis

• [Lord of the Ring(s)] Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical

Proof of concepts:

• TPM-Fail: https://github.com/VernamLab/TPM-Fail
• Rowhammer (Google): https://github.com/google/rowhammer-test
• Rowhammer (IAIK): https://github.com/IAIK/rowhammerjs
• DRAMMER: https://github.com/vusec/drammer
• SGX-Bomb: https://github.com/sslab-gatech/sgx-bomb
• SWAPGS: https://github.com/bitdefender/swapgs-attack-poc

Other PoCs:

• [spook.js] Attacking Google Chrome's Strict Site Isolation via Speculative Execution and Type Confusion

Resources:

• Linux Kernel Defence Map
• Linux Kernel Hardware Vulnerabilities
• Transient Execution Attacks
• A Spectre demo written in Javascript for Chrome 88
• RAM Anatomy Poster
• speculation-bugs: Docs and resources on CPU Speculative Execution bugs
• Interactive guide to speculative execution attacks:

Tools:

• sandsifter: The x86 processor fuzzer.
• OpcodeTester: Analyse Undocumented Instructions on Intel x86/x86-64 and RISC-V.
• evsets: Tool for testing and finding minimal eviction sets.
• cachequery: A tool for interacting with hardware memory caches in modern Intel CPUs.
• haruspex: Exploration of x86-64 ISA using speculative execution.
• Blacksmith: Next-gen Rowhammer fuzzer that uses non-uniform, frequency-based patterns.

Blogs and posts:

• CPU Introspection: Intel Load Port Snooping
• Sushi Roll: A CPU research kernel with minimal noise for cycle-by-cycle micro-architectural introspection
• Pulling Bits From ROM Silicon Die Images: Unknown Architecture
• Beating the L1 cache with value speculation
• COMSEC (ETH Zürich) Blog

Other papers:

• Reverse Engineering of Intel Microcode Update Structure
• Security Analysis of AMD predictive store forwarding (AMD Zen 3)
• Flushgeist: Cache Leaks from Beyond the Flush
• Theory and Practice of Finding Eviction Sets
• CacheQuery: Learning Replacement Policies from Hardware Caches
• Hardware-Software Contracts for Secure Speculation
• Speculative Probing: Hacking Blind in the Spectre Era

Others:

$ cat /sys/devices/system/cpu/vulnerabilities/*