Rogue In-Flight Data Load (RIDL)
We present Rogue In-flight Data Load (RIDL), a new class of unprivileged speculative execution attacks to leak arbitrary data across address spaces and privilege boundaries (e.g., process, kernel, SGX, and even CPU-internal operations). Our reverse engineering efforts show such vulnerabilities originate from a variety of micro-optimizations pervasive in commodity (Intel) processors, which cause the CPU to speculatively serve loads using extraneous CPU-internal in-flight data (e.g., in the line fill buffers). Contrary to other state-of-the-art speculative execution attacks, such as Spectre, Meltdown and Foreshadow, RIDL can leak this arbitrary in-flight data with no assumptions on the state of the caches or translation data structures controlled by privileged software.
The implications are worrisome. First, RIDL attacks can be implemented even from linear execution with no invalid page faults, eliminating the need for exception suppression mechanisms and enabling system-wide attacks from arbitrary unprivileged code (including JavaScript in the browser). To exemplify such attacks, we build a number of practical exploits that leak sensitive information from victim processes, virtual machines, kernel, SGX and CPU-internal components. Second, and perhaps more importantly, RIDL bypasses all existing “spot” mitigations in software (e.g., KPTI, PTE inversion) and hardware (e.g., speculative store bypass disable) and cannot easily be mitigated even by more heavyweight defenses (e.g., L1D flushing or disabling SMT). RIDL questions the sustainability of a per-variant, spot mitigation strategy and suggests more fundamental mitigations are needed to contain ever-emerging speculative execution attacks.
Conclusion
We presented RIDL, a new class of speculative execution vulnerabilities able to leak arbitrary, address-agnostic in-flight data from normal execution (without branches or errors), including sandboxed execution (JavaScript in the browser). We showed RIDL can be used to perform attacks across arbitrary security boundaries and presented real-world process-, kernel-, VM-, and SGX-level exploits. State-of-the-art mitigations against speculative execution attacks (including the in-silicon mitigations in Intel’s recent CPUs) are unable to stop RIDL, and new software mitigations are at best non-trivial. RIDL puts into question the current approach of “spot” mitigations for individual speculative execution attacks. Moving forward, we believe we should favor more fundamental “blanket” mitigations over these per-variant mitigations, not just for RIDL, but for speculative execution attacks in general.
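The abstract and conclusion both stress that the available defenses (microcode buffer clearing, disabling SMT) are partial and that software alone cannot fix the leak. On Linux the kernel reports which of those defenses is actually active for this attack class under the name Intel uses for it, Microarchitectural Data Sampling (MDS), as a one-line status in `/sys/devices/system/cpu/vulnerabilities/mds`. The following is an added example, not code from the RIDL paper or from the HSD page: it parses that status line (the state strings follow the kernel's admin-guide documentation for the `mds` file) and flags the combinations a defender still needs to act on, such as buffer clearing attempted without the required microcode, or mitigation present but SMT still enabled. The sample status lines are constructed for the example; `MdsStatus`, `parse_mds_status` and `needs_action` are names chosen here, not kernel APIs.

```python
"""Classify the Linux kernel's reported MDS (RIDL-class) mitigation status.

Added example, not from the RIDL paper or the HSD page. The kernel writes a
single line to /sys/devices/system/cpu/vulnerabilities/mds; the main part
describes the CPU-buffer-clearing mitigation and an optional ';' suffix
describes the SMT (hyper-threading) state, which matters because buffer
clearing alone does not protect against a sibling thread.
"""
import os
from typing import List, NamedTuple, Optional, Tuple

MDS_SYSFS = "/sys/devices/system/cpu/vulnerabilities/mds"


class MdsStatus(NamedTuple):
    state: str   # not_affected | vulnerable | vulnerable_no_microcode | mitigated | unknown
    smt: str     # vulnerable | mitigated | disabled | unknown | n/a (no SMT suffix)
    raw: str     # the original status line


def parse_mds_status(line: str) -> MdsStatus:
    """Split the kernel status line into mitigation state and SMT state."""
    text = line.strip()
    main, _, smt_part = text.partition(";")
    main = main.strip()
    smt_part = smt_part.strip()

    if main == "Not affected":
        state = "not_affected"
    elif main.startswith("Mitigation:"):
        state = "mitigated"                 # "Mitigation: Clear CPU buffers"
    elif main.startswith("Vulnerable:") and "no microcode" in main:
        state = "vulnerable_no_microcode"   # VERW clearing attempted, no microcode support
    elif main.startswith("Vulnerable"):
        state = "vulnerable"                # no mitigation in place
    else:
        state = "unknown"

    smt = "n/a"
    if smt_part.startswith("SMT "):
        tail = smt_part[len("SMT "):].lower()
        if tail in ("vulnerable", "mitigated", "disabled"):
            smt = tail
        else:
            smt = "unknown"                 # e.g. "SMT Host state unknown" inside a guest
    return MdsStatus(state, smt, text)


def needs_action(status: MdsStatus) -> bool:
    """True when the host is still exposed: no/partial mitigation, or SMT left on."""
    if status.state == "not_affected":
        return False
    if status.state != "mitigated":
        return True
    return status.smt in ("vulnerable", "unknown")


def read_mds_status(path: str = MDS_SYSFS) -> Optional[MdsStatus]:
    """Read the live status; None when the file is absent (non-Linux or a kernel without MDS support)."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="ascii") as fh:
        return parse_mds_status(fh.readline())


# Constructed sample lines covering the documented states (not captured from a real host).
SAMPLE_LINES = [
    "Not affected",
    "Vulnerable",
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT disabled",
    "Mitigation: Clear CPU buffers; SMT Host state unknown",
]


def classify_samples() -> List[Tuple[str, str, str, bool]]:
    """Classify every sample line: (raw, state, smt, needs_action)."""
    out = []
    for line in SAMPLE_LINES:
        st = parse_mds_status(line)
        out.append((st.raw, st.state, st.smt, needs_action(st)))
    return out


if __name__ == "__main__":
    for raw, state, smt, action in classify_samples():
        print(f"{'ACTION ' if action else 'ok     '}{state:24s} smt={smt:10s} <- {raw}")
    live = read_mds_status()
    print("live:", live.raw if live else "mds status file not present on this system")
```

Run it on a Linux host to see the live line alongside the constructed samples; a result of `mitigated` with `SMT vulnerable` is the case the abstract warns about, where the microcode buffer clearing is active but a sibling hyper-thread can still observe in-flight data.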