# L1TF PoC: read host information from a VM guest

This is a PoC for L1TF-VMM (aka Foreshadow-VMM, CVE-2018-3646), which can be used to read any information residing in the host's L1 cache from a guest VM. I used a kernel module to modify the specific PTE. Although this is not very advanced compared to using only userspace code, it works and is simpler. I wrote it just for fun. Currently it only works on x86_64.
My machine configuration:

- Host: Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz, 8 CPUs (1 socket * 4 cores * 2 threads), Ubuntu 18.04, Linux 4.15.0-29-generic, virt-manager 1.5.1
- Guest: Intel Core Processor (Broadwell, no TSX, IBRS), 8 CPUs (8 sockets * 1 core * 1 thread), Ubuntu 18.04, Linux 4.15.0-29-generic
On the host, build and start the victim:

```
$ gcc -o victim victim.c && sudo ./victim
```

In the guest, build the PoC and run it against the victim's physical address:

```
$ cd <path-to-L1TF-g2h>
$ sudo su
# make
# time ./foreshadow <victim_phys_addr> <len>
```
You can also watch my attack video and follow it step by step: https://www.youtube.com/watch?v=JpBIei7-naA

Notes:

- If you use CTRL+C to interrupt the attack (you'd better not do that), you should run the following command to remove the restorePTE.ko module manually, so that you can start another attack. Occasionally this may hang the VM because of `*ptep=bak;` in `mod_exit(void)`; if so, just restart the VM.
- If you want the victim to run on all CPU cores, add `-DALL_CPUS` to the compile flags (`gcc -DALL_CPUS -o victim victim.c`).
- If you don't want to keep retrying a byte whose read failed, remove `-DKEEP` from `CFLAGS` in the Makefile.
- You can use the following command to get rid of the annoying warning box:

```
# rm -f /var/crash/*
```
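Added here as a defender's check, not part of this PoC: the Linux kernel reports the host's CVE-2018-3646 state in `/sys/devices/system/cpu/vulnerabilities/l1tf`, and the functions below classify that line (the status strings are the kernel's own; the category names and the sample lines in the test are constructed for this example).

```shell
#!/bin/sh
# Classify the host kernel's L1TF status line. The guest-to-host read that this
# PoC demonstrates relies on the host leaving data in L1D across a VM entry; the
# kernel's "VMX:" segment says whether the L1D flush is active and whether SMT
# still leaves a sibling hyperthread exposed.

L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf

# l1tf_classify "<status line>" -> prints one of:
#   not-affected | unmitigated | host-only | vmm-flush-smt-vulnerable |
#   vmm-hardened | unknown
l1tf_classify() {
    case "$1" in
        "Not affected"*)                          echo not-affected ;;
        Vulnerable*)                              echo unmitigated ;;
        *"VMX: vulnerable"*)                      echo unmitigated ;;
        *"EPT disabled"*|*"flush not necessary"*) echo vmm-hardened ;;
        # L1D flush on VM entry and no SMT sibling: guest cannot read host L1D.
        *"cache flushes"*"SMT disabled"*)         echo vmm-hardened ;;
        # L1D flush on VM entry but SMT on: a sibling thread can still leak.
        *"cache flushes"*)                        echo vmm-flush-smt-vulnerable ;;
        # PTE inversion only: protects the host kernel, says nothing about KVM.
        "Mitigation: PTE Inversion")              echo host-only ;;
        *)                                        echo unknown ;;
    esac
}

# l1tf_fully_mitigated "<status line>" -> exit 0 only when a guest has no path
# (neither VM entry nor an SMT sibling) to host L1D contents.
l1tf_fully_mitigated() {
    case "$(l1tf_classify "$1")" in
        not-affected|vmm-hardened) return 0 ;;
        *)                         return 1 ;;
    esac
}

# Report the live value when running on a Linux host that exposes the file.
if [ -r "$L1TF_SYSFS" ]; then
    status=$(cat "$L1TF_SYSFS")
    printf '%s -> %s\n' "$status" "$(l1tf_classify "$status")"
fi
```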