# **Fallout: Reading Kernel Writes From User Space**

Marina Minkin<sup>1</sup>, Daniel Moghimi<sup>2</sup>, Moritz Lipp<sup>3</sup>, Michael Schwarz<sup>3</sup>, Jo Van Bulck<sup>4</sup>, Daniel Genkin<sup>1</sup>, Daniel Gruss<sup>3</sup>, Frank Piessens<sup>4</sup>, Berk Sunar<sup>2</sup>, and Yuval Yarom<sup>5</sup>

<sup>1</sup>University of Michigan
<sup>2</sup>Worcester Polytechnic Institute
<sup>3</sup>Graz University of Technology
<sup>4</sup>imec-DistriNet, KU Leuven
<sup>5</sup>The University of Adelaide and Data61

#### **Abstract**

Recently, out-of-order execution, an important performance optimization in modern high-end processors, has been revealed to pose a significant security threat, allowing information leaks across security domains. In particular, the Meltdown attack leaks information from the operating system kernel to user space, completely eroding the security of the system. To address this and similar attacks, without incurring the performance costs of software countermeasures, Intel includes hardware-based defenses in its recent Coffee Lake R processors.

In this work, we show that the recent hardware defenses are not sufficient. Specifically, we present *Fallout*, a new transient execution attack that leaks information from a previously unexplored microarchitectural component called the *store buffer*. We show how unprivileged user processes can exploit Fallout to reconstruct privileged information recently written by the kernel. We further show how Fallout can be used to bypass kernel address space randomization. Finally, we identify and explore microcode assists as a hitherto ignored cause of transient execution.

Fallout affects all processor generations we have tested. However, we notice a worrying regression, where the newer Coffee Lake R processors are more vulnerable to Fallout than older generations.

## 1 Introduction

The architecture and security communities will remember 2018 as the year of Spectre [32] and Meltdown [37]. Speculative and out-of-order execution, which have been considered for decades to be harmless and valuable performance features, were discovered to have dangerous industry-wide security implications, affecting operating systems (OSs) [32,37], browsers [1,32], virtual machines [57], trusted execution environments (e.g., SGX) [55], AES hardware accelerators [53] and more.

Meltdown, in particular, is a severe hardware issue. In a Meltdown attack, an unprivileged attacker performs an ex-

plicit access violation to a privileged memory location containing the OS's kernel. The CPU responds with the value from that address, while marking the load operation as faulty. Perhaps most shockingly, the CPU then allows subsequent transient computation on the returned value. Finally, by the time that the CPU recognizes the violation and attempts to undo the damage caused by transient execution, the attacker already had sufficient cycles to leak the kernel data using a microarchitectural covert channel, such as via the processor's cache [10,42].

Recognizing the danger posed by this hardware issue, the computer industry mobilized. Potentially incurring significant performance losses [14], all major OS deployed countermeasures based on the KAISER patch [16] which removes the mapping of kernel pages from the address space of user processes. At a high level, Kernel Page Table Isolation (KPTI) relies on the idea that even if the attacker can access the entire currently mapped address space, the attacker lacks the capabilities of accessing memory outside of the current address space, thus leaving the kernel safely out of reach.

Unfortunately, with Foreshadow [55] and Foreshadow-NG [57] it became clear that an attacker can transiently access even pages that are not mapped into the address space. The attacker then subsequently exploits a Meltdown-like technique to leak privileged data, including enclave secrets safeguarded by Intel's Software Guard eXtensions (SGX) [55] or across virtual machines running on the same physical host [57].

In an attempt to claw back some of the performance loss, and to permanently eliminate Foreshadow and Meltdown related issues, Intel announced already back in 2018 strong, silicon-based Meltdown defenses in future processors enumerating Rogue Data Cache Load resilience (RDCL\_NO) [26]. With the recent release of the 9th generation Coffee Lake R microarchitecture, such Meltdown-resistant processors are finally available on the mass consumer market. The RDCL\_NO security feature promises to obviate the need for KPTI and other defenses, while improving overall performance [8]. However, while Intel claims that these fixes address Meltdown and Foreshadow, it remains unclear whether new generations

of Intel processors are properly protected against Meltdowntype transient execution attacks. Thus, in this work we set out to investigate the following question:

Is kernel data safe in the new generation of processors? Can ad-hoc software mitigations be safely disabled on post-Meltdown Intel hardware?

#### 1.1 Our Contribution

Unfortunately, in this paper, we answer these questions in the negative. We present *Fallout*, a new attack on the hardware-based memory isolation mechanisms in Intel CPUs. Using Fallout, user-space programs can read data that has recently been written by the kernel, as well as derandomize Kernel Address Space Layout Randomization (KASLR). Similarly to previous transient execution attacks, Fallout does not require any privileges except for the ability to run code, and does not exploit any kernel vulnerabilities.

The Mechanism Behind Fallout. Fallout exploits an optimization that we call *Write Transient Forwarding* (WTF), which incorrectly passes values from memory writes to subsequent memory reads. In a nutshell, when the program writes a value to memory, the processor needs to first translate the virtual address of the destination to a physical address and then acquire exclusive access to the location. Rather than stalling the store instruction and subsequent computation, the processor records the value and the address in the *store buffer*, and continues executing the program. The store buffer then resolves the address, acquires the access to the memory location and stores the data.

When a value is in the store buffer, care should be taken that subsequent loads from the same address do not read stale values from memory. To solve this, the processor matches the addresses of all load instructions against addresses in the store buffer. In the case of a match, the processor *forwards* the matching value from the store buffer to the load instruction. To increase efficiency, the processor uses partial address matches to rule out the need for store-to-load forwarding. WTF kicks in when a load instruction partially matches a preceding store and the processor determines that the load is bound to fail. In such cases, instead of cleaning up the state of the processor, it marks the load as faulty, and *incorrectly* forwards the value of the partially matched store.

**Exploiting the WTF optimization.** Fallout exploits this behavior to leak, through a microarchitectural channel, the value that WTF incorrectly forwards. The attacker deliberately performs a faulty load, causing the CPU to transiently forward an incorrect value from the store buffer. We subsequently leak the value using a Flush+Reload [58] side channel. As the store buffer is a shared resource used by all software running on a CPU core, the incorrectly-forwarded value might not even belong to the attacker's process. Empirically demonstrating this, in this paper, we show how to exploit the WTF optimization

to leak values recently written by the kernel from user space as well as how to derandomize the kernel's ASLR.

Fallout vs. Meltdown Like all Meltdown-type attacks, Fallout exploits transient execution past an exception. However, unlike previous Meltdown-type attacks, in Fallout the adversary does not read from the address of the protected value. Instead, the value leaks while the adversary loads from an unrelated memory address. As a result, the hardware countermeasures for Meltdown and Foreshadow in recent Intel processors do not protect against Fallout. Finally, we note a worrying regression in recent Intel processors, where, possibly due to the added hardware countermeasures, newer processors seem more vulnerable to Fallout than previous generations.

Security Analysis of Speculation Mechanisms and Coffee Lake Refresh. We present the first analysis of various exception-creation and exception-suppression mechanisms used to mount Fallout across various Intel architectures. As we show, not all creation and suppression mechanisms are interchangeable, and the exact combination is, in fact, architecture dependent. Finally, we show that the hardware change in exception creation and suppression introduced by Intel in the latest Coffee Lake Refresh architecture make them more vulnerable to our attack.

**Exploiting Microcode Assists.** As a final contribution, we identify a hitherto unexplored cause of transient execution. We show that invoking *microcode assists* to handle corner cases in the execution of some instructions, results in transient execution of the instructions. While assists-based transient execution shares some properties of Meltdown-type transient execution, assists do not cause exceptions and therefore do not require any fault-suppression mechanisms.

## 1.2 Disclosure and Timeline

Following the practice of responsible disclosure, we have notified CPU vendors about our findings.

**Intel.** We notified Intel about our findings, including a preliminary writeup and proof-of-concept code, on January 31st, 2019. Intel had acknowledged the issue and requested an embargo on the results in this paper, ending May 14th, 2019. Intel has further classified this issue as Microarchitectural Store Buffer Data Sampling (MSBDS), assigning it CVE-2018-12126 and a CVSS ranking of Medium. Finally, Intel had indicated that we are the first academic group to report this issue and that a similar issue was found internally as well.

**AMD.** We also notified AMD's security response team regarding our findings, including our writeup. AMD had investigated this issue of their architectures and indicated that AMD CPUs are not vulnerable to the attacks described in this paper.

**ARM.** We have also notified ARM's security response team regarding our findings. ARM had investigated this issue

and found that ARM CPUs are not vulnerable to the attacks described in this paper.

**IBM.** Finally, we also notified IBM security about the finding reported in this work. IBM had responded that none of their CPUs is affected, including System-V and PowerPC.

The RIDL Attack. In a concurrent independent work<sup>1</sup>, the RIDL attack [56] analyzes additional buffers present inside Intel CPUs, with specific attention to the Line Fill Buffer (LFB) and load ports. There, they show that faulty loads from the LFB or load ports leak information across various security domains. We note however that Fallout is different from (and complementary to) RIDL. This is since the two attacks exploit different microarchitectural elements (LFB and load ports for RIDL and Store Buffer and WTF optimization for Fallout). In particular, RIDL can be used to recover values recently placed in the LFB while Fallout allows the attacker to recover the value of a specific attacker-chosen writes in the store buffer.

#### 2 Background

In this section, we provide the background required to understand our attack, including a description of caches and cache attacks, transient execution attacks, and Intel Transactional Synchronization Extensions.

## 2.1 Caches and Cache Attacks

Caches are an essential part of modern processors. They are small and fast memories where the CPU stores copies of data from the main memory to hide the main memory access latency. Modern CPUs have a variety of different caches and buffers for various purposes. The main cache hierarchy is the instruction and data cache hierarchy consisting of multiple levels, which vary in size and latency. The L1 is the smallest and fastest cache. The L3 cache, also called the last-level cache (LLC), is typically the largest and slowest.

Cache Organization. Modern caches are typically set-associative, i.e., a cache line is stored in a fixed set, as determined by part of its virtual or physical address. Addresses that map to the same set are called *congruent*. On modern processors, the last-level cache is typically physically indexed and shared across cores. It is also often inclusive of L1 and L2, which means that all data stored in L1 and L2 is also stored in the last-level cache. The cache hierarchy exposes the latency difference between the main memory access (cache miss) and the cache access (cache hit), i.e., exactly the latency difference that caches introduce. This can be used in side channels on a non-colluding victim or in covert channels where sender and receiver collude to transmit information.

**Cache Attacks.** Different cache attack techniques have been proposed in the past, such as Prime+Probe [45, 47] and Flush+Reload [58]. Flush+Reload attacks and its variants [17, 19,36,60] work on shared memory at a cache-line granularity. The attacker repeatedly flushes a cache line and measures how long it takes to reload it. The reload time will always be high unless another process has reloaded the cache line back into the cache. In contrast, Prime+Probe attacks work without shared memory, and only at a cache-set granularity. The attacker repeatedly accesses a set of congruent memory addresses, filling an entire cache set with its own cache lines, and measures how long that takes. As this is repeated in a loop, the cache set is always filled with the attacker's cache lines. Hence the access time will always be rather low. However, if another process accesses a memory location in the same cache set, it will evict one of the attacker's cache lines and the access time will increase.

Cache attacks have been used to break cryptographic implementations [11, 12, 38, 45, 47, 58, 59], infer user input [19,36,48], and break system-level security [18,24]. Both Prime+Probe and Flush+Reload have also been used in high-performance covert channels [17,38,42], also as a building block of transient execution attacks such as Meltdown [37], Spectre [32], and Foreshadow [55,57] that we detail below.

# 2.2 Superscalar Processors

To achieve their high performance, modern processors are often *superscalar*, that is, they perform multiple operations in parallel. In current implementations, e.g., in modern Intel processors (refer Fig. 1), execution of a program is divided between two main parts. The *frontend* is responsible for processing the machine-code instructions of the program, decoding them to a stream of *micro-ops* ( $\mu$ OPs) that are sent to the *Execution Engine* for execution.

**Out-of-order Execution.** The execution engine consists of multiple execution units, which can execute various  $\mu$ OPs. To allow superscalar execution, the execution engine follows a variant of Tomasulo's algorithm [54], which executes  $\mu$ OPs when the data they depend on is available, rather than following strict program order. Once executed, the  $\mu$ OPs arrive at the *reorder buffer* whose purpose is to *retire*  $\mu$ OPs in program order, ensuring that architecturally-visible effects of  $\mu$ OPs execute in the order the programmer specified.

**Speculative Execution.** The stream of  $\mu$ OPs that the frontend generates does not necessarily correspond to the sequence of instructions in the program. A major cause of deviation is *branch prediction*. When the frontend reaches a branch instruction, it often does not yet know where execution will proceed. Instead of waiting, the frontend attempts to predict the outcome of the branch and proceed from there. In the case that the prediction is correct, the generated  $\mu$ OPs match the program and can be processed. Otherwise, at some later stage, the processor notices the *misprediction*. The frontend

<sup>&</sup>lt;sup>1</sup>Both teams made contact on May 7th, provided each other with an overview of their findings, and coordinated public disclosure as well as communication with Intel. For a complete timeline describing the flow of information related to this disclosure, see mdsattacks.com.



Figure 1: Simplified illustration of a single core of the Intel's Skylake microarchitecture (as presented in [37]). Instructions are decoded into  $\mu$ OPs and executed out-of-order in the execution engine by individual execution units.

is then *steered* to the correct instruction, and  $\mu$ OPs generated as part of the misprediction are dropped by the reorder buffer without committing any of their results to the architectural state of the processor. Following [6], we refer to  $\mu$ OPs that are not retired as *transient*. Similarly, following [13], we use refer to  $\mu$ OPs other than the one waiting for retirement as *speculative*. We note that speculative  $\mu$ OPs do not necessarily result from speculative execution. The are called speculative because the execution engine cannot determine whether they are transient or not.

# 2.3 The Memory Subsystem

In this work, we are mainly interested in how memory load and store operations are implemented. The main two issues we deal with are how to resolve the physical addresses used by these instructions and how to ensure that out-of-order execution does not break dependencies between these instructions.

#### 2.4 Transient Execution Attacks

While transient execution does not influence the architectural state of the processor, it can change the microarchitectural state. Transient execution attacks abuse transient execution to execute a few instructions transiently and modify the microarchitectural state. The change in the microarchitectural state is then observed using a covert-channel attack. Spectretype [32] attacks exploit different prediction mechanisms, while Meltdown-type [37,55] attacks exploit transient execution following a CPU exception.

**Spectre Attacks.** The first Spectre attacks focused on the CPU's Pattern History Table (PHT), Branch History Buffer (BHB), and Branch Target Buffer (BTB) as microarchitectural data structures causing mispredictions [32]. Both transient loads and stores [31] are possible, leading to a variety of attacks, including reading and writing from out-of-bound memory locations, transferring control-flow to arbitrary addresses via mispredicted indirect jumps [32] or returns [33,40]. In all Spectre attacks, the attacker mistrains the processor by performing a certain type of branches, influencing the corresponding microarchitectural predictor. Subsequently, the victim runs with incorrect predictions and thereby leaks data. While Spectre attacks can only leak architecturally accessible data, the mistraining works across privilege boundaries, e.g., the kernel-to-user boundary, or SGX. Another type of Spectre attacks is based on unsuccessful load-to-store forwarding [23]. Spectre attacks can even be mounted in remote scenarios, i.e., from JavaScript [32] or just by sending requests to a vulnerable system [49].

Meltdown Attacks. Meltdown-type attacks do not exploit misprediction. Instead, they exploit deferred handling of permission checks. Before the permission check is performed and the attacker process triggers a processor exception architecturally, the data is already handed to the subsequent instructions that are also transiently executed. The first Meltdown attack [37] exploits the deferred permission check for the user/supervisor bit in the page tables, allowing to leak arbitrary memory mapped in the kernel address space. Other Meltdown attacks similarly exploit the deferred check of present or reserved bits in page table entries [55,57], the writable bit in the page table entry [31], or the permission check when reading system registers [4,25].

Countermeasures. Recognizing the danger posed by transient execution attacks, a wide range of defenses have been proposed to defend against them. However, to date, it is unclear which defenses actually increase the security level and which are trivially bypassable [6,43]. One defense where the consensus across academia and industry is that it protects against Meltdown, if correctly implemented, is KAISER [16]. KAISER is the idea of duplicating the page table hierarchies for every process, once with the kernel space map-

pings present and once without. When running in user space the mapping without the kernel space is used. The idea of KAISER has been integrated into all major operating systems, e.g., in Linux as KPTI [39], in Windows as KVA Shadow [28], and in Apple's xnu kernel as double map [35]. While KAISER costs performance, the use of PCID and ASID on modern processors reduced the overheads for real-world workloads to almost zero [14]. More recent processors ship with hardware patches and hence have the KAISER patch disabled by default [8].

#### 2.5 Exception Creation

As explained in Section 2.4, in a Meltdown-type attack the attacker exploits the deferred enforcement of permissions (i.e., deferred exception handling) present in Intel CPUs in order to obtain privileged information. In the original Meltdown attack [37], the attacker exploits the delayed enforcement of the User / Supervisor bit in the CPU's hardware in order to read privileged information and subsequently leak it through a covert channel. Next, in Foreshadow [55] and Foreshadow-NG [57], the attacker exploits the fault cases of a page marked as non-present and therefore cannot be accessed.

## 2.6 Exception Suppression

One problem common to Meltdown-type attacks is that the instructions they exploit cause exceptions, which by default terminate the program. Four main approaches have been suggested for handling this termination. In the fork-and-crash approach, a forked process executes the attack, and its parent resumes after the process terminates. Exception handling sets up a signal handler to catch the exception and resume execution. A third option suppresses the exception by wrapping the attack code in a mispredicted branch or call, which speculatively executes the attack. Finally, the exception can be suppressed by wrapping it in a hardware transaction. The last approach is the most effective [37] and most widely applicable [55, 57]. Given its applicability, in Section 2.7 below, we provide additional details about exception suppressing using hardware transactions. We refer interested readers to [37] for further information on the other approaches.

# 2.7 Transactional Memory

Intel's Transactional Synchronization Extensions (TSX) is an instruction set extension to the x86-64 architecture that supports hardware transactions. In a nutshell, a transaction is a sequence of instructions that are either executed atomically or not executed at all. Atomic execution implies that concurrent threads cannot observe intermediate updates from the transaction and the thread executing the transaction cannot observe any changes from other threads.

**Implementing TSX Transactions.** Transactions are delimited by two instructions. The XBEGIN instruction starts a transaction and XEND terminates it. The XBEGIN instruction also specifies an abort location where execution continues if the transaction fails. Transaction implementation mostly relies on existing processor mechanisms. Instructions following XBEGIN are not retired and instead are kept in the reorder buffer until the XEND is executed. If the transaction is aborted, all pending instructions in the transaction are discarded, and the architectural state of the processor is reverted to the state before the XBEGIN. To revert memory state and to maintain atomicity, memory stores inside a transaction modify the L1 cache but are not evicted to lower memory layers, and memory lines read in a transaction remain in the last-level cache. TSX locks the affected lines to protect against concurrent modifications and reads of modified lines.

**Transaction Aborts.** If concurrent processes try to write to these locked lines, the transaction aborts and is rolled back. Similarly, if the processor runs out of cache space for the transaction data, the transaction aborts. This behavior of TSX transactions has been exploited for both side-channel attacks and defenses [9, 15, 51]. Transactions also abort in other scenarios. In particular, transactions abort when the processor receives an exception or if an instruction within the transaction causes a fault. Thus, when a Meltdown-type attack is enclosed in a TSX transaction, the faulting instruction causes a transaction abort, which effectively reverses the architectural state of the processor to the state prior the XBEGIN instruction, suppressing the fault. Yet, as [37] observe, the microarchitectural state of the processor is not reverted when a transaction aborts, allowing the attacker to recover information from the aborted instructions.

# 3 The Write Transient Forwarding Optimiza-

In this section, we discuss the WTF optimization that is exploited with the Fallout attack. First, we will illustrate the basic idea of Fallout with a simple toy example before discussing the hardware mechanisms responsible for the attack.

## 3.1 A Toy Example

Listing 1 shows a simple code snippet which exploits the WTF optimization to read variables without directly accessing them. While this example does not have security implications on its own, it nonetheless shows the general concept behind Fallout, allowing user-level code to read information stored in the CPU's store buffer without directly accessing the address corresponding to that information.

**Setup.** First, 2 pages are allocated. The victim\_page is a user space accessible page where the user can store and read data. However, by setting the protection level to PROT\_NONE

```
char* victim_page = mmap(..., PAGE_SIZE, ...);
  char* attacker_page = mmap(..., PAGE_SIZE,
       . . . ) ;
   mprotect(attacker_page, PAGE_SIZE, PROT_NONE);
   offset = 7;
   victim_page[offset] = 42;
   if (tsx_begin() == 0) {
    memory_access(lut + 4096 * attacker_page[
         offset]);
11
12
13 for (i = 0; i < 256; i++)
    if (flush_reload(lut + i * 4096)) {
14
15
       report (i);
16
```

Listing 1: Pseudocode of Fallout. Some mmap parameters were omitted for clarity

on the attacker\_page, all access permissions to this page are revoked and the page is marked as *not-present*. Thus, any access to the attacker\_page will yield an exception.

Next, we write the value 42 to the offset 7 of the victim\_page. Rather than executing the write to memory immediately, the processor first notes the operation in the store buffer. We note that the code in Listing 1 never reads from the victim\_page directly.

Reading Previous Stores. Instead of reading from the victim page at the specified offset, the code starts a TSX transaction (Line 8) and reads from the attacker\_page. As the page is inaccessible, the memory access will fail and the TSX transaction aborts. However, the exception will be only handled by the reorder buffer when the memory access operation is retired. In the meantime, due to the WTF optimization, the CPU will transiently forward the value of the previous store at the same page offset. Thus, the memory access will pick-up the value of the store to the victim\_page, in this example 42. Using a cache-based covert channel, the incorrectly forwarded value is transmitted. Finally, when the failure and transaction abort are handled, the architectural effects of the transiently executed code are reverted.

Recovering the Leaked Data. Using Flush+Reload, the attacker can recover the leaked value from the cache-based covert channel in Line 14. Fig. 2 displays the results of measured access times to the look-up-table (lut) on a Meltdownresistant i9-9900K CPU. As the figure illustrates, the typical access time to an array element is above 200 cycles, with the exception of element 42, where the access time is well below 100 cycles. We note that this position matches the value written to target\_page. Hence, the code can recover the value without directly reading it.



Figure 2: Access times to the probing array during the execution of Listing 1. The dip at 42 represents a correct recovery of the value from the store buffer.

#### 3.2 The Mechanism Behind Fallout

We now turn our attention to the *store buffer*, a microarchitectural component, which lies in the core of WTF and Fallout.

**The Store Buffer Implementation.** When the CPU writes data to memory, it needs to first resolve the virtual address to a physical address. Then it acquires exclusive access to the cache line of the target data. Rather than waiting, the processor stores the information to the store buffer.

Fig. 3 shows the structure of the store buffer according to Intel patents [2, 3]. Based on these patents, a store operation is implemented using two  $\mu$ OPs, store address (STA) and store data (SDA). Splitting the operation to two  $\mu$ OPs allows the processor to process the parts independently and asynchronously.

Asynchronous processing raises the issue of memory ordering. Specifically, operations that access the same memory locations must be performed at the order specified in the program and, in particular, load operations should get the value from preceding stores to the same address. Intel published some properties of the store buffer [27]. However, we are not aware of any public documentation of the algorithms used for resolving memory access conflicts. Intel's patents on the topic [2,3,34] suggest that the store buffer is virtually indexed, but each entry also includes parts of the physical address, such that mismatches on the partial addresses ensure the absence of dependencies, allowing loads to proceed without waiting for full address resolution.

**Write Transient Forwarding.** An algorithm for handling partial address matches appears in another Intel patent [22]. Remarkably, the patent explicitly states that:

"if there is a hit at operation 302 [partial match using page offsets] and the physical address of the load or the store operations is not valid, the physical address check at operation 310 [full physical address match] may be considered as a hit"

That is, if address translation of a load  $\mu$ OP fails and the 12 least significant bits of the load address match those of a prior store, the processor assumes that the physical addresses of the load and the store match and forwards the previously stored value to the load  $\mu$ OP. We note that the failed load is



Figure 3: Structure of the store buffer on Intel CPUs.

transient and will not retire, hence WTF has no architectural implications. However, as this work demonstrates, microarchitectural side effects of transient execution following the failed load may result in inadvertent information leaks. Given the surprising nature of this optimization and its security consequence, we refer to it as the Write Transient Forwarding (WTF) optimization.

**Fault and Suppression Mechanisms.** To better understand the WTF mechanism, we evaluate the toy example in Listing 1 with multiple combinations of causes of faults and fault-suppression mechanisms. We experimented with three Intel processors: a Coffee Lake R i9-9900K, a Kaby Lake i7-7600U, and a Skylake i7-6700. We summarize the results in Table 1.

We observe that unlike earlier generations, the Coffee Lake R processor exhibits a different behavior based on the fault suppression mechanism. Specifically, in the example in Listing 1 replacing the TSX fault suppression mechanism with branch misprediction does not trigger the WTF optimization, and the value does not leak. We suspect that the processor inhibits some forms of speculative execution within branch misprediction while allowing it in TSX transactions. Moreover, the Coffee Lake R processor does not seem to trigger the WTF optimization when a load fails due to a read from a kernel page. We note that transient reads from such pages is the main cause of the Meltdown bug. Thus, we conjecture that the differences in behavior between the processor generations are due to the recent mitigations for the Meltdown and Foreshadow attacks introduced in the Coffee Lake R architecture [REFS].

Also note that, for completeness, we tested whether WTF can be triggered by Supervisor Mode Access Prevention (SMAP) features in recent Intel processors. For this experiment, we explicitly dereference a user space pointer in kernel mode such that SMAP raises an architectural fault. We observed that SMAP violations may successfully trigger the WTF optimization. While we do not consider this to be an exploitable attack scenario, SMAP was to te best of our knowl-



Figure 4: Measuring the size of the store buffer on Kaby Lake and Coffee Lake machines. In the experiment, we perform multiple writes to the store buffer and subsequently measure the probability of retrieving the value of the first (oldest) store. The results agree with 56 entries in the store buffer and with a static partitioning between hyperthreads.

edge previously considered to be immune to any Meltdowntype effects [6].

**Coffee Lake R Regression.** We also note a troubling *regression* in Intel's newest architecture. When accessing a page marked as non-present, we can only trigger the WTF optimization on the Coffee Lake Refresh processor.

# 3.3 Measuring the Store Buffer Size

We now turn our attention to measuring the size of the store buffer. Intel advertises that Skylake processors have 56 entries in the store buffer [41]. We could not find any publications specifying the size of the store buffer in newer processors, but as both Kaby Lake and Coffee Lake R are not major architectures, we assume that the size of the store buffers has not changed. As a final experiment in this section, we now attempt to use Fallout to confirm this assumption. To that aim, we perform a sequence of store operations, each to a different address. We then use a faulty load aiming to trigger a WTF optimization and retrieve the value stored in the first (oldest) store instruction. For each number of stores, we attempt 100 times at each of the 4096 page offsets, to a total of 409,600 per number of stores. Fig. 4 shows the likelihood of triggering the WTF optimization as a function of the number of stores for each of the processor and configurations we tried. We see that we can trigger the WTF optimization provided that the sequence has up to 55 stores. This number matches the known data for Skylake and confirms our assumption that it has not changed in the newer processors.

The figure further shows that merely enabling hyperthreading does not change the store buffer capacity available to the process. However, running code on the second hyperthread of a core halves the available capacity, even if the code does not perform any store. This confirms that the store buffers are statically partitioned between the hyperthreads [27], and

| Fault Suppression  | Transactional Memory (TSX) |               | Branch Misprediction |               |
|--------------------|----------------------------|---------------|----------------------|---------------|
| Architecture       | Pre Coffee Lake R          | Coffee Lake R | Pre Coffee Lake R    | Coffee Lake R |
| User not present   | X                          | $\bigcirc$    | X                    | ×             |
| Kernel data        | ✓                          | ×             | ✓                    | <b>(X</b> )   |
| Kernel code        | ✓                          | ✓             | ✓                    | ✓             |
| Kernel not present | X                          | X             | X                    | ×             |
| SMAP               | ✓                          | <b>√</b>      | ✓                    | ×             |

Table 1: Evaluating different fault-inducing and fault-suppression mechanisms on Intel architectures before Coffee Lake R and on Coffee Lake R. 

indicates that our attack can successfully leak data, while indicates no leakage was observed. Finally, we denote the case of the Coffee Lake R regression with indicates following hardware countermeasures are marked with indicates that our attack can successfully leak data, while indicates no leakage was observed. Finally, we denote the case of the Coffee Lake R regression with indicates that our attack can successfully leak data, while indicates no leakage was observed. Finally, we denote the case of the Coffee Lake R regression with indicates that our attack can successfully leak data, while indicates no leakage was observed. Finally, we

also shows that partitioning takes effect only when both hyperthreads are active.

#### 4 Using Fallout to Break Kernel Isolation

In this section, we show that Fallout can leak information from the OS kernel to unprivileged users. We first explore a contrived scenario where a dedicated kernel module writes data without doing any useful computation. We then proceed to a more realistic scenario and show leakage from real code running inside the kernel.

## 4.1 Leaking Memory Writes from the Kernel

Our proof-of-concept implementation consists of two components. The first is a kernel module that writes to a predetermined virtual address in a kernel page. The second is a user application that performs a faulty load from an address in a user page, such that the page offset of this address the same as the page offset the kernel module writes to. Exploiting the WTF optimization, the user application can retrieve the data written by the kernel. We now proceed to describe both parts of our proof-of-concept implementation.

The Kernel Module. Our kernel module performs a sequence of write operations each to a different page offset in a different kernel page. These pages, like other kernel pages, are not directly accessible to user code. On older processors, such addresses may be accessible indirectly via Meltdown. However, we do not exploit this and assume that the user code does not or cannot exploit Meltdown.

The Attacker Application. The attacker application aims to retrieve kernel information that would normally be inaccessible outside the kernel. The attacker code first uses mprotect to revoke access to a page. It then invokes the kernel module to perform the kernel writes. When the kernel module returns, the attacker performs a faulty load from the protected page, before transiently leaking the value through a covert cache channel.

**Increasing the Window for the Faulty Load.** To increase the time window for the faulty load, our attacker code further



Figure 5: Probability of recovering kernel values from user space as a function of the number of kernel stores.

delays processing the kernel store by performing a sequence of store operations before invoking the kernel module. Store buffer entries are processed and stored in the cache in program order [2, 3, 22, 29]. Thus, filling the store buffer delays processing of later stores. We further increase the effect of these store operations by first flushing the addresses they write to from the cache.

**Experimental Evaluation.** We measure the number of stores that the kernel needs to perform for Fallout to be able to recover a value it stores before returning user space. We use our three Intel machines with a fully updated Ubuntu 16.04, keeping the kernel mapped in the process's address space. Fig. 5 shows the results of our evaluation, where each experiment is repeated 409,600 times, 100 at each possible page offset. As the figure shows, after about 10 kernel writes the attacker can use Fallout to recover a value written by the kernel on both machines with about 80% probability.

On processors vulnerable to Meltdown, leaving the kernel mapped in the process's address space disables KPTI, allowing Meltdown attacks on the kernel. For the Coffee Lake R processor, which includes hardware countermeasures for Meltdown, KPTI is disabled by default. In particular, the experiments for this processor in Fig. 5 are with the default Ubuntu configuration. Ironically, this means that the hardware countermeasures in Intel's latest CPU generations make

them more vulnerable to Fallout.

#### 4.2 Attack on the AES-NI Key Schedule

The attack we describe above assumes the most favorable scenario for the attacker. We now proceed to a more realistic scenario where we show that when the kernel processes a secret encryption key it may leak enough information for the user process to recover the key.

The Linux Kernel cryptography API supports several standard cryptographic schemes that are available to third-party kernel modules and device drivers which need cryptography. For example, the Linux key management facility and disk encryption services, such as eCryptfs [21], heavily rely on this cryptographic library.

To show leakage from the standard cryptographic API, we implemented a kernel module that uses the library to provide user applications with an encryption oracle. We further implemented a user application that uses the kernel module. The AES keys that the kernel module uses are only stored in the kernel and are never shared with the user. However, our application exploits Fallout to leak these keys from the kernel. We now describe the attack in further details.

**AES and AES-NI.** A 128-bit AES encryption or decryption operation consists of 10 *rounds*. The AES key schedule algorithm expands the AES master key to generate a separate 128-bit *subkey* for each of these rounds. An important property of the key scheduling algorithm is that it is reversible. Thus, given a subkey, we can reverse the key scheduling algorithm to recover the master key. For further information on AES, see [44].

Because encryption is a performance-critical operation and to protect against side-channel attacks [46], recent Intel processors implement the AES-NI instruction set [20], which provides instructions that perform parts of the AES operations. In particular the AESKEYGENASSIST instruction performs part of the key schedule algorithm.

```
1 aeskeygenassist $0x1, %xmm0, %xmm1
  callq <_key_expansion_128>
   aeskeygenassist $0x2, %xmm0,
  callq <_key_expansion_128>
   <_key_expansion_128>:
  pshufd $0xff, %xmm1, %xmm1
  shufps $0x10, %xmm0, %xmm4
          %xmm4,%xmm0
  pxor
  shufps $0x8c, %xmm0, %xmm4
11 pxor
          %xmm4,%xmm0
12 pxor
          %xmm1,%xmm0
13 movaps %xmm0, (%r10)
14 add
          $0x10,%r10
15 retq
```

Listing 2: AES-NI Key Schedule

**Key Scheduling in Linux.** The Linux implementation



Figure 6: Frequency of observed leaked values. We note that offset 0x110 shows more leakage then others. Confirming against the ground truth, we find that all the leaked values at that offset match the subkey byte.

stores the master key and the 10 subkeys in consecutive memory locations. With each subkey occupying 16 bytes, the total size of the expanded key is 176 bytes. Where available, the Linux Kernel cryptography API uses AES-NI for implementing the AES functionality. Part of the code that performs key scheduling for 128-bit AES appears in Listing 2. Lines 1 and 3 invoke AESKEYGENASSIST to perform a step of generating a subkey for a round. The code then calls the function \_key\_expansion\_128, which completes the generation of the subkey. The process repeats ten times, once for each round. (To save space we only show two rounds.)

\_key\_expansion\_128 starts at Line 6. It performs the operations needed to complete the generation of a 128-bit AES subkey. It then writes the subkey to memory (Line 13) before advancing the pointer to prepare for storing the next subkey (Line 14) and returning.

**Finding the Page Offset.** Our aim is to capture the key by leaking the values stored in Line 13. For that, the user application repeatedly invokes the kernel interface that perform the key expansion as part of setting up an AES context. Because the AES context is allocated dynamically, its address depends on the state of the kernel's memory allocator at the time the context is allocated. This prevents immediate use of Fallout because the attacker does not know where the subkeys are stored.

We use Fallout to recover the page offset of the AES context. Specifically, the user application scans page offsets. For each offset it asks the kernel module to initialize the AES context. It then performs a faulty load from a protected page at the scanned offset, and checks if any data leaked. To reduce the number of scanned offsets, we observe that, as described above, the size of the expanded key is 176 bytes. Hence, we can scan at offsets that are 128 bytes apart and have the confidence that at least one of these offsets falls within the expanded key. Indeed, running the attack for 5 minutes we get Fig. 6. The figure shows the number of leaked values at each offset over the full five minutes. We note the spike at

offset 0x110. We compare the result to the ground truth and find that the expanded key indeed falls at offset 0x110. We further find that the leaked byte matches the value at page offset 0x110.

**Key Recovery.** Once we find one offset within the expanded key, we know that neighboring offsets also fall within the expanded key and we can use Fallout to recover the other key bytes. We experiment with 10 different randomly selected keys and find that we can recover the 32 bytes of the subkeys of the two final rounds (rounds 9 and 10) without errors within two minutes. Reversing the key schedule on the recovered data gives us the master key.

#### 5 Using Fallout to Break KASLR

We now show how Fallout can be used to break Kernel Address Space Layout Randomization (KASLR).

#### 5.1 KASLR Background

Code injection attacks are a type of vulnerability where the attacker injects code to the address space of the victim and subsequently diverts the victim's control flow to execute the injected code. A common protection for such attacks is to adopt a policy where memory pages are either writable or executable, but never both.

ROP and Return-to-Libc Attacks. Return-to-libc [52] and return oriented programming (ROP) [50] are two related techniques that reuse existing code for exploiting memory corruption vulnerabilities. In a nutshell, by overwriting the stack, the attacker can hijack the control flow, and direct execution into *gadgets* that exist in the victim's code or in linked libraries. [50] demonstrates that a typical library contains enough gadgets that, when threaded, can perform arbitrary computation.

**ASLR.** Address Space Layout Randomization (ASLR) is a probabilistic countermeasure for ROP. The main idea is to introduce randomness the in the victim memory layout, hiding it from the attacker. That is, when a process is initialized, ASLR randomizes the locations of the code and the data (see Fig. 7 (top)). With ASLR, the attacker needs to find the addresses of code gadgets to be able to use them.

**KASLR on Linux Systems.** On Linux systems, KASLR had been supported since kernel version 3.14 and enabled by default since around 2015. As [30] note, the amount of entropy present depends on the kernel address range as well as on the alignment size which is usually multiple of page size.

**KASLR and KPTI.** As a countermeasure to the Meltdown attack [37], OSs running on Intel processors up to the latest Coffee Lake architecture have deployed the Kernel Page Table Isolation (KPTI) mechanism, which removes the kernel from the address space of user processes (see Fig. 7 (bottom)). To



Figure 7: (Top) Address space layout with KASLR but without KPTI. (Bottom) User address space with KASLR and KPTI. Most of the kernel is not mapped in the process's address space anymore.

allow the process to switch to the kernel address space, the system leaves at least one kernel page in the address space of the user process. Because the pages required for the switch do not contain any secret information, there is no need to hide it from Meltdown.

The KPTI patch is based on KAISER [16], which was originally designed to protect the kernel from side-channel attacks that break KASLR [18, 24, 30]. We now proceed to show that Fallout can reveal the location of the kernel entry page left in the user address space, thereby breaking KASLR.

## 5.2 Using Fallout to Break Kernel ASLR

Attack Overview. Our attack is based on the disparity between the effects of causes of faults (see Table 1). Specifically, we note that when accessing an unmapped kernel page, the WTF optimization is not triggered and the Fallout attack fails. Thus, to perform the attack, we replace the read from attacker\_page in Line 9 with a read from a page within the kernel address range. When the page we access is mapped, Fallout succeeds and we retrieve a value from the store buffer. Otherwise no value is retrieved from the store buffer.

**Experimental Setup.** We evaluate Fallout on two Intel machines, a Kaby Lake i7-7600U and a Coffee Lake R i9-9900K. Both machines run a fully updated Ubuntu 16.04 system, with all countermeasures in their default configuration. On both systems, we empirically test the possible locations on the kernel in its address space obtaining about 490 locations, implying about 9 bits of entropy.

**Experimental Results.** We run the attack 1000 times each, on both the Kaby Lake and the Coffee Lake machines. Our attack can recover the kernel location with 100% accuracy on both machines, within about 0.27 seconds.

#### 6 Transient Execution and Microcode Assists

Recall (Section 2.4) that [6] classifies transient execution attacks based on the cause of transient execution. Spectre-type attacks are caused by misprediction of data or control flow, whereas Meltdown-type attack are caused by transient execution beyond a fault. We now investigate *microcode assists*, a microarchitectural mechanism that has not yet been explored in the context of transient execution attacks. We identify  $\mu$ OP redispatching, which occurs as part of invoking microcode assists, as a new cause for transient execution that extends the classification of [6].

#### **6.1** Microcode Assists

 $\mu$ OPs are typically implemented in hardware. However, when complex processing is required for rare corner cases, it may not be cost effective to implement some of the functionality in hardware. Instead, if such a case occurs during the execution of a  $\mu$ OP, the  $\mu$ OP is *redispatched*, i.e., sent back to the dispatch queue for execution, together with a *microcode assist*, a microcode procedure that handles the more complex scenario.

The Intel optimization manual [27] lists two scenarios in which microcode assists are invoked: when handling subnormal floating point numbers and in some cases during the processing of the VMASKMOV (Conditional SIMD Packed Loads and Stores) instruction. [7] lists further scenarios.

In this work we are interested in microcode assists that occur as part of the virtual to physical address translation. While Intel does not publish official documentation on the process, it has applied for a related patent [13], on which we base our discussion. We only describe the parts of the patent that are relevant to this work. We refer the reader to the patent application for a more complete description.

When the processor handles a memory access (load or store) it needs to translate the virtual address specified by the program to the corresponding physical address. For that, the processor first consults the Data Translation Look-aside Buffer (DTLB), which caches the results of recent translations. In the case of a page miss, i.e., when the virtual address is not found in the DTLB, the page miss handler (PMH) attempts to consult the page map to find the translation. In most cases this translation can be done while the  $\mu$ OP is speculative. However, in some cases the page walk has side effects that cannot take place until the  $\mu$ OP retires. Specifically, store operations should mark pages as dirty and all memory operations should mark pages as accessed. Performing these side effects while the  $\mu$ OP is speculative risks generating an architecturally-visible side effect for a transient  $\mu$ OP. (Recall that the processor cannot determine whether speculative  $\mu$ OPs will retire or not.) At the same time, recording all the information required for setting the bits on retirement would require a large amount of hardware that will only be used in relatively

rare cases. Thus, to handle these cases, the processor redispatches the  $\mu$ OP and arranges for a microcode assist to set the bits when the  $\mu$ OP retires.

#### **6.2** Fallout and Microcode Assists

To test the effects of microcode assists on Fallout, Use the code in Listing 3. The code is basically the same as Listing 1, except that we use SGX-Step [5] to replace the call to mprotect and instead mark attack\_page as not accessed (Line 7). Furthermore, because microcode assists do not generate faults, we do not need fault suppression, and remove the TSX transaction.

Listing 3: Pseudocode of Fallout with microcode assists. Note that no fault suppressison is required.

Recovering the Leaked Data. As in Section 3.1 we use Flush+Reload to recover the leaked data. We repeat the experiment on three processor generations: Skylake, Kaby Lake, and Coffee Lake R. In all architectures reading from the entry in the probe array corresponding to the value 42 has a short access time.

# 6.3 Assist-based vs. Meltdown-type

[6] list several properties of Meltdown-type attacks. Assist-based transient execution shares *some* properties with Meltdown. Specifically, it relies on deferred termination of a  $\mu$ OP to bypass hardware security barriers and attacks based on it can be mitigated by preventing the original leak. However, unlike Meltdown-type techniques, assists do not rely on faults. Consequently, no fault suppression techniques are required.

# 7 Countermeasures

**Flushing-Based Countermeasures.** Because the store buffer is not shared across hyperthreads, leaks can only occur when the security domain changes within a hyperthread.

Thus, flushing the store buffer on security domain change is sufficient to mitigate the attack. In particular, we verified that using MFENCE as part of the switch from kernel mode to user mode thwarts the attack.

**Limitations.** As mentioned above, the attacks described in Section 4 are unable to leak information across hyperthreads . Moreover, as Meltdown software countermeasures (KPTI) flush the buffer on leaving the kernel, and as the store buffer is automatically flushed on change of the CR3 register (i.e., on context switch), only latest generation Coffee Lake R machines are vulnerable to the attack described in Section 4. Ironically, the hardware mitigations present in newer generation Coffee Lake R machines make them more vulnerable to Fallout than older generation hardware.

# 8 Conclusion

With Fallout, we demonstrate a novel Meltdow-type effect exploiting a previously unexplored microarchitectural component, namely the store buffer. The attack enables an unprivileged attacker to leak recently written values from the operating system. Furthermore, we demonstrate how Fallout allows to break kernel ASLR with 100% accuracy within 0.27 seconds. While Fallout affects various processor generations, we showed that also recently introduced hardware mitigations are not sufficient and futher mitigations need to be deployed.

# Acknowledgments

This research was supported in part by Intel Corporation. The research presented in this paper was partially supported by the Research Fund KU Leuven. Jo Van Bulck is supported by a grant of the Research Foundation – Flanders (FWO). The project was supported by the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement No 681402). It was also supported by the Austrian Research Promotion Agency (FFG) via the K-project DeSSnet, which is funded in the context of COMET – Competence Centers for Excellent Technologies by BMVIT, BMWFW, Styria and Carinthia. Additional funding was provided by a generous gift from Intel. Researchers from Worcester Polytechnic Institute are supported by National Science Foundation under the grant CNS-1618837 and CNS-1814406.

Any opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of the funding parties.

## References

[1] Speculative store bypass / CVE-2018-3639 / INTEL-SA-00115. https://software.intel.com/security-software-guidance/software-guidance/speculative-store-bypass, 2018. [Online; accessed 30-January-2019].

- [2] Jeffery M Abramson, Haitham Akkary, Andrew F Glew, Glenn J Hinton, Kris G Konigsfeld, and Paul D Madland. Method and apparatus for performing a store operation. US Patent 6,378,062, April 23 2002.
- [3] Jeffrey M Abramson, Haitham Akkary, Andrew F Glew, Glenn J Hinton, Kris G Konigsfeld, Paul D Madland, David B Papworth, and Michael A Fetterman. Method and apparatus for dispatching and executing a load operation to memory. US Patent 5,717,882, February 10 1998.
- [4] ARM Limited. Vulnerability of speculative processors to cache timing side-channel mechanism. 2018.
- [5] Jo Van Bulck, Frank Piessens, and Raoul Strackx. SGX-Step: A practical attack framework for precise enclave execution control. In SysTEX@SOSP, pages 4:1–4:6, 2017.
- [6] Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin, and Daniel Gruss. A systematic evaluation of transient execution attacks and defenses. arXiv preprint arXiv:1811.05441, 2018.
- [7] Victor Costan and Srinivas Devadas. Intel SGX explained. IACR Cryptology ePrint Archive, 2016:86, 2016.
- [8] Ian Cutress. Analyzing Core i9-9900K performance with Spectre and Meltdown hardware mitigations. https://www.anandtech.com/ show/13659/analyzing-core-i9-9900k-performance-withspectre-and-meltdown-hardware-mitigations, 2018. [Online; accessed 30-January-2019].
- [9] Craig Disselkoen, David Kohlbrenner, Leo Porter, and Dean M. Tullsen. Prime+Abort: A timer-free high-precision L3 cache attack using Intel TSX. In *USENIX Security*, pages 51–67, 2017.
- [10] Qian Ge, Yuval Yarom, David Cock, and Gernot Heiser. A survey of microarchitectural timing attacks and countermeasures on contemporary hardware. J. Cryptographic Engineering, 8(1):1–27, 2018.
- [11] Daniel Genkin, Lev Pachmanov, Eran Tromer, and Yuval Yarom. Driveby key-extraction cache attacks from portable code. In ACNS, pages 83–102, 2018.
- [12] Daniel Genkin, Luke Valenta, and Yuval Yarom. May the fourth be with you: A microarchitectural side channel attack on several real-world applications of Curve25519. In CCS, pages 845–858, 2017.
- [13] Andy Glew, Glenn Hinton, and Akkary Haitham. Method and apparatus for performing page table walks in a microprocessor capable of processing speculative instructions. US Patent 5,680,565, 1997.
- [14] Brendan Gregg. KPTI/KAISER Meltdown initial performance regressions, 2018.
- [15] Daniel Gruss, Julian Lettner, Felix Schuster, Olga Ohrimenko, István Haller, and Manuel Costa. Strong and efficient cache side-channel protection using hardware transactional memory. In *USENIX Security*, pages 217–233, 2017.
- [16] Daniel Gruss, Moritz Lipp, Michael Schwarz, Richard Fellner, Clémentine Maurice, and Stefan Mangard. KASLR is dead: Long live KASLR. In ESSOS, 2017.
- [17] Daniel Gruss, Clémentine Maurice, Klaus Wagner, and Stefan Mangard. Flush+Flush: A fast and stealthy cache attack. In DIMVA, 2016.
- [18] Daniel Gruss, Clémentine Maurice, Anders Fogh, Moritz Lipp, and Stefan Mangard. Prefetch side-channel attacks: Bypassing SMAP and kernel ASLR. In CCS, 2016.
- [19] Daniel Gruss, Raphael Spreitzer, and Stefan Mangard. Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches. In USENIX Security Symposium, 2015.
- [20] Shay Gueron. Intel advanced encryption standard (AES) new instructions set. White Paper 323641-001. Intel Corp., May 2010.
- [21] Michael Austin Halcrow. eCryptfs: An enterprise-class encrypted filesystem for Linux. In *Linux Symposium*, pages 209–226, 2005.

- [22] Sebastien Hily, Zhongying Zhang, and Per Hammarlund. Resolving false dependencies of speculative load instructions. US Patent 7.603.527, 2009.
- [23] Jann Horn. Speculative execution, variant 4: Speculative store bypass, 2018
- [24] Ralf Hund, Carsten Willems, and Thorsten Holz. Practical timing side channel attacks against kernel space ASLR. In S&P, 2013.
- [25] Intel. Intel analysis of speculative execution side channels, July 2018.
- [26] Intel. Speculative Execution Side Channel Mitigations, May 2018. Revision 3.0.
- [27] Intel Corporation. Intel 64 and IA-32 Architectures Optimization Reference Manual, April 2019.
- [28] Alex Ionescu. Windows 17035 kernel ASLR/VA isolation in practice (like Linux KAISER)., 2017.
- [29] Saad Islam, Ahmad Moghimi, Ida Bruhns, Moritz Krebbel, Berk Gulmezoglu, Thomas Eisenbarth, and Berk Sunar. SPOILER: Speculative load hazards boost Rowhammer and cache attacks. arXiv preprint arXiv:1903.00446, 2019.
- [30] Yeongjin Jang, Sangho Lee, and Taesoo Kim. Breaking kernel address space layout randomization with Intel TSX. In CCS, pages 380–392, 2016.
- [31] Vladimir Kiriansky and Carl Waldspurger. Speculative buffer overflows: Attacks and defenses. *arXiv:1807.03757*, 2018.
- [32] Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom. Spectre attacks: Exploiting speculative execution. In S&P, 2019.
- [33] Esmaeil Mohammadian Koruyeh, Khaled Khasawneh, Chengyu Song, and Nael Abu-Ghazaleh. Spectre returns! speculation attacks using the return stack buffer. In WOOT, 2018.
- [34] Steffen Kosinski, Fernando Latorre, Niranjan Cooray, Stanislav Shwartsman, Ethan Kalifon, Varun Mohandru, Pedro Lopez, Tom Aviram-Rosenfeld, Jaroslav Topp, and Li-Gao Zei. Store forwarding for data caches. US Patent 9,507,725, 2012.
- [35] Jonathan Levin. *Mac OS X and IOS Internals: To the Apple's Core*. John Wiley & Sons, 2012.
- [36] Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, and Stefan Mangard. ARMageddon: Cache attacks on mobile devices. In USENIX Security Symposium, 2016.
- [37] Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. Meltdown: Reading kernel memory from user space. In USENIX Security, 2018.
- [38] Fangfei Liu, Yuval Yarom, Qian Ge, Gernot Heiser, and Ruby B. Lee. Last-level cache side-channel attacks are practical. In S&P, 2015.
- $[39] \ \ LWN. \ The \ current \ state \ of \ kernel \ page-table \ isolation, \ December \ 2017.$
- [40] Giorgi Maisuradze and Cihristian Rossow. ret2spec: Speculative execution using return stack buffers. In CCS, 2018.
- [41] Julius Mandelblat. Technology insight: Intel's next generation microarchitecture code name Skylake. In Intel

  Developer Forum (IDF15). https://en.wikichip.org/
  w/images/8/8f/Technology\_Insight\_Intel%E2%80%
  99s\_Next\_Generation\_Microarchitecture\_Code\_Name\_Skylake.pdf.
- [42] Clémentine Maurice, Manuel Weber, Michael Schwarz, Lukas Giner, Daniel Gruss, Carlo Alberto Boano, Stefan Mangard, and Kay Römer. Hello from the other side: SSH over robust cache covert channels in the cloud. In NDSS, 2017.

- [43] Ross Mcilroy, Jaroslav Sevcik, Tobias Tebbi, Ben L Titzer, and Toon Verwaest. Spectre is here to stay: An analysis of side-channels and speculative execution. arXiv preprint arXiv:1902.05178, 2019.
- [44] NIST. FIPS 197, advanced encryption standard (AES), 2001.
- [45] Dag Arne Osvik, Adi Shamir, and Eran Tromer. Cache attacks and countermeasures: the case of AES. In CT-RSA, 2006.
- [46] Dag Arne Osvik, Adi Shamir, and Eran Tromer. Cache attacks and countermeasures: The case of AES. In CT-RSA, pages 1–20, 2006.
- [47] Colin Percival. Cache missing for fun and profit. In BSDCan, 2005.
- [48] Michael Schwarz, Moritz Lipp, Daniel Gruss, Samuel Weiser, Clémentine Maurice, Raphael Spreitzer, and Stefan Mangard. KeyDrown: Eliminating software-based keystroke timing side-channel attacks. In NDSS, 2018.
- [49] Michael Schwarz, Martin Schwarzl, Moritz Lipp, and Daniel Gruss. NetSpectre: Read arbitrary memory over network. arXiv:1807.10535, 2018.
- [50] Hovav Shacham. The geometry of innocent flesh on the bone: Returninto-libc without function calls (on the x86). In CCS, pages 552–561, 2007.
- [51] Ming-Wei Shih, Sangho Lee, Taesoo Kim, and Marcus Peinado. T-SGX: eradicating controlled-channel attacks against enclave programs. In NDSS, 2017.
- [52] Solar Designer. Getting around non-executable stack (and fix). Bugtraq mailing list, August 1997.
- [53] Julian Stecklina and Thomas Prescher. LazyFP: Leaking FPU register state using microarchitectural side-channels. arXiv preprint arXiv:1806.07480, 2018.
- [54] Robert M Tomasulo. An efficient algorithm for exploiting multiple arithmetic units. *IBM Journal of Research and Development*, 11(1):25– 33, 1967.
- [55] Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F. Wenisch, Yuval Yarom, and Raoul Strackx. Foreshadow: Extracting the keys to the Intel SGX kingdom with transient out-of-order execution. In USENIX Security Symposium, 2018.
- [56] Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Giorgi Maisuradze, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida. RIDL: Rogue in-flight data load. In S&P, 2019.
- [57] Ofir Weisse, Jo Van Bulck, Marina Minkin, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Raoul Strackx, Thomas F. Wenisch, and Yuval Yarom. Foreshadow-NG: Breaking the virtual memory abstraction with transient out-of-order execution. https://foreshadowattack.eu/foreshadow-NG.pdf, 2018.
- [58] Yuval Yarom and Katrina Falkner. FLUSH+RELOAD: A high resolution, low noise, L3 cache side-channel attack. In *USENIX Security*, pages 22–25, 2014.
- [59] Yuval Yarom, Daniel Genkin, and Nadia Heninger. CacheBleed: a timing attack on OpenSSL constant-time RSA. J. Cryptographic Engineering, 7(2):99–112, 2017.
- [60] Xiaokuan Zhang, Yuan Xiao, and Yinqian Zhang. Return-oriented flush-reload side channels on ARM and their implications for android devices. In CCS, pages 858–870, 2016.