index.html

<!DOCTYPE html>
<html lang="en-US">

<head>
	<meta name="generator" content="Hugo 0.115.4">
  <meta http-equiv="X-Clacks-Overhead" content="GNU Terry Pratchett" />
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link rel="shortcut icon" href="https://downfall.page/images/favicon.png" />
<title>Downfall</title>
<meta name="title" content="Downfall" />
<meta name="description" content="Downfall attacks targets a critical weakness found in billions of modern processors used in personal and cloud computers." />
<meta name="keywords" content="" />


<meta property="og:title" content="" />
<meta property="og:description" content="Downfall attacks targets a critical weakness found in billions of modern processors used in personal and cloud computers." />
<meta property="og:type" content="website" />
<meta property="og:url" content="https://downfall.page/" /><meta property="og:image" content="https://downfall.page/images/share.png"/><meta property="og:site_name" content="Downfall Attacks" />



<meta name="twitter:card" content="summary_large_image"/>
<meta name="twitter:image" content="https://downfall.page/images/share.png"/>

<meta name="twitter:title" content=""/>
<meta name="twitter:description" content="Downfall attacks targets a critical weakness found in billions of modern processors used in personal and cloud computers."/>



<meta itemprop="name" content="">
<meta itemprop="description" content="Downfall attacks targets a critical weakness found in billions of modern processors used in personal and cloud computers.">
<meta name="referrer" content="no-referrer-when-downgrade" />

  <link rel="alternate" type="application/rss+xml" href="https://downfall.page/index.xml" title="Downfall" />
  <style>
  body {
    font-family: Verdana, sans-serif;
    margin: auto;
    padding: 20px;
    max-width: 720px;
    text-align: left;
    background-color: #fff;
    word-wrap: break-word;
    overflow-wrap: break-word;
    line-height: 1.5;
     
  }

  h1,
  h2,
  h3,
  h4,
  h5,
  h6,
  strong,
  b {
    color: #222;
  }

  a {
    color: #3273dc;
     
  }

  .title {
    text-decoration: none;
    border: 0;
  }

  .title span {
    font-weight: 400;
  }

  nav a {
    margin-right: 10px;
  }

  textarea {
    width: 100%;
    font-size: 16px;
  }

  input {
    font-size: 16px;
  }

  content {
    line-height: 1.6;
  }

  table {
    width: 100%;
  }

  img {
    max-width: 100%;
  }

  code {
    padding: 2px 5px;
    background-color: #f2f2f2;
  }

  pre code {
    color: #222;
    display: block;
    padding: 20px;
    white-space: pre-wrap;
    font-size: 14px;
  }

  div.highlight pre {
    background-color: initial;
    color: initial;
  }

  div.highlight code {
    background-color: unset;
    color: unset;
  }

  blockquote {
    border-left: 1px solid #999;
    color: #222;
    padding-left: 20px;
    font-style: italic;
  }

  footer {
    padding: 25px;
    text-align: center;
  }

  .helptext {
    color: #777;
    font-size: small;
  }

  .errorlist {
    color: #eba613;
    font-size: small;
  }

   
  ul.blog-posts {
    list-style-type: none;
    padding: unset;
  }

  ul.blog-posts li {
    display: flex;
  }

  ul.blog-posts li span {
    flex: 0 0 130px;
  }

  ul.blog-posts li a:visited {
    color: #8b6fcb;
  }

</style>
<link href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet"
integrity="sha384-wvfXpqpZZVQGK6TAh5PVlGOfQNHSoD2xbE+QkPxCAFlNEevoEH3Sl0sibVcOQVnN" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdn.rawgit.com/jpswalsh/academicons/master/css/academicons.min.css">
<link rel="stylesheet" href="/css/custom.css" />
</head>

<body>
  <header><div id="navbar">
<nav><center><h1>Downfall Attacks</h1></center>
<a href="/">Attack</a>
<a href="/#demo">Demo</a>
<a href="/#faq">FAQ</a>
<a href="/#advisories">Advisories</a>
<a href="/#links">Links</a>
</nav>
</div></header>
  <main>
<p><a href="images/profile.png"><img src="images/profile.png" alt="profile"></a></p>
<p>Downfall attacks target a critical weakness found in billions of modern processors used in personal and cloud computers. This vulnerability, identified as <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982">CVE-2022-40982</a>, enables a user to access and steal data from other users who share the same computer. For instance, a malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages. Similarly, in cloud computing environments, a malicious customer could exploit the Downfall vulnerability to steal data and credentials from other customers who share the same cloud computer.</p>
<p>The vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software. This allows untrusted software to access data stored by other programs, which should not normally be accessible. I discovered that the <em>Gather</em> instruction, meant to speed up accessing scattered data in memory, leaks the content of the internal vector register file during speculative execution. To exploit this vulnerability, I introduced Gather Data Sampling (GDS) and Gather Value Injection (GVI) techniques. You can read the <strong><a href="media/downfall.pdf">paper</a></strong> I wrote about this for more detail. Please cite as follows:</p>
<pre tabindex="0"><code>@inproceedings{moghimi2023downfall,
  title={{Downfall}: Exploiting Speculative Data Gathering},
  author={Moghimi, Daniel},
  booktitle={32th USENIX Security Symposium (USENIX Security 2023)},
  year={2023}
}
</code></pre><p>By <strong><a href="https://moghimi.org/">Daniel Moghimi</a></strong></p>
<hr>
<h2 id="demo">Demo</h2>
<h3 id="stealing-128-bit-and-256-bit-aes-keys-from-another-user">Stealing 128-bit and 256-bit AES keys from another user</h3>

<center><video width="75%"  controls>
    <source src="media/gds_aes.mp4" type="video/mp4">
    Your browser does not support the video tag.
</video></center>
<h3 id="stealing-arbitrary-data-from-the-linux-kernel">Stealing arbitrary data from the Linux Kernel</h3>

<center><video width="75%"  controls>
    <source src="media/gds_memcpy.mp4" type="video/mp4">
    Your browser does not support the video tag.
</video></center>
<h3 id="spying-on-printable-characters">Spying on printable characters</h3>

<center><video width="75%"  controls>
    <source src="media/gds_spy.mp4" type="video/mp4">
    Your browser does not support the video tag.
</video></center>
<!-- raw HTML omitted -->
<!-- raw HTML omitted -->
<hr>
<h2 id="faq">FAQ</h2>
<p><strong>[Q] Am I affected by this vulnerability?</strong></p>
<p>[A]
Most likely, yes. This depends on whether your computing devices (laptop, tablet, desktop, cloud, etc.) use the affected Intel processors. Even if you do not own any physical Intel-based devices, Intel&rsquo;s server market share is more than 70%, so most likely, everyone on the internet is affected.</p>
<p><strong>[Q] Which computing devices are affected?</strong></p>
<p>[A]
Computing devices based on Intel Core processors from the 6th Skylake to (including) the 11th Tiger Lake generation are affected. A more comprehensive list of affected processors will be available <a href="https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html">here</a>.</p>
<p><strong>[Q] What can a hacker do with this?</strong></p>
<p>[A]
A hacker can target high-value credentials such as passwords and encryption keys. Recovering such credentials can lead to other attacks that violate the availability and integrity of computers in addition to confidentiality.</p>
<p><strong>[Q] How practical are these attacks?</strong></p>
<p>[A]
GDS is highly practical. It tooks me 2 weeks to develop an end-to-end attack stealing encryption keys from OpenSSL. It only requires the attacker and victim to share the same physical processor core, which frequently happens on modern-day computers, implementing preemptive multitasking and simultaneous multithreading.</p>
<p><strong>[Q] Is Intel SGX also affected?</strong></p>
<p>[A]
In addition to normal isolation boundaries e.g., virtual machines, processes, user-kernel isolation, Intel SGX is also affected. Intel SGX is a hardware security feature available on Intel CPUs to protect users&rsquo; data against all form of malicious software.</p>
<p><strong>[Q] What about web browsers?</strong></p>
<p>[A] In theory, remotely exploiting this vulnerability from the web browser is possible. In practice, demonstrating successful attacks via web browsers requires additional research and engineering efforts.</p>
<p><strong>[Q] How long have users been exposed to this vulnerability?</strong></p>
<p>[A] At least nine years. The affected processors have been around since 2014.</p>
<p><strong>[Q] Is there a way to detect Downfall attacks?</strong></p>
<p>[A]
It is not easy. Downfall execution looks mostly like benign applications. Theoretically, one could develop a detection system that uses hardware performance counters to detect abnormal behaviors like exessive cache misses. However, off-the-shelf Antivirus software cannot detect this attack.</p>
<p><strong>[Q] Is there any mitigation for Downfall?</strong></p>
<p>[A]
Intel is releasing a microcode update which blocks transient results of gather instructions and prevent attacker code from observing speculative data from <em>Gather</em>.</p>
<p><strong>[Q] What is the overhead for the mitigation?</strong></p>
<p>[A]
This depends on whether <em>Gather</em> is in the critical execution path of a program. According to Intel, some workloads may experience up to 50% overhead.</p>
<p><strong>[Q] Can I disable the mitigation if my workload does not use Gather?</strong></p>
<p>[A]
This is a bad idea. Even if your workload does not use vector instructions, modern CPUs rely on vector registers to optimize common operations, such as copying memory and switching register content, which leaks data to untrusted code exploiting <em>Gather</em>.</p>
<p><strong>[Q] How long was this vulberability under embargo?</strong></p>
<p>[A]
Almost one year. I reported this vulnerability to Intel August 24, 2022.</p>
<p><strong>[Q] Should other processor vendors and designers be concerned?</strong></p>
<p>[A]
Other processors have shared SRAM memory inside the core, such as hardware register files and fill buffers. Manufacturers must design shared memory units with extra care to prevent data from leaking across different security domains and invest more in security validation and testing.</p>
<p><strong>[Q] How can I learn more about Downfall?</strong></p>
<p>[A]
In addition to the technical <a href="media/downfall.pdf">paper</a>, I am presenting Downfall at the <a href="https://www.blackhat.com/us-23/briefings/schedule/">BlackHat USA on August 9th, 2023</a> and <a href="https://www.usenix.org/conference/usenixsecurity23/presentation/moghimi">USENIX Security Symposium on August 11, 2023</a>.</p>
<p><strong>[Q] Can I play with Downfall?</strong></p>
<p>[A]
Here is the code: <a href="https://github.com/flowyroll/downfall/tree/main/POC">https://github.com/flowyroll/downfall/tree/main/POC</a></p>
<p><strong>[Q] Why is this called Downfall?</strong></p>
<p>[A]
Downfall defeats fundamental security boundaries in most computers and is a successor to previous data leaking vulnerabilities in CPUs including <a href="https://meltdownattack.com/">Meltdown</a> and <a href="https://mdsattacks.com/">Fallout</a> (AKA MDS). In this trilogy, <strong>Downfall</strong> defeats all previous mitigations once again.</p>
<p><strong>[Q] How did you create the logo?</strong></p>
<p>[A]
I used the <a href="https://openai.com/dall-e-2">DALL·E 2</a> AI system to create the logo.</p>
<hr>
<h2 id="advisories">Advisories</h2>
<table>
<thead>
<tr>
<th style="text-align:left">Vendor</th>
<th style="text-align:left">Link</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left">MITRE</td>
<td style="text-align:left"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982">CVE-2022-40982</a></td>
</tr>
<tr>
<td style="text-align:left">Intel</td>
<td style="text-align:left"><a href="https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html">INTEL-SA-00828</a></td>
</tr>
<tr>
<td style="text-align:left">Debian</td>
<td style="text-align:left"><a href="https://security-tracker.debian.org/tracker/CVE-2022-40982">CVE-2022-40982</a></td>
</tr>
<tr>
<td style="text-align:left">Citrix</td>
<td style="text-align:left"><a href="https://support.citrix.com/article/CTX569353/citrix-hypervisor-security-bulletin-for-cve202320569-cve202334319-and-cve202240982">CTX569353</a></td>
</tr>
<tr>
<td style="text-align:left">Xen</td>
<td style="text-align:left"><a href="https://seclists.org/oss-sec/2023/q3/98">Xen Security Advisory 435 v1</a></td>
</tr>
<tr>
<td style="text-align:left">LWN</td>
<td style="text-align:left"><a href="https://lwn.net/Articles/940783/">Another round of speculative-execution vulnerabilities</a></td>
</tr>
<tr>
<td style="text-align:left">AWS</td>
<td style="text-align:left"><a href="https://aws.amazon.com/security/security-bulletins/AWS-2023-007/">AWS-2023-007</a></td>
</tr>
<tr>
<td style="text-align:left">Redhat</td>
<td style="text-align:left"><a href="https://access.redhat.com/security/cve/cve-2022-40982">CVE-2022-40982</a><a href="https://access.redhat.com/solutions/7027704">Solution</a></td>
</tr>
<tr>
<td style="text-align:left">VMWare</td>
<td style="text-align:left"><a href="https://blogs.vmware.com/security/2023/08/cve-2022-40982.html">VMware Response to Gather Data Sampling (GDS)</a></td>
</tr>
<tr>
<td style="text-align:left">Dell</td>
<td style="text-align:left"><a href="https://www.dell.com/support/kbdoc/en-us/000216234/dsa-2023-180">DSA-2023-180</a> <a href="https://www.dell.com/support/kbdoc/en-us/000216460/dsn-2023-002-aug-2023-intel-security-advisories-impact-on-dell-products">DSN-2023-002</a></td>
</tr>
<tr>
<td style="text-align:left">HP</td>
<td style="text-align:left"><a href="https://support.hp.com/us-en/document/ish_9021973-9021997-16/hpsbhf03859">HPSBHF03859</a></td>
</tr>
<tr>
<td style="text-align:left">GCP</td>
<td style="text-align:left"><a href="https://cloud.google.com/support/bulletins#gcp-2023-024">GCP-2023-024</a></td>
</tr>
<tr>
<td style="text-align:left">QUBES</td>
<td style="text-align:left"><a href="https://forum.qubes-os.org/t/qsb-093-transient-execution-vulnerabilities-in-amd-and-intel-cpus-cve-2023-20569-xsa-434-cve-2022-40982-xsa-435/20299">QSB-093</a></td>
</tr>
<tr>
<td style="text-align:left">Lenovo</td>
<td style="text-align:left"><a href="https://support.lenovo.com/us/en/product_security/LEN-134879">LEN-134879</a></td>
</tr>
<tr>
<td style="text-align:left">Supermicro</td>
<td style="text-align:left"><a href="https://www.supermicro.com/en/support/security_Intel_IPU2023.3_Update">Intel Platform Update (IPU) Update 2023.3</a></td>
</tr>
<tr>
<td style="text-align:left">Ubuntu</td>
<td style="text-align:left"><a href="https://ubuntu.com/security/CVE-2022-40982">CVE-2022-40982</a></td>
</tr>
<tr>
<td style="text-align:left">OVHCloud</td>
<td style="text-align:left"><a href="https://help.ovhcloud.com/csm/en-dedicated-servers-downfall-vulnerability?id=kb_article_view&amp;sysparm_article=KB0059180">KB0059180</a></td>
</tr>
<tr>
<td style="text-align:left">SUSE</td>
<td style="text-align:left"><a href="https://www.suse.com/security/cve/CVE-2022-40982.html">CVE-2022-40982</a></td>
</tr>
<tr>
<td style="text-align:left">Tenable</td>
<td style="text-align:left"><a href="https://www.tenable.com/cve/CVE-2022-40982">CVE-2022-40982</a></td>
</tr>
<tr>
<td style="text-align:left">NetApp</td>
<td style="text-align:left"><a href="https://security.netapp.com/advisory/ntap-20230811-0001/">CVE-2022-40982</a></td>
</tr>
<tr>
<td style="text-align:left">F5 Networks</td>
<td style="text-align:left"><a href="https://my.f5.com/manage/s/article/K000135795">K000135795</a></td>
</tr>
<tr>
<td style="text-align:left">Cloud Linux</td>
<td style="text-align:left"><a href="https://blog.cloudlinux.com/securing-your-cloudlinux-server-mitigating-new-intel-and-amd-cpu-vulnerabilities">Securing Your CloudLinux Server</a></td>
</tr>
</tbody>
</table>
<hr>
<h2 id="links">Links</h2>
<ul>
<li>
<p><a href="https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/gather-data-sampling.html">Gather Data Sampling</a> Intel</p>
</li>
<li>
<p><a href="https://www.bleepingcomputer.com/news/security/new-downfall-attacks-on-intel-cpus-steal-encryption-keys-data/">New Downfall attacks on Intel CPUs steal encryption keys, data</a> Bleeping Computer</p>
</li>
<li>
<p><a href="https://security.googleblog.com/2023/08/downfall-and-zenbleed-googlers-helping.html">Downfall &amp; Zenbleed: Googlers helping secure the ecosystem</a> Google Security Blog</p>
</li>
<li>
<p><a href="https://www.techtarget.com/searchsecurity/news/366547448/Google-unveils-Downfall-attacks-vulnerability-in-Intel-chips?Offer=abt_pubpro_AI-Insider">Google unveils Downfall attacks, vulnerability in Intel chips</a> Tech Target</p>
</li>
<li>
<p><a href="https://www.wired.com/story/downfall-flaw-intel-chips/">New &lsquo;Downfall&rsquo; Flaw Exposes Valuable Data in Generations of Intel Chips</a> Wired</p>
</li>
<li>
<p><a href="https://cyberscoop.com/downfall-intel-cpu-vulnerability/">&lsquo;Downfall&rsquo; vulnerability leaves billions of Intel CPUs at risk</a> Cyberscoop</p>
</li>
<li>
<p><a href="https://www.phoronix.com/review/downfall">Intel DOWNFALL: New Vulnerability Affecting AVX2/AVX-512 With Big Performance Implications</a> Phoronix</p>
</li>
<li>
<p><a href="https://www.helpnetsecurity.com/2023/08/09/downfall-cve-2022-40982/">Downfall attacks can gather passwords, encryption keys from Intel processors</a> Helpnet Security</p>
</li>
<li>
<p><a href="https://www.pcworld.com/article/2025589/downfall-serious-security-vulnerability-in-billions-of-intel-cpus-how-to-protect-yourself.html">Intel &lsquo;Downfall&rsquo;: Severe flaw in billions of CPUs leaks passwords and much more</a> PC World</p>
</li>
<li>
<p><a href="https://www.securityweek.com/downfall-new-intel-cpu-attack-exposing-sensitive-information/">Downfall: New Intel CPU Attack Exposing Sensitive Information</a> Security Week</p>
</li>
<li>
<p><a href="https://www.tomshardware.com/news/intel-downfall-vulnerability">Intel &lsquo;Downfall&rsquo; Bug Steals Encryption Keys, Data From Years of CPUs</a> tom&rsquo;s Hardware</p>
</li>
<li>
<p><a href="https://www.macworld.com/article/2026071/intel-downfall-vulnerability-macs-affected.html">Are Macs affected by that scary Intel &lsquo;Downfall&rsquo; vulnerability?</a> Macworld</p>
</li>
<li>
<p><a href="https://arstechnica.com/information-technology/2023/08/data-leaking-downfall-bug-affects-six-generations-of-intel-pc-and-server-cpus/">&ldquo;Downfall&rdquo; bug affects years of Intel CPUs, can leak encryption keys and more</a> Ars Technia</p>
</li>
<li>
<p><a href="https://www.darkreading.com/threat-intelligence/downfall-bug-billions-intel-cpus-design-flaw">&lsquo;Downfall&rsquo; Bug in Billions of Intel CPUs Reveals Major Design Flaw</a> Dark Reading</p>
</li>
<li>
<p><a href="https://www.theregister.com/2023/08/09/google_intel_downfall/">Say hello to Downfall, another data-leaking security hole in several years of Intel chips</a> The Register</p>
</li>
<li>
<p><a href="https://www.scmagazine.com/news/downfall-flaw-leaves-most-intel-cpus-open-to-nearly-undetectable-attack">‘Downfall’ flaw leaves most Intel CPUs open to nearly undetectable attack</a> SC Media</p>
</li>
<li>
<p><a href="https://www.techrepublic.com/article/intel-downfall-bug/">Downfall Vulnerability Affects Millions of Intel CPUs With Strong Data Leak Impact</a> Tech Republic</p>
</li>
<li>
<p><a href="https://wccftech.com/intel-cpus-witness-downfall-in-performance-after-downfall-vulnerability-mitigations-applied/">Intel CPUs Witness Downfall In Performance After “Downfall” Vulnerability Mitigations Applied</a> WCCF Tech</p>
</li>
<li>
<p><a href="https://www.digitaltrends.com/computing/downfall-vulnerability-intel-cpus-are-leaking-passwords/">Billions of Intel CPUs are leaking passwords and killing performance</a> Digital Trends</p>
</li>
<li>
<p><a href="https://www.zdnet.com/article/amd-and-intel-cpu-security-bugs-bring-linux-patches/">AMD and Intel CPU security bugs bring Linux patches</a> ZD Net</p>
</li>
<li>
<p><a href="https://www.pcgamer.com/intel-downfall-cpu-vulnerability-exposes-sensitive-data/">Intel &lsquo;Downfall&rsquo; CPU vulnerability exposes sensitive data</a> PC Gamer</p>
</li>
<li>
<p><a href="https://www.tomshardware.com/news/intel-downfall-mitigation-performance-drop-linux">Intel&rsquo;s Downfall Mitigations Drop Performance Up to 39%, Tests Show</a> tom&rsquo;s Hardware</p>
</li>
<li>
<p><a href="https://www.openssl.org/blog/blog/2023/08/15/downfall/">OpenSSL Statement on the Recent Intel/AMD Downfall/Inception Vulnerabilities</a> OpenSSL</p>
</li>
<li>
<p><a href="https://www.securityweek.com/companies-respond-to-downfall-intel-cpu-vulnerability/">Companies Respond to ‘Downfall’ Intel CPU Vulnerability</a> Security Week</p>
</li>
<li>
<p><a href="https://www.phoronix.com/review/intel-downfall-benchmarks">Initial Benchmarks Of The Intel Downfall Mitigation Performance Impact</a> Phoronix</p>
</li>
<li>
<p><a href="https://www.phoronix.com/news/GCC-Workaround-Intel-Downfall">GCC Compiler Adds Software Workaround To Avoid Intel Downfall Performance Hit</a> Phoronix</p>
</li>
<li>
<p><a href="https://topclassactions.com/lawsuit-settlements/investigations/intel-downfall-vulnerability-impacts-security-of-billions-of-cpus/">Intel Downfall vulnerability impacts security of billions of CPUs</a> Top Class Actions</p>
</li>
</ul>
<!-- raw HTML omitted -->


  </main>
  <footer><hr>
Copyright @  Daniel Moghimi 2023   


</footer>

  <link rel="stylesheet" href="/css/custom.css" /></body>

</html>