A Practical Introduction to Transient Execution Attacks
Dr. Michael Schwarz
CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
In 2018, a new field of microarchitectural emerged with the publication of Meltdown and Spectre: Transient execution attacks. While traditional microarchitectural side-channel attacks leak metadata, such as memory access patterns, transient execution attacks leak actual data. Transient execution attacks exploit the microarchitectural side effects of instructions that are executed but never retire, i.e., they do not have an architectural effect. Such transient executions are a result of control- and data-flow mispredictions, as well as out-of-order execution after exceptions.
In this tutorial, we start with the basics of measuring cache effects, an essential building block of transient execution attacks. We start with a simple Flush+Reload covert channel used as the encoding part in all further attacks. Using this encoding, we implement a simple Spectre attack and the original Meltdown attack. From that, we gradually adapt the Meltdown attack, resulting in the ZombieLoad attack. Finally, we invert the Meltdown attack to inject data instead of leaking data, demonstrating Load Value Injection.
is Faculty at the CISPA Helmholtz Center for Information Security in Saarbruecken, Germany, with a focus on microarchitectural side-channel attacks and system security. He obtained his PhD with the title "Software-based Side-Channel Attacks and Defenses in Restricted Environments" in 2019 from Graz University of Technology. He holds two master's degrees, one in computer science and one in software engineering with a strong focus on security. He was part of one of the research teams that found the Meltdown, Spectre, Fallout, LVI, and PLATYPUS vulnerabilities, as well as the ZombieLoad vulnerability. He was also part of the KAISER patch, the basis for Meltdown countermeasures now deployed in every modern operating system under names such as KPTI or KVA Shadow. In the last 5 years, Michael co-authored more than 40 publications, with 19 of them published at tier-1 conferences.