profile

Downfall attacks target a critical weakness found in billions of modern processors used in personal and cloud computers. This vulnerability, identified as CVE-2022-40982, enables a user to access and steal data from other users who share the same computer. For instance, a malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages. Similarly, in cloud computing environments, a malicious customer could exploit the Downfall vulnerability to steal data and credentials from other customers who share the same cloud computer.

The vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software. This allows untrusted software to access data stored by other programs, which should not normally be accessible. I discovered that the Gather instruction, meant to speed up accessing scattered data in memory, leaks the content of the internal vector register file during speculative execution. To exploit this vulnerability, I introduced Gather Data Sampling (GDS) and Gather Value Injection (GVI) techniques. You can read the paper I wrote about this for more detail. Please cite as follows:

@inproceedings{moghimi2023downfall,
  title={{Downfall}: Exploiting Speculative Data Gathering},
  author={Moghimi, Daniel},
  booktitle={32nd USENIX Security Symposium (USENIX Security 2023)},
  year={2023}
}

By Daniel Moghimi


Demo

Stealing 128-bit and 256-bit AES keys from another user

Stealing arbitrary data from the Linux Kernel

Spying on printable characters


FAQ

[Q] Am I affected by this vulnerability?

[A] Most likely, yes. This depends on whether your computing devices (laptop, tablet, desktop, cloud, etc.) use the affected Intel processors. Even if you do not own any physical Intel-based devices, Intel’s server market share is more than 70%, so most likely, everyone on the internet is affected.

[Q] Which computing devices are affected?

[A] Computing devices based on Intel Core processors from the 6th generation (Skylake) through the 11th generation (Tiger Lake), inclusive, are affected. A more comprehensive list of affected processors will be available here.

[Q] What can a hacker do with this?

[A] A hacker can target high-value credentials such as passwords and encryption keys. Recovering such credentials can lead to other attacks that violate the availability and integrity of computers in addition to confidentiality.

[Q] How practical are these attacks?

[A] GDS is highly practical. It took me 2 weeks to develop an end-to-end attack stealing encryption keys from OpenSSL. It only requires the attacker and the victim to share the same physical processor core, which happens routinely on modern computers, since they implement preemptive multitasking and simultaneous multithreading.

[Q] Is Intel SGX also affected?

[A] Yes. In addition to the usual isolation boundaries (virtual machines, processes, and user/kernel separation), Intel SGX is also affected. Intel SGX is a hardware security feature available on Intel CPUs that is meant to protect users’ data against all forms of malicious software.

[Q] What about web browsers?

[A] In theory, remotely exploiting this vulnerability from the web browser is possible. In practice, demonstrating successful attacks via web browsers requires additional research and engineering efforts.

[Q] How long have users been exposed to this vulnerability?

[A] At least nine years. The affected processors have been around since 2014.

[Q] Is there a way to detect Downfall attacks?

[A] It is not easy. The execution of a Downfall attack looks mostly like that of a benign application. In theory, one could build a detection system that uses hardware performance counters to spot abnormal behavior such as excessive cache misses. In practice, off-the-shelf antivirus software cannot detect this attack.

[Q] Is there any mitigation for Downfall?

[A] Intel is releasing a microcode update that blocks the transient results of Gather instructions and prevents attacker code from observing speculative data from Gather.

[Q] What is the overhead for the mitigation?

[A] This depends on whether Gather is in the critical execution path of a program. According to Intel, some workloads may experience up to 50% overhead.

[Q] Can I disable the mitigation if my workload does not use Gather?

[A] This is a bad idea. Even if your workload itself does not use vector instructions, modern CPUs and the software running on them rely on vector registers to optimize common operations, such as copying memory and saving and restoring register state, so that data still ends up in the registers that Gather leaks to untrusted code.
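A quick way to verify the two answers above on a Linux host, as an added example that is not code from the Downfall page or its PoC repository: the kernel reports the Downfall/GDS status in sysfs, and the microcode mitigation is controlled by two MSR bits. Assumptions: a kernel with the gather_data_sampling sysfs entry (Linux 6.5 or a distribution backport), and, for the optional raw-MSR cross-check, root plus the msr kernel module and rdmsr from msr-tools. The bit positions (IA32_ARCH_CAPABILITIES bits 25 and 26, IA32_MCU_OPT_CTRL bits 4 and 5) are taken from the Linux kernel's MSR definitions; the status strings matched in classify_gds are the ones the kernel prints for this entry.

```shell
#!/bin/bash
# Added example (not from the Downfall page or its PoC repository).
# Checks whether this Linux host is mitigated against Downfall / GDS (CVE-2022-40982).
# Assumes Linux 6.5+ or a distro kernel carrying the GDS backport for the sysfs entry,
# and optionally root + msr module + rdmsr (msr-tools) for the raw MSR cross-check.

SYSFS_GDS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling

# classify_gds "<kernel status string>" -> not-affected | mitigated | vulnerable | unknown
# The matched prefixes are the strings the kernel prints for this sysfs entry.
classify_gds() {
    case "$1" in
        "Not affected")              echo not-affected ;;
        "Mitigation: Microcode"*)    echo mitigated ;;     # also "Mitigation: Microcode (locked)"
        "Mitigation: AVX disabled"*) echo mitigated ;;     # kernel fallback: no Gather without AVX
        "Vulnerable"*)               echo vulnerable ;;    # also "Vulnerable: No microcode"
        *)                           echo unknown ;;       # e.g. "Unknown: Dependent on hypervisor status"
    esac
}

# decode_gds_msrs <IA32_ARCH_CAPABILITIES hex> <IA32_MCU_OPT_CTRL hex>
# Hex as printed by rdmsr (no 0x prefix). Bit positions follow the Linux kernel's
# MSR definitions: ARCH_CAPABILITIES (0x10a) bit 25 = GDS_CTRL, bit 26 = GDS_NO;
# MCU_OPT_CTRL (0x123) bit 4 = GDS_MITG_DIS, bit 5 = GDS_MITG_LOCK.
# Returns 0 when the CPU is not affected or the mitigation is active, 1 otherwise.
decode_gds_msrs() {
    [ -n "$1" ] && [ -n "$2" ] || { echo "usage: decode_gds_msrs ARCH_CAP MCU_OPT_CTRL" >&2; return 2; }
    local arch=$((0x$1)) mcu=$((0x$2))
    if [ $(( (arch >> 26) & 1 )) -eq 1 ]; then
        echo "GDS_NO set: CPU reports it is not affected"; return 0
    fi
    if [ $(( (arch >> 25) & 1 )) -eq 0 ]; then
        echo "GDS_CTRL clear: microcode without the GDS fix, mitigation unavailable"; return 1
    fi
    if [ $(( (mcu >> 4) & 1 )) -eq 1 ]; then
        echo "GDS_MITG_DIS set: mitigation DISABLED (e.g. booted with gather_data_sampling=off)"; return 1
    fi
    if [ $(( (mcu >> 5) & 1 )) -eq 1 ]; then
        echo "mitigation enabled and locked until reset"
    else
        echo "mitigation enabled (not locked)"
    fi
    return 0
}

check_host() {
    local status
    if [ -r "$SYSFS_GDS" ]; then
        status=$(cat "$SYSFS_GDS")
    else
        status="(no $SYSFS_GDS: kernel predates the GDS report)"
    fi
    printf 'kernel: %s -> %s\n' "$status" "$(classify_gds "$status")"
    # Raw MSR cross-check; needs the msr module loaded, root, and rdmsr from msr-tools.
    if command -v rdmsr >/dev/null 2>&1 && [ -r /dev/cpu/0/msr ]; then
        decode_gds_msrs "$(rdmsr -p 0 0x10a)" "$(rdmsr -p 0 0x123)"
    fi
}

check_host
```

If the script reports vulnerable, or the MSR decode reports GDS_MITG_DIS set, check whether the microcode update has actually been installed and whether the kernel was booted with gather_data_sampling=off or mitigations=off; the advice above is to leave the mitigation enabled even for workloads that never execute Gather themselves.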

[Q] How long was this vulnerability under embargo?

[A] Almost one year. I reported this vulnerability to Intel August 24, 2022.

[Q] Should other processor vendors and designers be concerned?

[A] Other processors have shared SRAM memory inside the core, such as hardware register files and fill buffers. Manufacturers must design shared memory units with extra care to prevent data from leaking across different security domains and invest more in security validation and testing.

[Q] How can I learn more about Downfall?

[A] In addition to the technical paper, I am presenting Downfall at Black Hat USA on August 9, 2023 and at the USENIX Security Symposium on August 11, 2023.

[Q] Can I play with Downfall?

[A] Here is the code: https://github.com/flowyroll/downfall/tree/main/POC

[Q] Why is this called Downfall?

[A] Downfall defeats fundamental security boundaries in most computers and is a successor to previous data leaking vulnerabilities in CPUs including Meltdown and Fallout (AKA MDS). In this trilogy, Downfall defeats all previous mitigations once again.

[Q] How did you create the logo?

[A] I used the DALL·E 2 AI system to create the logo.


Advisories

Vendor        Link
MITRE         CVE-2022-40982
Intel         INTEL-SA-00828
Debian        CVE-2022-40982
Citrix        CTX569353
Xen           Xen Security Advisory 435 v1
LWN           Another round of speculative-execution vulnerabilities
AWS           AWS-2023-007
Red Hat       CVE-2022-40982, Solution
VMware        VMware Response to Gather Data Sampling (GDS)
Dell          DSA-2023-180, DSN-2023-002
HP            HPSBHF03859
GCP           GCP-2023-024
Qubes         QSB-093
Lenovo        LEN-134879
Supermicro    Intel Platform Update (IPU) Update 2023.3
Ubuntu        CVE-2022-40982
OVHcloud      KB0059180
SUSE          CVE-2022-40982
Tenable       CVE-2022-40982
NetApp        CVE-2022-40982
F5 Networks   K000135795
CloudLinux    Securing Your CloudLinux Server