Downfall attacks target a critical weakness found in billions of modern processors used in personal and cloud computers. This vulnerability, identified as CVE-2022-40982, enables a user to access and steal data from other users who share the same computer. For instance, a malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages. Similarly, in cloud computing environments, a malicious customer could exploit the Downfall vulnerability to steal data and credentials from other customers who share the same cloud computer.

The vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software. This allows untrusted software to access data stored by other programs, which should not normally be accessible. I discovered that the Gather instruction, meant to speed up accessing scattered data in memory, leaks the content of the internal vector register file during speculative execution. To exploit this vulnerability, I introduced Gather Data Sampling (GDS) and Gather Value Injection (GVI) techniques. You can read the paper I wrote about this for more detail. Please cite as follows:

@inproceedings{moghimi2023downfall,
  title={{Downfall}: Exploiting Speculative Data Gathering},
  author={Moghimi, Daniel},
  booktitle={32th USENIX Security Symposium (USENIX Security 2023)},
  year={2023}
}

By Daniel Moghimi

Demo

Stealing 128-bit and 256-bit AES keys from another user

Stealing arbitrary data from the Linux Kernel

Spying on printable characters

FAQ

[Q] Am I affected by this vulnerability?

[A] Most likely, yes. This depends on whether your computing devices (laptop, tablet, desktop, cloud, etc.) use the affected Intel processors. Even if you do not own any physical Intel-based devices, Intel’s server market share is more than 70%, so most likely, everyone on the internet is affected.

[Q] Which computing devices are affected?

[A] Computing devices based on Intel Core processors from the 6th Skylake to (including) the 11th Tiger Lake generation are affected. A more comprehensive list of affected processors will be available here.

[Q] What can a hacker do with this?

[A] A hacker can target high-value credentials such as passwords and encryption keys. Recovering such credentials can lead to other attacks that violate the availability and integrity of computers in addition to confidentiality.

[Q] How practical are these attacks?

[A] GDS is highly practical. It tooks me 2 weeks to develop an end-to-end attack stealing encryption keys from OpenSSL. It only requires the attacker and victim to share the same physical processor core, which frequently happens on modern-day computers, implementing preemptive multitasking and simultaneous multithreading.

[Q] Is Intel SGX also affected?

[A] In addition to normal isolation boundaries e.g., virtual machines, processes, user-kernel isolation, Intel SGX is also affected. Intel SGX is a hardware security feature available on Intel CPUs to protect users’ data against all form of malicious software.

[Q] What about web browsers?

[A] In theory, remotely exploiting this vulnerability from the web browser is possible. In practice, demonstrating successful attacks via web browsers requires additional research and engineering efforts.

[Q] How long have users been exposed to this vulnerability?

[A] At least nine years. The affected processors have been around since 2014.

[Q] Is there a way to detect Downfall attacks?

[A] It is not easy. Downfall execution looks mostly like benign applications. Theoretically, one could develop a detection system that uses hardware performance counters to detect abnormal behaviors like exessive cache misses. However, off-the-shelf Antivirus software cannot detect this attack.

[Q] Is there any mitigation for Downfall?

[A] Intel is releasing a microcode update which blocks transient results of gather instructions and prevent attacker code from observing speculative data from Gather.

[Q] What is the overhead for the mitigation?

[A] This depends on whether Gather is in the critical execution path of a program. According to Intel, some workloads may experience up to 50% overhead.

[Q] Can I disable the mitigation if my workload does not use Gather?

[A] This is a bad idea. Even if your workload does not use vector instructions, modern CPUs rely on vector registers to optimize common operations, such as copying memory and switching register content, which leaks data to untrusted code exploiting Gather.

[Q] How long was this vulberability under embargo?

[A] Almost one year. I reported this vulnerability to Intel August 24, 2022.

[Q] Should other processor vendors and designers be concerned?

[A] Other processors have shared SRAM memory inside the core, such as hardware register files and fill buffers. Manufacturers must design shared memory units with extra care to prevent data from leaking across different security domains and invest more in security validation and testing.

[Q] How can I learn more about Downfall?

[A] In addition to the technical paper, I am presenting Downfall at the BlackHat USA on August 9th, 2023 and USENIX Security Symposium on August 11, 2023.

[Q] Can I play with Downfall?

[A] Here is the code: https://github.com/flowyroll/downfall/tree/main/POC

[Q] Why is this called Downfall?

[A] Downfall defeats fundamental security boundaries in most computers and is a successor to previous data leaking vulnerabilities in CPUs including Meltdown and Fallout (AKA MDS). In this trilogy, Downfall defeats all previous mitigations once again.

[Q] How did you create the logo?

[A] I used the DALL·E 2 AI system to create the logo.

Advisories

Links

• Gather Data Sampling Intel

• New Downfall attacks on Intel CPUs steal encryption keys, data Bleeping Computer

• Downfall & Zenbleed: Googlers helping secure the ecosystem Google Security Blog

• Google unveils Downfall attacks, vulnerability in Intel chips Tech Target

• New ‘Downfall’ Flaw Exposes Valuable Data in Generations of Intel Chips Wired

• ‘Downfall’ vulnerability leaves billions of Intel CPUs at risk Cyberscoop

• Intel DOWNFALL: New Vulnerability Affecting AVX2/AVX-512 With Big Performance Implications Phoronix

• Downfall attacks can gather passwords, encryption keys from Intel processors Helpnet Security

• Intel ‘Downfall’: Severe flaw in billions of CPUs leaks passwords and much more PC World

• Downfall: New Intel CPU Attack Exposing Sensitive Information Security Week

• Intel ‘Downfall’ Bug Steals Encryption Keys, Data From Years of CPUs tom’s Hardware

• Are Macs affected by that scary Intel ‘Downfall’ vulnerability? Macworld

• “Downfall” bug affects years of Intel CPUs, can leak encryption keys and more Ars Technia

• ‘Downfall’ Bug in Billions of Intel CPUs Reveals Major Design Flaw Dark Reading

• Say hello to Downfall, another data-leaking security hole in several years of Intel chips The Register

• ‘Downfall’ flaw leaves most Intel CPUs open to nearly undetectable attack SC Media

• Downfall Vulnerability Affects Millions of Intel CPUs With Strong Data Leak Impact Tech Republic

• Intel CPUs Witness Downfall In Performance After “Downfall” Vulnerability Mitigations Applied WCCF Tech

• Billions of Intel CPUs are leaking passwords and killing performance Digital Trends

• AMD and Intel CPU security bugs bring Linux patches ZD Net

• Intel ‘Downfall’ CPU vulnerability exposes sensitive data PC Gamer

• Intel’s Downfall Mitigations Drop Performance Up to 39%, Tests Show tom’s Hardware

• OpenSSL Statement on the Recent Intel/AMD Downfall/Inception Vulnerabilities OpenSSL

• Companies Respond to ‘Downfall’ Intel CPU Vulnerability Security Week

• Initial Benchmarks Of The Intel Downfall Mitigation Performance Impact Phoronix

• GCC Compiler Adds Software Workaround To Avoid Intel Downfall Performance Hit Phoronix

• Intel Downfall vulnerability impacts security of billions of CPUs Top Class Actions