CAPEC-696: Load Value Injection
An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution in which a faulting or assisted load instruction transiently forwards adversary-controlled data from microarchitectural buffers. By inducing a page fault or microcode assist during victim execution, an adversary can force legitimate victim execution to operate on the adversary-controlled data which is stored in the microarchitectural buffers. The adversary can then use existing code gadgets and side channel analysis to discover victim secrets that have not yet been flushed from microarchitectural state or hijack the system control flow.
Last updated
Overview
This attack is a mix of techniques used in traditional Meltdown and Spectre attacks. It uses microarchitectural data leakage combined with code gadget abuse. Intel has identified that this attack is not applicable in scenarios where the OS and the VMM (Virtual Memory Manager) are both trusted. Because of this, Intel SGX is a prime target for this attack because it assumes that the OS or VMM may be malicious.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Survey target application and relevant OS shared code libraries] Adversary identifies vulnerable transient instruction sets and the code/function calls to trigger them as well as instruction sets or code fragments (gadgets) to perform attack. The adversary looks for code gadgets which will allow them to load an adversary-controlled value into trusted memory. They also look for code gadgets which might operate on this controlled value.
- Utilize Disassembler and Debugger tools to examine and trace instruction set execution of source code and shared code libraries on a system.
- Step 2Experiment
[Fill microarchitectural buffer with controlled value] The adversary will utilize the found code gadget from the previous step to load a value into a microarchitectural buffer.
- The adversary may choose the controlled value to be memory address of sensitive information that they want the system to access
- The adversary may choose the controlled value to be the memory address of other code gadgets that they wish to execute by hijacking the control flow of the system
- Step 3Experiment
[Set up instruction to page fault or microcode assist] The adversary must manipulate the system such that a page fault or microcode assist occurs when a valid instruction is run. If the instruction that fails is near where the adversary-controlled value was loaded, the system may forward this value from the microarchitectural buffer incorrectly.
- When targeting Intel SGX enclaves, adversaries that have privileges can manipulate PTEs to provoke page-fault exceptions or microcode assists.
- When targeting Intel SGX enclaves, adversaries can indirectly revoke permissions for enclave code through the “mprotect” system call
- An adversary can evict selected virtual memory pages using legacy interfaces or by increasing physical memory utilization
- When attacking a Windows machine, wait until the OS clears the PTE accessed bit. When the page is next accessed, the CPU will always issue a microcode assist for re-setting this bit
- Step 4Exploit
[Operate on adversary-controlled data] Once the attack has been set up and the page fault or microcode assist occurs, the system operates on the adversary-controlled data.
- Influence the system to load sensitive information into microarchitectural state which can be read by the adversary using a code gadget.
- Hijack execution by jumping to second stage gadgets found in the address space. By utilizing return-oriented programming, this can chain gadgets together and allow the adversary to execute a sequence of gadgets.
What the attacker needs
Prerequisites
- The adversary needs at least user execution access to a system and a maliciously crafted program/application/process with unprivileged code to misuse transient instruction set execution of the CPU.
- The CPU incorrectly transiently forwards values from microarchitectural buffers after faulting or assisted loads
- The adversary needs the ability to induce page faults or microcode assists on the target system.
- Code gadgets exist that allow the adversary to hijack transient execution and encode secrets into the microarchitectural state.
Skills required
- High skill: Detailed knowledge on how various CPU architectures and microcode perform transient execution for various low-level assembly language code instructions/operations.
- High skill: Detailed knowledge on compiled binaries and operating system shared libraries of instruction sequences, and layout of application and OS/Kernel address spaces for data leakage.
- High skill: The ability to provoke faulting or assisted loads in legitimate execution.
Consequences
What a successful CAPEC-696 attack can achieve.
Read Data
Affects: Confidentiality
Bypass Protection Mechanism
Affects: Access Control
Execute Unauthorized Commands
Affects: Authorization
How to mitigate it
Defenses that reduce the risk of CAPEC-696.
- Do not allow the forwarding of data resulting from a faulting or assisted instruction. Some current mitigations claim to zero out the forwarded data, but this mitigation still does not suffice.
- Insert explicit “lfence” speculation barriers in software before potentially faulting or assisted loads. This halts transient execution until all previous instructions have been executed and ensures that the architecturally correct value is forwarded.
How to detect it
Indicators that this attack may be underway.
- File Signatures for Malicious Software capable of abusing Transient Instruction Set Execution
Frequently asked questions
Common questions about CAPEC-696.
- What is CAPEC-696?
- An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution in which a faulting or assisted load instruction transiently forwards adversary-controlled data from microarchitectural buffers. By inducing a page fault or microcode assist during victim execution, an adversary can force legitimate victim execution to operate on the adversary-controlled data which is stored in the microarchitectural buffers. The adversary can then use existing code gadgets and side channel analysis to discover victim secrets that have not yet been flushed from microarchitectural state or hijack the system control flow.
- How does a Load Value Injection attack work?
- It typically unfolds over 4 phases. It begins with: [Survey target application and relevant OS shared code libraries] Adversary identifies vulnerable transient instruction sets and the code/function calls to trigger them as well as instruction sets or code fragments (gadgets) to perform attack. The adversary looks for code gadgets which will allow them to load an adversary-controlled value into trusted memory. They also look for code gadgets which might operate on this controlled value.
- How do you prevent CAPEC-696?
- Do not allow the forwarding of data resulting from a faulting or assisted instruction. Some current mitigations claim to zero out the forwarded data, but this mitigation still does not suffice.
- What weaknesses does CAPEC-696 target?
- CAPEC-696 exploits 1 CWE weakness, including CWE-1342 (Information Exposure through Microarchitectural State after Transient Execution).
- How severe is CAPEC-696?
- MITRE rates CAPEC-696 as Very High severity with low likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-696
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.