Snoop-Assisted L1 Data Sampling

ID 758367
Updated 3/10/2020
Version Latest
Public

author-image

By

This technical documentation expands on the information in the Snoop-assisted L1D Sampling disclosure overview for software developers. Note that this documentation will use more precise (but different) terminology for transient execution side channel methods than we have used in past documents. Be sure to review the updated terminology guide and the list of affected processors. 

A domain-bypass transient execution attack1 variant known as snoop2-assisted L1 data sampling has been assigned CVE-2020-0550 with a CVSS of 5.6 Medium (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N). Under a specific set of complex conditions involving a cache-coherence snoop to a modified cache line3, a malicious adversary may be able to infer the data values of some modified cache lines in the L1 data (L1D) cache using snoop-assisted L1 data sampling.

On certain processors and under certain conditions, data in a modified cache line that is being returned in response to a snoop may also be forwarded to a faulting, microarchitectural assist, or Intel® Transactional Synchronization Extensions (Intel® TSX) asynchronous aborting load operation to a different address that occurs simultaneously. This may potentially allow a malicious adversary to construct a covert channel to infer modified data in the L1D cache that the victim intends to protect from the malicious adversary. This domain-bypass transient execution attack is called snoop-assisted L1D sampling.

Note that this is different from L1D Eviction Sampling (CVE-2020-0449). In that issue, the eviction data may be inferrable even without a snoop. Snoop-assisted L1D sampling requires the snoop to hit a modified cache line in the exact same single core clock cycle window as the faulting/assisting/aborting load.

Locally executed malicious software may be able to infer the values of data in a cache line that was modified on the same physical core by:

  • Other applications
  • Operating System (OS)
  • System Management Mode (SMM)
  • Virtual Machine Monitor (VMM)

In all of these scenarios, a local adversary is restricted to seeing only cache lines that were non-speculatively modified by entities with legitimate access to that data.

Example of Snoop-Assisted L1D Sampling Steps

  1. A victim process executing on physical core A modifies a cache line containing secret data (for example, by storing secret data to the cache line).
  2. A malicious adversary is also able to execute on physical core A containing the modified sensitive cache line.
  3. A victim process on physical core B reads the modified cache line containing secret data, causing a snoop to that modified cache line.
    • During the same clock cycle that the snoop reaches physical core A, the adversary on physical core A simultaneously causes a faulting, microarchitectural assist, or Intel® TSX asynchronous aborting load. This load may transiently receive the victim’s data from the snoop response.
  4. The adversary executes transient dependent operations that use the results of the faulting load to create a covert channel that may enable the adversary to infer the secret data.

Note that after the snoop in step 3, regardless of whether or not the faulting load in step 3a successfully receives some snoop response data, the cache line is no longer in the modified state. The line would need to be non-speculatively modified again before another probe could be attempted. Also, accesses which do not complete due to faults (for example, page faults) or EPT violations do not initiate snoops.

Other scenarios may be possible. Examples include:

  • Step 3 could use a store to the modified cache line instead of a read, including to non-secret data that is within the same cache line as the secret.
  • Step 3 could use a non-temporal store, which may cause the snoop even when the victim process executes on the same physical core.This may include cases where the non-temporal store is used to overwrite the secret data.

Mitigation

As the processors affected by snoop-assisted L1D sampling are a subset of those affected by L1 Terminal Fault (L1TF), software may have already applied L1TF mitigations on systems affected by snoop-assisted L1D sampling.

Similar to the L1TF VMM mitigations4, snoop-assisted L1D sampling can be mitigated by flushing the L1D cache between when secrets are accessed and when possibly malicious software runs on the same core. See L1 Terminal Fault for more details on this technique.

OS

For snoop-assisted L1D sampling, the only cache lines that are vulnerable are cache lines that are modified while in the L1D, not all cache lines that are accessed in the L1D. Additionally, snoop-assisted L1D sampling does not allow an adversary to directly specify which cache line to infer. Adversaries can only indirectly specify the cache line (for example, by influencing a victim to access the line). It also requires precise timing alignment between multiple operations in a more complex manner than L1TF.

Snoop-assisted L1D sampling could be mitigated by flushing the L1D cache before executing potentially malicious applications, which would require changes to the OS scheduler when hyperthreading is enabled and could impact the performance of system transitions. Because of the difficulty of this method and the performance impact caused by this mitigation, Intel does not recommend applying such mitigations to the OS. More details on the hyperthreading interaction can be found in Microarchitectural Data Sampling.

Virtual Machine Manager (VMMs)

When the VMM is fully applying L1TF mitigations, the sensitive memory contents of the VMM or other virtual machines (VMs) will not be in the L1D cache when a possibly malicious VM executes. This will help prevent a malicious VM from attacking a VMM or other VMs with snoop-assisted L1D sampling.

System Management Mode (SMM)

Processors that are mitigated for L1TF for SMM will flush the L1D cache on each exit from SMM mode and thus already mitigate snoop-assisted L1D sampling.

Related Content

Affected Processors

Footnotes

  1. The terms “domain-bypass” and “transient execution attack” are described in here.
  2. See Intel Software Developer's Manual Version 071 Volume 3A Section 11.2 “Caching Terminology.”
  3. This only affects modified cache lines, which means the cache line has been written since it was inserted into the L1 data cache. On affected processors, cache lines that are in other states in the L1 data cache, like Shared, Exclusive or Invalid, do not return data to a cache-coherence snoop and thus are not affected.
  4. L1 Terminal Fault

 

Software Security Guidance Home | Advisory Guidance | Technical Documentation | Best Practices | Resources