

# ZOMBIELOAD ATTACK

MICHAEL SCHWARZ  
MORITZ LIPP





**Michael Schwarz**

Faculty @ CISPA Helmholtz Center for Information Security

@misc0110

michael.schwarz@cispa.saarland

**Moritz Lipp**

PhD Candidate @ Graz University of Technology

@mlqxyz

moritz.lipp@iaik.tugraz.at



# Microarchitecture

Figure (slide build): pipeline diagram with three blocks: Frontend (Fetch + Decode), Execution Engine, Memory Subsystem (Write Back).

# Caching Speeds Up Memory Accesses

# How Do Caches Actually Work?

## User Memory

|   |   |   |
|---|---|---|
|   | A | B |
| C | D | E |
| F | G | H |
| I | J | K |
| L | M | N |
| O | P | Q |
| R | S | T |
| U | V | W |
| X | Y | Z |

```
char value = kernel[0];   // access to a kernel address: page fault (exception)
mem[value];               // executed out of order before the fault is delivered,
                          // indexed by the leaked byte ('K' in the slide)
```

# Meltdown in the Microarchitecture

| Meltdown     |            |
|--------------|------------|
| Leakage Rate | 552.4 kB/s |
| Error Rate   | 0.003 %    |

Leak (Meltdown)

Figure (slide build; labels: Kernel Memory, L1 Cacheline): a row of memory cells marked X, one cell at a time highlighted as the byte currently being leaked into the L1 cache line; one cell is marked P.

How to get rid of the noise?



There is no noise.

Noise is just someone else's data

# Analyse the Noise

Lemma 1: Noise is someone else's data

## Deep Dive: Intel Analysis of Microarchitectural Data Sampling

Fill buffers may retain stale data from prior memory requests until a new memory request overwrites the fill buffer. Under certain conditions, the fill buffer may speculatively forward data, including stale data, to a load operation that will cause a fault/assist.

# Complex Load Situations

## User Memory

|   |   |   |
|---|---|---|
|   | A | B |
| C | D | E |
| F | G | H |
| I | J | K |
| L | M | N |
| O | P | Q |
| R | S | T |
| U | V | W |
| X | Y | Z |

```
char value = faulting[0]; // load that faults (or needs a microcode assist)
mem[value];               // executed out of order before the fault is delivered,
                          // indexed by the value transiently forwarded ('K' in the slide)
```

# ZombieLoad Variant 1

# ZombieLoad Variant 3

- Microcode assist handles **rare cases**
  - Microarchitectural fault
  - Setting **accessed/dirty bit** in page table
  - Regularly reset on Windows
- Leak data on **same** and **sibling** hyperthread, across:
  - Applications
  - Operating System
  - SGX Enclave
  - Virtual Machine
  - Hypervisor

Address bits of the leaked data, per attack (slide build; page number bits 51..12 physical / 47..12 virtual, page offset bits 11..0):

| Attack            | Page Number (physical / virtual) | Page Offset   |
|-------------------|----------------------------------|---------------|
| Meltdown          | 51..12 / 47..12                  | 11..0         |
| Foreshadow        | 51..12 / 47..12                  | 11..0         |
| Fallout           | 51..12 / 47..12                  | 11..0         |
| ZombieLoad / RIDL | 51..12 / 47..12                  | 11..6 \| 5..0 |

# IMPOSSIBLE

$\text{key}_n$ (0xD2)

| bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 |
|-------|-------|-------|-------|-------|-------|-------|-------|
| 1     | 1     | 0     | 1     | 0     | 0     | 1     | 0     |








| Variant                                        | Leakage Rate |
|------------------------------------------------|--------------|
| Variant 1: Kernel Mapping                      | 5.30 kB/s    |
| Variant 3: Microcode-Assisted Page-Table Walk  | 7.73 kB/s    |

Legend: ● works, ○ does not work, ⚡ can be prevented

- Disable hyperthreading or group scheduling
- Overwrite microarchitectural buffers
  - VERW instruction (microcode update)
  - Software sequences
- New CPUs which are not affected

| CPU                                 | Meltdown | Foreshadow | RIDL | Fallout | MLPDS | MDSUM | ZombieLoad |
|-------------------------------------|----------|------------|------|---------|-------|-------|------------|
| 8th/9th gen. Intel Core Coffee Lake | ✗        | ✗          | ✗    | ✗       | ✗     | ✗     | ???        |
| Intel Xeon Cascade Lake             | ✗        | ✗          | ✗    | ✗       | ✗     | ✗     | ???        |

<https://www.intel.com/content/www/us/en/architecture-and-technology/engineering-new-protections-into-hardware.html>

Figure: cartoon zombie holding up a wooden sign that reads "RISE AGAIN".



What about second variant?





# ZombieLoad Variant 2

```
// Variant 2

flush(mapping);                        // evict the mapped line from the cache

if (xbegin() == _XBEGIN_STARTED) {     // start a TSX transaction
    maccess(lut + 4096 * mapping[0]);  // the transaction aborts asynchronously (TAA);
                                       // the value transiently returned for mapping[0]
                                       // selects one page of the lookup table
    xend();
}
```



- **Data Conflicts**
- **Limited Transactional Resources**
- **Certain Instructions**
  - IO instructions, syscall, ...
- **Synchronous Exception Events**
  - #BR, #PF, #DB, #BP/INT3, ...

#### 12.2.4.5 Miscellaneous Transactional Aborts

Asynchronous events (NMI, SMI, INTR, IPI, PMI, etc.) occurring during transactional execution may cause the transactional execution to abort and transition to a non-transactional execution.

[...] For example, operating systems with timer ticks generate interrupts that can cause transactional aborts.















































| Variant                                        | Leakage Rate |
|------------------------------------------------|--------------|
| Variant 1: Kernel Mapping                      | 5.30 kB/s    |
| Variant 2: Transactional Asynchronous Abort    | 39.66 kB/s   |
| Variant 3: Microcode-Assisted Page-Table Walk  | 7.73 kB/s    |

Legend: ● works, ○ does not work, ⚡ can be prevented

MORITZ LIPP, MICHAEL SCHWARZ, DANIEL MOGHIMI, JO VAN BULCK

# ZOMBIELOAD

GRAZ UNIVERSITY OF TECHNOLOGY PRESENTS, IN COLLABORATION WITH WORCESTER POLYTECHNIC INSTITUTE, KU LEUVEN, AND CYBERUS TECHNOLOGY, AN ACM CCS 2019 PAPER "ZOMBIELOAD: CROSS-PRIVILEGE-BOUNDARY DATA SAMPLING", WRITTEN BY MICHAEL SCHWARZ, MORITZ LIPP, DANIEL MOGHIMI, JO VAN BULCK, JULIAN STECKLINA, THOMAS PRESCHER, DANIEL GRUSS

**Josh Walden** @jmw1123 · Nov 19

Case of beer on its way/there later this week thanks Daniel! Thanks again for the partnership!

**Daniel Gruss** @lavados · Nov 13

Replying to @Desertrold and @jmw1123

I'm in favor!

**Daniel Gruss** @lavados

Replying to @jmw1123

Thanks again Josh!

We already received the case a month ago but only found time this weekend to sit together and enjoy some!

We wish you a merry Christmas and look forward to continuing to work with Intel next year.

cc @cc0x1f @mlqxyz @misc0110 @tugraz\_csbme #tugraz

5:45 PM · Dec 24, 2019




- **Disable Intel TSX**
  - Deactivated by default with new microcode updates on CPUs enumerating MDS\_NO
  - **VERW** to overwrite affected buffers
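The mitigations above (VERW buffer overwrite, SMT off, MDS_NO hardware, TSX disabled) are what a Linux kernel reports under `/sys/devices/system/cpu/vulnerabilities/`. As an added example, not from the slides or the IAIK repository, the POSIX shell script below rates a host's MDS and TAA posture from those status strings; the verdict tokens and the sample strings are my own construction, modelled on the kernel's documented status formats.

```shell
#!/bin/sh
# Added example (not from the slides): rate a Linux host's MDS/ZombieLoad
# posture from the status strings the kernel exposes under
# /sys/devices/system/cpu/vulnerabilities/ (mds, tsx_async_abort) and the
# SMT state under /sys/devices/system/cpu/smt/control.

# classify STATUS SMT -> prints one verdict token.
# STATUS: content of vulnerabilities/mds or vulnerabilities/tsx_async_abort
# SMT:    content of smt/control ("on", "off", "forceoff", "notsupported", ...)
classify() {
  status=$1; smt=$2
  case "$status" in
    "Not affected"*)
      # CPU enumerates MDS_NO / TAA_NO: fixed in hardware
      echo "not-affected" ;;
    "Mitigation: TSX disabled"*)
      # Variant 2 (TAA) has no transactions left to abort
      echo "mitigated-tsx-off" ;;
    "Mitigation: Clear CPU buffers"*)
      # VERW (MD_CLEAR microcode) overwrites the buffers on privilege
      # switches. The slides report VERW alone is not reliable, and a
      # sibling hyperthread can still sample the buffers while SMT is on.
      case "$smt" in
        off|forceoff|notsupported) echo "mitigated-verw-smt-off" ;;
        *)                         echo "partial-verw-smt-on" ;;
      esac ;;
    "Vulnerable: Clear CPU buffers attempted, no microcode"*)
      # kernel wants to use VERW but the microcode update is missing
      echo "vulnerable-no-microcode" ;;
    "Vulnerable"*)
      echo "vulnerable" ;;
    *)
      echo "unknown" ;;
  esac
}

# read_or FILE DEFAULT -> file content, or DEFAULT when the file is absent
# (non-Linux host, or a VM that does not expose the sysfs entries).
read_or() { [ -r "$1" ] && cat "$1" || echo "$2"; }

# report -> one line per vulnerability file for this host
report() {
  base=/sys/devices/system/cpu
  smt=$(read_or "$base/smt/control" "unknown")
  for v in mds tsx_async_abort; do
    st=$(read_or "$base/vulnerabilities/$v" "unknown")
    printf '%s: %s -> %s\n' "$v" "$st" "$(classify "$st" "$smt")"
  done
}

report
```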



| Date             | Event                                           |
|------------------|-------------------------------------------------|
| 2019, April 12   | We report ZombieLoad                            |
| 2019, April 24   | Report Variant 2                                |
| 2019, May 10     | Report TAA on Cascade Lake                      |
| 2019, May 11     | Call with Intel + Embargo                       |
| 2019, May 14     | Disclosure of ZombieLoad (without Variant 2)    |
| 2019, May 14     | MDS-resistant CPUs and Mitigations available    |
| 2019, May 16     | Report VERW/Software-Sequences are insufficient |
| 2019, Nov 14     | Public Disclosure of Variant 2                  |
| 2020, January 27 | Public Disclosure of L1DES                      |

- Software-sequences and VERW do **not work reliably**
  - Cases where leakage is still visible

Figure (labels): L1D, Fill Buffer, L2D

# L1 Data Eviction Sampling (L1DES)

# Transient Execution Attack Tree

Figure (slide build; node labels: Transient cause, Address): the attack tree from <https://transient.fail>









You can find our **proof-of-concept** implementation on:

- <https://github.com/IAIK/ZombieLoad>

- Transient-execution attacks: the gift that keeps on giving
- Class of Meltdown attacks is larger than expected
- CPUs are deterministic - there is no noise

# ZombieLoad: Leaking Data on Intel CPUs

<https://github.com/IAIK/ZombieLoad>

**Michael Schwarz (@misc0110), Moritz Lipp (@mlqxyz)**

October 2, 2020

- Michael Schwarz, Moritz Lipp, Daniel Moghimi, Jo Van Bulck, Julian Stecklina, Thomas Prescher, and Daniel Gruss. “ZombieLoad: Cross-Privilege-Boundary Data Sampling”. In: *CCS*. 2019
- Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. “Meltdown: Reading Kernel Memory from User Space”. In: *USENIX Security Symposium*. 2018