For HomeFor BusinessFor Partners
Miscellaneous Whitepapers
1 min read

Bypassing KPTI Using the Speculative Behavior of the SWAPGS Instruction

Bitdefender

August 06, 2019

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Bypassing KPTI Using the Speculative Behavior of the SWAPGS Instruction

Bitdefender senior researchers Dan Horea Luțaș and Andrei Vlad Luțaș recently uncovered a new speculative-execution vulnerability and demonstrated how it can be exploited via a side-channel style attack, dubbed SWAPGS Attack. The vulnerability has been publicly reported today as CVE-2019-1125.

While side-channel attacks have been known for some time now, speculative execution-based attacks are new, and signs indicate they will linger on for some time. To date, the most famous examples are Meltdown, Spectre, L1TF, and Microarchitectural Data Sampling (MDS).
Speculative execution allows the CPU to execute instructions before knowing whether the results are required. Vulnerabilities in speculative-execution can be exploited via side-channel attacks. Successful exploitation allows an unprivileged attacker to bypass basic memory isolation enforcement provided by hardware. This allows attackers to gain access to privileged data which would normally not be accessible to unprivileged processes.

Mitigations for this class of vulnerabilities are tricky to implement. They generally fall into three categories: hardware fixes, software mitigations or microcode mitigations. All previously exposed side-channel attacks are mitigated by at least one of the three approaches.

In a technical whitepaper published today, Bitdefender researchers describe the SWAPGS Attack. The attack is a novel approach of leaking sensitive information from the kernel since it bypasses all known side-channel attack mitigation techniques. This is achieved by abusing the fact that SWAPGS instruction can be executed speculatively. An attacker can force arbitrary memory dereferences in kernel, which leaves traces within the data caches. These signals can be picked-up by the attacker to infer the value located at the given kernel address.

Existing mitigations are provided by Bitdefender through the Hypervisor Introspection (HVI). HVI is available for Citrix Hypervisor and is in technology preview for KVM hypervisor.

Download the whitepaper

tags

Miscellaneous Whitepapers

Author

Bitdefender

Bitdefender

The meaning of Bitdefender’s mascot, the Dacian Draco, a symbol that depicts a mythical animal with a wolf’s head and a dragon’s body, is “to watch” and to “guard with a sharp eye.”

View all posts

Right now Top posts

Infected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware
Anti-Malware Research

Infected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware

June 08, 2023

5 min read
Vulnerabilities identified in Amazon Fire TV Stick, Insignia FireOS TV Series
IoT Research Whitepapers

Vulnerabilities identified in Amazon Fire TV Stick, Insignia FireOS TV Series

May 02, 2023

2 min read
EyeSpy - Iranian Spyware Delivered in VPN Installers
Anti-Malware Research Whitepapers

EyeSpy - Iranian Spyware Delivered in VPN Installers

January 11, 2023

2 min read
Bitdefender Partnership with Law Enforcement Yields MegaCortex Decryptor
Anti-Malware Research Free Tools

Bitdefender Partnership with Law Enforcement Yields MegaCortex Decryptor

January 05, 2023

1 min read

FOLLOW US ON SOCIAL MEDIA

You might also like

New macOS Backdoor Written in Rust Shows Possible Link with Windows Ransomware Group
Anti-Malware Research

New macOS Backdoor Written in Rust Shows Possible Link with Windows Ransomware Group
Andrei LAPUSNEANU

February 08, 2024

9 min read
Investigating Worldwide SMS Scams, and Tens of Millions of Dollars in Fraud
Anti-Malware Research

Investigating Worldwide SMS Scams, and Tens of Millions of Dollars in Fraud
Vulnerabilities identified in Bosch BCC100 Thermostat
IoT Research

Vulnerabilities identified in Bosch BCC100 Thermostat
Bitdefender

January 11, 2024

4 min read

Bookmarks

loader