
"The researchers discovered weaknesses in domain isolation in virtualized environments, proving that host-guest boundaries are not sufficiently isolated, thus leading to sensitive information leaks on various microarchitectures. Their proof-of-concept (PoC) exploit, called VMScape (PDF), is a Spectre branch target injection (Spectre-BTI) attack targeting cloud environments, and can be used against all AMD Zen CPUs, as well as older Intel CPUs."
"To demonstrate the vBTI primitives, the academics devised VMScape, which they describe as "the first Spectre-based end-to-end exploit in which a malicious guest user can leak arbitrary, sensitive information from the hypervisor in the host domain, without requiring any code modifications and in default configuration." The attack targets Kernel Virtual Machine (KVM)/QEMU as the hypervisor, focusing on QEMU as the hypervisor's user-space component on the host."
A new attack breaks virtualization isolation to leak arbitrary memory and expose cryptographic keys. The attack exploits Spectre branch target injection (Spectre-BTI) and targets the CPU's shared branch predictor state to cross host-guest boundaries. CPU mitigations for speculative execution have been extended to branch predictor state, but gaps in those mitigations enable virtualization-based Spectre-BTI (vBTI) primitives. A proof-of-concept called VMScape demonstrates an end-to-end exploit that allows a malicious guest to leak hypervisor memory without code modifications and under default configuration. VMScape targets KVM/QEMU, affects AMD Zen families and older Intel CPUs, and achieved 32 B/s on AMD Zen 4.
Read at SecurityWeek