GitHub – ThijsRay/l1tf_reloaded


The Rain research project shows how a malicious virtual machine can abuse
transient execution vulnerabilities to leak data from the host, as well as from
other virtual machines. This repository contains the research artifact: the
L1TF Reloaded exploit and instructions on how to reproduce our results.

For details, we refer you to:

Our end-to-end exploit, called “L1TF Reloaded”, abuses two long-known transient
execution vulnerabilities: L1TF
and (Half-)Spectre. By combining them,
commonly deployed software-based mitigations against L1TF, such as
L1d flushing
and core scheduling,
can be circumvented.

We have launched our exploit against the production clouds of both AWS and
Google. Below is a (fast-forwarded) recording of our exploit running within a VM
on GCE. The exploit, at runtime, finds another VM on the same physical host,
detects that it is running an Nginx webserver, and leaks its private TLS key.

L1TF Reloaded demonstration on GCE

This repository is structured as follows:

  • deps: exploit dependencies
  • include: exploit header files
  • scripts: utility scripts
  • setup: reproduction resources
  • src: exploit source code

We provide detailed reproduction instructions for:

The specific gadgets that we leverage have been patched in KVM.
On Intel CPUs that are affected by L1TF, only stable kernel releases before
5.4.298, 5.10.242, 5.15.191, 6.1.150, 6.6.104, 6.12.45 or 6.16.5 are vulnerable
to this specific attack. The underlying issue is still there, but a different
half-Spectre gadget is necessary to exploit L1TF Reloaded on up-to-date
production systems. As discussed in our paper, we recommend deploying additional
blanket mitigations against L1TF Reloaded’s attack strategy, as well as other
microarchitectural attacks in general.
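To check whether a host's running kernel is at or past the KVM fix releases listed above, here is an added Python helper; it is not part of this repository's artifact. It assumes only the branch/fix table from the paragraph above and the kernel's own `/sys/devices/system/cpu/vulnerabilities/l1tf` report, and it does not account for distribution kernels that backport the fix without bumping the version number.

```python
"""Compare a Linux kernel release string against the L1TF Reloaded KVM fix
releases listed in the README. Added helper, not part of the research artifact."""
import platform
import re
from pathlib import Path

# Stable branches and the first release of each that carries the KVM gadget fix,
# copied from the README paragraph above.
FIXED_IN = {
    (5, 4): 298,
    (5, 10): 242,
    (5, 15): 191,
    (6, 1): 150,
    (6, 6): 104,
    (6, 12): 45,
    (6, 16): 5,
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release: str):
    """Turn a `uname -r` string such as '6.1.149-1-amd64' into (6, 1, 149).
    A missing patch level (e.g. '6.16') is treated as .0."""
    m = VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def gadget_patched(release: str):
    """True if the release is at or past the fix for its stable branch, False if it
    is an earlier release of a listed branch, None if the README says nothing about
    that branch (e.g. EOL branches, or distribution kernels with backported fixes)."""
    major, minor, patch = parse_release(release)
    fix = FIXED_IN.get((major, minor))
    if fix is None:
        return None
    return patch >= fix


def l1tf_hw_status(sysfs=Path("/sys/devices/system/cpu/vulnerabilities/l1tf")):
    """The kernel's own L1TF verdict for this CPU, or None if the file is absent."""
    try:
        return sysfs.read_text().strip()
    except OSError:
        return None


if __name__ == "__main__":
    rel = platform.release()
    print(f"kernel {rel}: KVM gadget fix present: {gadget_patched(rel)}")
    print(f"L1TF status reported by the kernel: {l1tf_hw_status()}")
```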
