Revision as of 14:54, 26 January 2018
CVE-2017-5754 (Meltdown, Variant 3, Rogue Data Cache Load) is a microprocessor vulnerability that allows an attacker to overcome all memory isolation mechanisms offered by the microprocessor by causing it to speculatively execute code out-of-order that loads inaccessible information, which ends up changing the cache state of the microarchitecture and thereby leaks the information through side-channel timing analysis.
Overview
Rogue Data Cache Load leverages the speculative, out-of-order execution behavior of the microprocessor in order to cause some code to expose more information than intended. Specifically, Meltdown breaks the basic memory isolation assumption that the operating system relies on to manage the virtual memory of each process.
Consider the following code.
char val = *(char *)0xAAAAA;
When executed, this line will likely cause a segmentation fault due to an access restriction violation. Meltdown demonstrated that while the fault is being handled by the operating system (in an elevated supervisor mode), the microprocessor can continue to execute subsequent code out-of-order under the assumption that this is the right path. Moreover, Meltdown demonstrated that this code can be executed as supervisor, thereby potentially reading memory it should not have access to. A carefully crafted piece of code by an attacker can be used in a way similar to Spectre Variant 1 to leak any kernel space memory.
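As an added defender-side check (not code from the wiki page), the following Python reads the Linux kernel's sysfs status entry for Meltdown together with the `pti` flag that the kernel adds to /proc/cpuinfo when kernel page-table isolation is active, and reports whether the two sources agree; the SAMPLE_* strings are constructed inputs and the function names are my own.

```python
# Added example: assess a Linux host's Meltdown (CVE-2017-5754) exposure from
# the kernel's own reporting. The SAMPLE_* inputs below are constructed to
# mirror the formats the kernel uses; they are not captured from a real host.

SYSFS_PATH = "/sys/devices/system/cpu/vulnerabilities/meltdown"
CPUINFO_PATH = "/proc/cpuinfo"

SAMPLE_SYSFS_MITIGATED = "Mitigation: PTI\n"
SAMPLE_SYSFS_VULNERABLE = "Vulnerable\n"
SAMPLE_SYSFS_NOT_AFFECTED = "Not affected\n"
SAMPLE_CPUINFO_PTI = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 sep pti ssbd\n"
)
SAMPLE_CPUINFO_NO_PTI = "processor\t: 0\nflags\t\t: fpu vme de pse tsc msr\n"


def parse_sysfs_status(text):
    """Map the sysfs string to (state, detail); state is one of
    'not_affected', 'mitigated', 'vulnerable' or 'unknown'."""
    s = text.strip()
    if s == "Not affected":
        return "not_affected", s
    if s.startswith("Mitigation:"):
        return "mitigated", s.split(":", 1)[1].strip()
    if s.startswith("Vulnerable"):
        return "vulnerable", s
    return "unknown", s


def cpuinfo_has_pti(text):
    """True if the 'pti' feature flag appears on any CPU's flags line."""
    for line in text.splitlines():
        if line.startswith("flags") and "pti" in line.split(":", 1)[1].split():
            return True
    return False


def assess(sysfs_text, cpuinfo_text):
    """Combine both sources; a mismatch between them is worth investigating."""
    state, detail = parse_sysfs_status(sysfs_text)
    pti = cpuinfo_has_pti(cpuinfo_text)
    consistent = state == "not_affected" or (state == "mitigated") == pti
    return {"state": state, "detail": detail, "pti_flag": pti, "consistent": consistent}


if __name__ == "__main__":
    try:  # use the live kernel files when available, else the constructed samples
        with open(SYSFS_PATH) as f, open(CPUINFO_PATH) as g:
            print(assess(f.read(), g.read()))
    except OSError:
        print(assess(SAMPLE_SYSFS_MITIGATED, SAMPLE_CPUINFO_PTI))
```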