A new Spectre-like attack dubbed VMScape allows a malicious virtual machine (VM) to leak cryptographic keys from an unmodified QEMU hypervisor process running on modern AMD or Intel CPUs.
The attack breaks the isolation between VMs and the cloud hypervisor, bypassing existing Spectre mitigations and threatening to leak sensitive data by leveraging speculative execution.
The researchers highlight that VMScape does not require compromising the host and works on unmodified virtualization software with default mitigations enabled on the hardware.
They note that a threat actor could deploy such an attack against a cloud provider by simply renting a virtual machine to leak secrets from the hypervisor or other VMs.
VMScape was developed by a team of researchers at ETH Zurich public university in Switzerland, who discovered that it affects all AMD processors from Zen 1 to Zen 5, as well as Intel’s “Coffee Lake” CPUs. The newer, “Raptor Cove” and “Gracemont” are not impacted.
Leaking secrets from QEMU
Modern CPUs protect against speculative attacks by extending isolation to branch prediction units (BPU) between the guest and host, but the researchers discovered that this isolation is incomplete.
Host to guest separation
Source: ETH Zurich
A guest user can influence indirect branch prediction in a host user process due to shared BPU structures like the BTB (Branch Target Buffer), IBP/ITA, and BHB (Branch History Buffer).
... continue reading