
L1TF Reloaded


Rain

The Rain research project shows how a malicious virtual machine can abuse transient execution vulnerabilities to leak data from the host, as well as from other virtual machines. This repository contains the research artifact: the L1TF Reloaded exploit and instructions on how to reproduce our results.

For details, we refer you to:

The Exploit: "L1TF Reloaded"

Our end-to-end exploit, called "L1TF Reloaded", abuses two long-known transient execution vulnerabilities: L1TF and (Half-)Spectre. Combining the two lets it circumvent commonly deployed software-based mitigations against L1TF, such as L1d flushing and core scheduling.

We have launched our exploit against the production clouds of both AWS and Google. Below is a (fast-forwarded) recording of our exploit running within a VM on GCE. The exploit, at runtime, finds another VM on the same physical host, detects that it is running an Nginx webserver, and leaks its private TLS key.

Repository Contents

This repository is structured as follows:

deps: exploit dependencies

include: exploit header files
