Recent transient-execution attacks, such as RIDL, Fallout, and ZombieLoad, demonstrated that attackers can leak information while it transits through microarchitectural buffers. Named Microarchitectural Data Sampling (MDS) by Intel, these attacks are likened to "drinking from the firehose", attacker has little control over what data is observed origin. Unable prevent buffers leaking, Intel issued countermeasures via microcode updates overwrite when CPU changes security domains. In this work we present CacheOut, a new attack capable of bypassing Intel's buffer countermeasures. We observe being evicted CPU's L1 cache, often transferred back leaky where be recovered attacker. CacheOut improves previous MDS allowing choose which well part cache line leak. demonstrate across multiple boundaries, including those between processes, virtual machines, user kernel space, SGX enclaves.

Load

Load