CR · Jul 15, 2020

Data Sampling on MDS-resistant 10th Generation Intel Core (Ice Lake)

arXiv:2007.07428v1 · 1 citation
AI Analysis

This work addresses a critical security vulnerability for users of Intel CPUs, revealing that even newer architectures like Ice Lake are susceptible to data leakage attacks. The contribution is incremental, as it builds on known MDS vulnerabilities.

The authors demonstrated a new variant of the Fallout MDS attack that works on 10th Generation Intel Core (Ice Lake) CPUs, which were previously believed to be immune, using the Transynther tool to automatically synthesize it and showing that only microcode versions after January 2020 prevent exploitation.

Microarchitectural Data Sampling (MDS) is a set of hardware vulnerabilities in Intel CPUs that allows an attacker to leak bytes of data from memory loads and stores across various security boundaries. On affected CPUs, some of these vulnerabilities were patched via microcode updates. Additionally, Intel announced that the newest microarchitectures, namely Cascade Lake and Ice Lake, were not affected by MDS. While Cascade Lake turned out to be vulnerable to the ZombieLoad v2 MDS attack (also known as TAA), Ice Lake was not affected by this attack. In this technical report, we show a variant of MSBDS (CVE-2018-12126), an MDS attack, also known as Fallout, that works on Ice Lake CPUs. This variant was automatically synthesized using Transynther, a tool to find new variants of Meltdown-type attacks. Based on the findings of Transynther, we analyze different microcodes regarding this issue, showing that only microcode versions after January 2020 prevent exploitation of the vulnerability. These results show that Transynther is a valuable tool to find new variants, and also to test for regressions possibly introduced with microcode updates.
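A defender-side check for the microcode-date condition stated in the abstract, as an added example that is not from the paper or from Transynther: it parses the `microcode updated early` line that older Linux kernels write to the kernel log and compares the date with a cutoff. The reading of "after January 2020" as later than 2020-01-31, the family/model pair used for Ice Lake client parts, and the sample log lines and revision numbers are assumptions or constructed values.

```python
import re
from datetime import date

# Format printed by older Linux kernels after an early microcode load.
UCODE_RE = re.compile(
    r"microcode updated early to revision (0x[0-9a-fA-F]+), "
    r"date = (\d{4})-(\d{2})-(\d{2})"
)
# Assumption: "after January 2020" is read as dated later than 2020-01-31.
CUTOFF = date(2020, 1, 31)
# Assumption: family 6, model 0x7E identifies the Ice Lake client part,
# as listed in Linux's intel-family.h.
ICE_LAKE_CLIENT = (6, 0x7E)


def cpu_family_model(cpuinfo: str):
    """Return (family, model) of the first CPU in /proc/cpuinfo text."""
    fam = re.search(r"^cpu family\s*:\s*(\d+)", cpuinfo, re.M)
    mod = re.search(r"^model\s*:\s*(\d+)", cpuinfo, re.M)
    return (int(fam.group(1)), int(mod.group(1))) if fam and mod else None


def latest_microcode(dmesg: str):
    """Return (revision, date) of the last microcode load seen, or None."""
    hits = UCODE_RE.findall(dmesg)
    if not hits:
        return None
    rev, y, m, d = hits[-1]
    return int(rev, 16), date(int(y), int(m), int(d))


def assess(cpuinfo: str, dmesg: str, cutoff: date = CUTOFF) -> str:
    """Classify a host against the microcode-date condition."""
    if cpu_family_model(cpuinfo) != ICE_LAKE_CLIENT:
        return "not-ice-lake-client"
    ucode = latest_microcode(dmesg)
    if ucode is None:
        return "unknown-microcode-date"  # no early-load line in the log
    return "microcode-after-cutoff" if ucode[1] > cutoff else "microcode-too-old"


# Constructed sample inputs (not captured from a real machine).
SAMPLE_CPUINFO = "processor\t: 0\ncpu family\t: 6\nmodel\t\t: 126\nmodel name\t: sample\n"
SAMPLE_OLD = "[    0.000000] microcode: microcode updated early to revision 0x46, date = 2019-08-01\n"
SAMPLE_NEW = "[    0.000000] microcode: microcode updated early to revision 0x78, date = 2020-05-05\n"

if __name__ == "__main__":
    for log in (SAMPLE_OLD, SAMPLE_NEW, ""):
        print(assess(SAMPLE_CPUINFO, log))
```

On a real host the inputs would be the contents of `/proc/cpuinfo` and the kernel log; a result of `unknown-microcode-date` means the log line was absent, not that the microcode is current.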
