Bypassing KPTI Using the Speculative Behavior of the SWAPGS Instruction

Andrei Lutas, Dan Lutas at Black Hat Europe 2019

Speculative-execution-based attacks and side channels are becoming more common as each disclosure draws further scrutiny from researchers in this field. In this talk, we demonstrate a new type of side-channel attack based on the speculative execution of the SWAPGS instruction inside the OS kernel. This attack is capable of circumventing all existing protective measures, such as CPU microcode patches or kernel address space isolation (KVA shadowing/KPTI).

Full Abstract & Presentation Materials: https://www.blackhat.com/eu-19/briefings/schedule/#bypassing-kpti-using-the-speculative-behavior-of-the-swapgs-instruction-18045