L1TF Reloaded

Original link: https://github.com/ThijsRay/l1tf_reloaded

The Rain research project presents a new exploit, "L1TF Reloaded", that can leak sensitive data in cloud environments such as AWS and Google Cloud. It combines the L1TF and (Half-)Spectre transient execution vulnerabilities to bypass commonly deployed software mitigations such as L1d flushing and core scheduling. The attack runs from a malicious virtual machine (VM) that locates another VM on the same physical host; in the demonstration it extracted the private TLS key of an Nginx web server. The specific gadgets used in KVM have been patched, but older kernel versions remain vulnerable. Even on updated systems the underlying issue remains and only requires a different exploitation technique. The researchers recommend deploying broader "blanket" mitigations against L1TF Reloaded and other microarchitectural attacks to strengthen cloud security. The project provides the exploit code and detailed reproduction instructions.


Original text

The Rain research project shows how a malicious virtual machine can abuse transient execution vulnerabilities to leak data from the host, as well as from other virtual machines. This repository contains the research artifact: the L1TF Reloaded exploit and instructions on how to reproduce our results.

For details, we refer you to:

Our end-to-end exploit, called "L1TF Reloaded", abuses two long-known transient execution vulnerabilities: L1TF and (Half-)Spectre. Combining them lets an attacker circumvent commonly deployed software-based mitigations against L1TF, such as L1d flushing and core scheduling.

We have launched our exploit against the production clouds of both AWS and Google. Below is a (fast-forwarded) recording of our exploit running within a VM on GCE. The exploit, at runtime, finds another VM on the same physical host, detects that it is running an Nginx webserver, and leaks its private TLS key.

L1TF Reloaded demonstration on GCE

This repository is structured as follows:

  • deps: exploit dependencies
  • include: exploit headers files
  • scripts: utility scripts
  • setup: reproduction resources
  • src: exploit source code

We provide detailed reproduction instructions for:

The specific gadgets that we leverage have been patched in KVM. On Intel CPUs that are affected by L1TF, only stable kernel releases before 5.4.298, 5.10.242, 5.15.191, 6.1.150, 6.6.104, 6.12.45 or 6.16.5 are vulnerable to this specific attack. The underlying issue is still there, but a different half-Spectre gadget is necessary to exploit L1TF Reloaded on up-to-date production systems. As discussed in our paper, we recommend deploying additional blanket mitigations against L1TF Reloaded's attack strategy, as well as other microarchitectural attacks in general.
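The following script is an added example, not part of the l1tf_reloaded repository: it turns the fixed stable releases quoted above into a check of the running kernel, and reads the standard sysfs L1TF status to tell whether the CPU is affected at all. The function names, the assumption that any stable series newer than 6.16 carries the mainline fix, and the three-way result (unpatched / patched / unlisted) are choices made here for illustration.

```sh
#!/bin/sh
# Added example (not from the l1tf_reloaded repository): decide whether a host
# kernel still carries the KVM half-Spectre gadget used by L1TF Reloaded, using
# the fixed stable releases quoted in the README, and whether the CPU is
# reported as affected by L1TF at all.

# First stable release of each series that carries the KVM fix (from the README).
FIXED_RELEASES="5.4.298 5.10.242 5.15.191 6.1.150 6.6.104 6.12.45 6.16.5"

# Path the kernel uses to report L1TF status (standard sysfs interface).
L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf

# split_version VER: set V_MAJ V_MIN V_PAT from "6.12.45-1-amd64" or "6.16".
split_version() {
    v=${1%%-*}                  # drop "-rc1", "-1-amd64" and similar suffixes
    v=${v%%+*}                  # drop a "+" localversion marker
    V_MAJ=${v%%.*}
    rest=${v#*.}
    if [ "$rest" = "$v" ]; then # bare major, e.g. "6"
        V_MIN=0; V_PAT=0; return 0
    fi
    V_MIN=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then V_PAT=0; else V_PAT=${patch%%.*}; fi
    return 0
}

# series_newer A_MAJ A_MIN B_MAJ B_MIN: true when A is a newer series than B.
series_newer() {
    [ "$1" -gt "$3" ] || { [ "$1" -eq "$3" ] && [ "$2" -gt "$4" ]; }
}

# l1tf_reloaded_gadget_status VER: print one word and return
#   0 "unpatched": VER predates the fixed release of its stable series
#   1 "patched":   VER is at or after the fix, or belongs to a series newer than
#                  any listed (assumption made here: such kernels carry the fix)
#   2 "unlisted":  the README quotes no fixed release for that series
l1tf_reloaded_gadget_status() {
    split_version "$1"
    k_maj=$V_MAJ; k_min=$V_MIN; k_pat=$V_PAT
    newest_maj=0; newest_min=0
    for fixed in $FIXED_RELEASES; do
        split_version "$fixed"
        if series_newer "$V_MAJ" "$V_MIN" "$newest_maj" "$newest_min"; then
            newest_maj=$V_MAJ; newest_min=$V_MIN
        fi
        if [ "$k_maj" -eq "$V_MAJ" ] && [ "$k_min" -eq "$V_MIN" ]; then
            if [ "$k_pat" -lt "$V_PAT" ]; then echo unpatched; return 0; fi
            echo patched; return 1
        fi
    done
    if series_newer "$k_maj" "$k_min" "$newest_maj" "$newest_min"; then
        echo patched; return 1
    fi
    echo unlisted; return 2
}

# l1tf_cpu_affected STATUS: true unless the sysfs text reports "Not affected".
# A "Mitigation: ..." line still means affected hardware; the README's point is
# that L1d flushing and core scheduling do not stop L1TF Reloaded.
l1tf_cpu_affected() {
    case "$1" in
        "Not affected"*) return 1 ;;
        *) return 0 ;;
    esac
}

# report_host: combine both checks for the kernel this script runs on.
report_host() {
    kver=$(uname -r)
    status=$(l1tf_reloaded_gadget_status "$kver")
    echo "kernel $kver: KVM gadget $status"
    if [ -r "$L1TF_SYSFS" ]; then
        l1tf=$(cat "$L1TF_SYSFS")
        if l1tf_cpu_affected "$l1tf"; then
            echo "CPU: affected by L1TF ($l1tf)"
        else
            echo "CPU: $l1tf"
        fi
    else
        echo "CPU: $L1TF_SYSFS not readable, cannot tell"
    fi
}

report_host || :
```

Two caveats when reading the output. Distribution kernels routinely backport fixes without changing the version string, so an "unpatched" verdict on, say, a Debian 6.1.0-based kernel should be confirmed against the distribution's changelog rather than taken at face value. And a sysfs line that begins with "Mitigation:" is not reassuring here: the mitigations it names are exactly the L1d flushing and core scheduling that the README says this attack circumvents, so on affected hardware the blanket mitigations the paper recommends are what matters.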
