The Rain Research Project shows how a malicious virtual machine can abuse transient execution vulnerabilities to leak data from the host as well as other virtual machines. This repository contains research artifacts: the L1TF Reloaded exploit and instructions for reproducing our results.
For details, we refer you to:
Our end-to-end exploit, called “L1TF Reloaded”, abuses two long-known transient execution vulnerabilities: L1TF and (half-)Spectre. Combining them circumvents commonly deployed software-based mitigations against L1TF, such as L1d flushing and core scheduling.
We have launched our campaign against the production clouds of both AWS and Google. Below is a (fast-forwarded) recording of our exploit running within a VM on GCE. At runtime, the exploit finds another VM on the same physical host, detects that it is running an Nginx webserver, and leaks its private TLS key.
This repository is structured as follows:
- `deps`: exploit dependencies
- `include`: exploit header files
- `scripts`: utility scripts
- `setup`: breeding resources
- `src`: exploit source code
We provide detailed reproduction instructions for:
Many of the specific gadgets we take advantage of have been patched in KVM. On Intel CPUs affected by L1TF, only stable kernel releases before 5.4.298, 5.10.242, 5.15.191, 6.1.150, 6.6.104, 6.12.45 or 6.16.5 are vulnerable to this specific attack. The underlying problem is still there, but a separate half-Spectre gadget is necessary to exploit L1TF Reloaded on updated production systems. As discussed in our paper, we recommend deploying additional comprehensive mitigations against L1TF Reloaded’s attack strategy as well as other microarchitectural attacks in general.
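As an added example (not part of the L1TF Reloaded artifacts or the paper), the following script turns the version list above into a host-side check: it compares a `uname -r` string against the first fixed release on each listed stable branch and parses the kernel's own L1TF report from `/sys/devices/system/cpu/vulnerabilities/l1tf`. The version thresholds are the ones stated in this README; a kernel from a branch the README does not name (for example 5.11.x) is reported as unknown rather than guessed, and the sysfs sample strings in the docstring are constructed to match the kernel's format.

```python
"""Added example: check a Linux kernel release against the fixed stable
releases listed in the L1TF Reloaded README, and summarise the kernel's
L1TF mitigation report from sysfs.

Assumptions: thresholds are those in the README; branches not listed there
yield None (the README makes no statement about them); the sysfs path is the
standard /sys/devices/system/cpu/vulnerabilities/l1tf on Linux."""

import re
from typing import Optional

# First stable release on each branch that carries the KVM gadget fixes,
# as listed in the README above.
FIXED_RELEASES = {
    (5, 4): 298,
    (5, 10): 242,
    (5, 15): 191,
    (6, 1): 150,
    (6, 6): 104,
    (6, 12): 45,
    (6, 16): 5,
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release: str):
    """Extract (major, minor, patch) from a `uname -r` string such as
    '6.1.149-1-amd64'; distro suffixes are ignored.  Returns None when the
    string does not start with a dotted version."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def kernel_is_vulnerable(release: str) -> Optional[bool]:
    """True if the release is older than the fixed release on its branch,
    False if it is that release or newer, None if the branch is not one the
    README lists (or the string is unparsable)."""
    parsed = parse_kernel_version(release)
    if parsed is None:
        return None
    major, minor, patch = parsed
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return None
    return patch < fixed


def parse_l1tf_status(text: str) -> dict:
    """Split the one-line sysfs L1TF report into its parts.  Constructed
    examples in the kernel's format:
      'Not affected'
      'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable'
    """
    text = text.strip()
    status = {"raw": text, "affected": text != "Not affected",
              "vmx": None, "smt_vulnerable": None}
    for part in text.split(";"):
        part = part.strip()
        if part.startswith("VMX:"):
            status["vmx"] = part[len("VMX:"):].strip()
            status["smt_vulnerable"] = "SMT vulnerable" in part
    return status


def read_sysfs_l1tf(path="/sys/devices/system/cpu/vulnerabilities/l1tf") -> Optional[dict]:
    """Read and parse the live sysfs report; None when the file is absent
    (non-Linux host, or a kernel without the vulnerabilities directory)."""
    try:
        with open(path) as f:
            return parse_l1tf_status(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    import platform
    rel = platform.release()
    print(f"kernel {rel}: older than listed fix = {kernel_is_vulnerable(rel)}")
    live = read_sysfs_l1tf()
    print("sysfs l1tf:", live["raw"] if live else "not available")
```

The version comparison is only meaningful for kernels that track upstream stable numbering; enterprise distributions backport fixes without bumping the upstream version, so on those hosts the sysfs report and the distribution's own advisories are the authoritative signal. Note also that the sysfs line reports the kernel's configured L1TF mitigation, not whether the separate half-Spectre gadget the README mentions is present.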