RIDL stands for Rogue In-Flight Data Load. RIDL uses MFBDS as well as MLPDS to acquire data. An attacker can run code in a cloud tenant, on a malicious website or through an advertisement and steal data across the security boundaries that are supposed to isolate it. RIDL shows that attackers can exploit MDS vulnerabilities to mount practical attacks and leak sensitive data in real-world settings. By analyzing the impact on the CPU pipeline, we developed a variety of practical exploits that leak in-flight data from different internal CPU buffers (such as Line-Fill Buffers and Load Ports) that the CPU uses while loading or storing data from memory.
What is MFBDS?
CVE-2018-12130 – Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers are used when an L1 data cache miss occurs, which lets the core continue operating while the data is fetched from higher levels of the cache hierarchy. Sometimes stale data in a fill buffer is forwarded to a load operation, where an attacker can capture it. In addition, two hardware threads on the same physical core share the fill buffer without any partitioning, so a malicious application running on one thread can use the fill buffer to access data belonging to the other thread.
RIDL can be used to leak data from the vulnerable CPU’s various internal buffers (portions of allocated memory used to store or load data). The researchers’ proofs of concept demonstrated how RIDL can be used in a Linux environment to leak root passwords, kernel data, and a string of information from another process.
The researchers noted that RIDL can let hackers steal data from other programs running on the same system: other applications, the operating system’s kernel, cloud-based or virtual machines, and even Intel processors’ enclaves. RIDL reportedly affects devices fitted with Intel chips from as early as 2008.
RIDL and Fallout are similar to the Spectre vulnerability from 2018 in that they take advantage of how a processor manages tasks: it speculates about which computation the OS will need next and discards the wrong guesses. Think of playing a Choose-Your-Own-Adventure book and cheating by looking at the outcome of each choice, picking the page that looks best and forgetting the others. That is how Intel processors stay one step ahead; the downside is that attacks like Spectre, and now RIDL and Fallout, can succeed.
INTRODUCTION TO RIDL (Rogue In-Flight Data Load):
CPUs have various internal buffers such as line-fill buffers, load ports and other buffers, and RIDL allows malicious code to leak information across security domains through them. The attack can then be used to read information from other applications, from a trusted execution environment and, most worryingly, from other virtual machines. It will be interesting to see how cloud providers such as AWS, Azure, etc. deal with this type of attack.
What is the RIDL attack?
Researchers from VUSec – the Systems and Network Security Group at Vrije University in Amsterdam, and from the Helmholtz Center for Information Security (CISPA) have developed the RIDL (short for Rogue In-Flight Data Load) attack.
Here’s how in-flight buffers work and how sensitive data can flow to the attacker’s process:
After rummaging through CPU patent specifications, VUSec found that leaks from CPU buffers were possible. The researchers say that only Intel CPUs.
Mitigating RIDL
- As Intel could release a microcode update that mitigated SSB by completely disabling speculative store forwarding, we believe it should make similar mitigation possible for all possible sources of speculation when applying micro-optimizations. It will then be up to system software to decide which optimizations to turn off until hardware mitigations become available.
- Finding all instances of RIDL will likely take a long time due to the complexity of these micro-optimizations. Hence, rather than spot mitigations that are often ineffective against the next discovered attack, we need to start the development and deployment of more fundamental mitigations against the many possible classes of speculative execution attacks.
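A defender-side check, added here as an example and not code from the RIDL paper or from VUSec: it reads the Linux kernel's MDS status file and the CPU flag list and reports whether the kernel's buffer-clearing mitigation is active, whether the md_clear microcode it depends on is present, and whether a sibling hyperthread (which shares the fill buffer, as described above) can still sample data. The sysfs path and the md_clear flag are real Linux kernel interfaces; the function names and the sample sysfs/cpuinfo strings are constructed for this example.

```python
# Added example (not from the RIDL paper or VUSec): classify a Linux host's
# MDS/RIDL mitigation state from the kernel's sysfs report and /proc/cpuinfo.
MDS_SYSFS_PATH = "/sys/devices/system/cpu/vulnerabilities/mds"

# Constructed sample inputs shaped like real sysfs / procfs content.
SAMPLE_MDS_SYSFS = "Mitigation: Clear CPU buffers; SMT vulnerable\n"
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca "
    "cmov ssse3 sse4_1 sse4_2 avx2 md_clear flush_l1d\n"
)

def parse_mds_status(sysfs_text):
    """Decode the kernel's one-line MDS report into a small dict."""
    text = sysfs_text.strip()
    status = {"raw": text, "affected": True, "mitigated": False, "smt_vulnerable": False}
    if text == "Not affected":
        status["affected"] = False
        status["mitigated"] = True
    elif text.startswith("Mitigation:"):
        # Kernel clears CPU buffers on privilege transitions; the suffix says
        # whether a sibling hyperthread can still sample the shared fill buffer.
        status["mitigated"] = True
        status["smt_vulnerable"] = "SMT vulnerable" in text
    return status

def has_md_clear(cpuinfo_text):
    """True when the microcode exposes the md_clear flag the kernel needs."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return "md_clear" in line.split(":", 1)[1].split()
    return False

def assess(sysfs_text, cpuinfo_text):
    """Return a short verdict a defender can act on."""
    status = parse_mds_status(sysfs_text)
    if not status["affected"]:
        return "not affected"
    if not status["mitigated"]:
        if has_md_clear(cpuinfo_text):
            return "vulnerable: microcode present but kernel mitigation off"
        return "vulnerable: no md_clear microcode"
    if status["smt_vulnerable"]:
        return "partial: buffers cleared but SMT sibling can still sample"
    return "mitigated"

def assess_live_host():
    """Run the check against the running kernel (Linux only)."""
    with open(MDS_SYSFS_PATH) as sysfs, open("/proc/cpuinfo") as cpuinfo:
        return assess(sysfs.read(), cpuinfo.read())
```

A "partial" verdict on a multi-tenant host is the case the page warns about: the buffers are flushed on kernel entry and exit, but a co-scheduled thread on the same core still shares the fill buffer.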