Bypassing KPTI Using the Speculative Behavior of the SWAPGS Instruction

Presented at Black Hat Europe 2019, Dec. 5, 2019, 3:25 p.m. (50 minutes)

Speculative-execution based attacks and side-channels are more and more common as disclosures continue to increase scrutiny by researchers in this field. In this talk, we demonstrate a new type of side-channel attack based on speculative execution of the SWAPGS instruction inside the OS kernel. This attack is capable of circumventing all existing protective measures, such as CPU microcode patches or kernel address space isolation (KVA shadowing/KPTI). We practically demonstrate this by showing how the speculative execution of the SWAPGS instruction may allow an attacker to leak portions of the kernel memory, by employing a variant of Spectre V1. During the talk, we will also detail some other minor discoveries related to speculative execution, mainly how some segment registers are handled.


  • Dan Lutas - Senior Researcher, Bitdefender
    In 14+ years of experience in Information Security (all with Bitdefender), Dan Lutas tried to grasp many aspects of this complex topic – technical (operating systems internals, networking, hypervisor technologies), non-technical (auditing of information systems, security management), defensive (malware analysis, development of advanced detection and prevention technologies) and offensive (penetration testing, vulnerability analysis) – in order to have a holistic view of the domain. He obtained several InfoSec certifications (CISSP, CEH, CISA, OSCP, OSCE). Since 2016, he holds a PhD from Technical University of Cluj-Napoca (TUCN). His current role with Bitdefender involves developing dynamic exploit detection techniques which are incorporated in all Bitdefender products. He teaches Information Systems Auditing and Incident Response & Forensics courses at a Master program in TUCN. He is the author / co-author of 5 scientific papers and 5 US patents regarding low-level hypervisor security.
  • Andrei Lutas - Senior Researcher, Bitdefender
    Andrei Lutas joined Bitdefender in October 2008, as a junior virus researcher; Initial responsibilities included reverse engineering of malicious samples, adding signatures for malicious files, developing disinfection routines and developing code-similarity methods and systems. He joined the R&D team in November 2011, as an Introspection Research Lead, and started developing today's cutting edge Hypervisor Memory Introspection engine. During his work on this project, he was involved in the writing several academic papers, he spoke at several industry-leading conferences such as CERT-RO, USENIX or IDF, he demoed the HVMI solution at events such as Citrix Synergy or VMworld, and he worked at more than 10 patent applications. Currently, Andrei is a PhD student and an associated teacher at the Technical University of Cluj-Napoca, and he leads the team responsible for the developing of the HVI solution, which grew from 3 people 3 years to ago to almost 20 today. His main interests are everything low-level related, such as reverse-engineering, hypervisor and hardware based security, and security-oriented ISA extensions.


Similar Presentations: