
Bypassing KPTI Using the Speculative Behavior of the SWAPGS Instruction



Speculative-execution attacks and side channels are becoming increasingly common, as each new disclosure draws further scrutiny from researchers in this field.

In this whitepaper, we demonstrate a new type of side-channel attack based on speculative execution of instructions inside the OS kernel. This attack is capable of circumventing all existing protective measures, such as CPU microcode patches or kernel address space isolation (KVA shadowing/KPTI).

We demonstrate this in practice by showing how the speculative execution of the SWAPGS instruction may allow an attacker to leak portions of kernel memory using a variant of Spectre V1.
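Because the attack targets the kernel's entry path, the practical defender question is whether the running kernel carries the SWAPGS fix. The following script is an added example, not code from the whitepaper or from Bitdefender: it parses the Spectre V1 status string that Linux exposes under `/sys/devices/system/cpu/vulnerabilities/spectre_v1` and classifies it. The status strings used as samples are constructed here to match the format Linux reports (kernels with the SWAPGS barrier include the text "swapgs barriers"); the sysfs path is the real kernel interface, while the function names and the classification labels are this example's own.

```python
#!/usr/bin/env python3
"""Classify the Linux spectre_v1 mitigation status, including the SWAPGS barrier.

Added example (not from the whitepaper). Linux reports its speculative-execution
mitigation state in /sys/devices/system/cpu/vulnerabilities/spectre_v1. Kernels
that carry the SWAPGS fix include "swapgs barriers" in that text; older patched
kernels report only the __user pointer sanitization.
"""
import pathlib

SYSFS_PATH = pathlib.Path("/sys/devices/system/cpu/vulnerabilities/spectre_v1")


def classify_spectre_v1(status: str) -> str:
    """Classify one spectre_v1 status line.

    Returns one of (labels are this example's own):
      "mitigated-with-swapgs"  mitigation present and includes the SWAPGS barrier
      "mitigated-no-swapgs"    some Spectre V1 mitigation, but no SWAPGS barrier
      "vulnerable"             kernel reports Vulnerable
      "not-affected"           kernel reports Not affected
      "unknown"                text not recognised
    """
    low = status.strip().lower()
    if low.startswith("not affected"):
        return "not-affected"
    if low.startswith("vulnerable"):
        return "vulnerable"
    if low.startswith("mitigation:"):
        return "mitigated-with-swapgs" if "swapgs" in low else "mitigated-no-swapgs"
    return "unknown"


def read_live_status(path: pathlib.Path = SYSFS_PATH):
    """Read the sysfs file on the running host.

    Returns None when it is unavailable (non-Linux host, a kernel too old to
    expose the file, or no read permission) so callers can fall back gracefully.
    """
    try:
        return path.read_text()
    except OSError:
        return None


# Constructed sample status lines modelled on the format Linux uses, for offline use.
SAMPLE_STATUSES = {
    "patched":   "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "unpatched": "Mitigation: __user pointer sanitization",
    "vuln":      "Vulnerable",
    "na":        "Not affected",
}


def classify_samples() -> dict:
    """Classify every constructed sample; handy for inventory-style batch checks."""
    return {name: classify_spectre_v1(text) for name, text in SAMPLE_STATUSES.items()}


if __name__ == "__main__":
    live = read_live_status()
    if live is None:
        print("spectre_v1 status unavailable on this host; showing constructed samples")
        for name, text in SAMPLE_STATUSES.items():
            print(f"{name:10s} {classify_spectre_v1(text):24s} <- {text}")
    else:
        print(f"{live.strip()} -> {classify_spectre_v1(live)}")
```

Run it on a Linux host to read the live value; on any other system it falls back to the constructed samples so the classification logic can still be exercised. A result of `mitigated-no-swapgs` on an affected CPU indicates a kernel that predates the SWAPGS barrier and should be updated.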


