New VMScape Attack Raises Concerns Over Virtual Machine Security


Researchers have revealed a new attack technique called VMScape that can break the security barriers between virtual machines and the systems that host them. This discovery is significant because virtualization forms the backbone of today’s cloud computing environments, where multiple customers often share the same physical hardware.

How the attack works

Modern processors use a performance trick known as speculative execution, where the CPU guesses the next steps of a program before it is certain. While this speeds up computing, past incidents like the Spectre vulnerability have shown that attackers can manipulate this feature to gain access to protected information.

VMScape builds on this concept. Instead of targeting an individual application, it allows a malicious virtual machine to influence the predictions the processor makes while running the host hypervisor, the software that manages multiple virtual machines. By carefully crafting these interactions, attackers can cause the hypervisor to briefly access secret data, such as encryption keys, which then leaves behind subtle traces in the processor’s cache. The attacker can measure these traces and piece together the stolen information.

The researchers focused on QEMU, a widely used hypervisor component. By training the processor’s branch prediction structures, a malicious VM can trick QEMU into speculatively executing instructions that leak information. To make the attack more reliable, the team developed methods to clear out cache entries and bypass protections like Address Space Layout Randomization (ASLR).

In practice, they managed to extract information at about 32 bytes per second with near-perfect accuracy. This means that a 4 KB encryption key could be stolen in just over two minutes, while the full attack process, including defeating ASLR, took around 13 minutes.

Which systems are impacted

According to the findings, VMScape affects a wide range of AMD processors from the first Zen generation up to Zen 5, as well as Intel’s Coffee Lake CPUs. The latest Intel architectures, such as Raptor Cove and Gracemont, are not vulnerable. Importantly, the attack does not require altering the host system or disabling existing mitigations, making it more concerning for shared environments like public cloud platforms.

The implications for cloud security are clear: if one customer’s virtual machine can read sensitive data from another, it undermines trust in multi-tenant platforms. However, it is important to note that this attack is complex, requires expert-level skills, and demands uninterrupted time to execute. Ordinary users are unlikely to be directly affected.

Next steps

The discovery highlights the ongoing challenge of securing speculative execution in modern CPUs. While vendors are expected to release updates and mitigations, system administrators and cloud providers will need to stay alert and apply patches as they become available. For most users, the best course of action is to ensure their providers are following these security updates.


