October 29, 2024Ravie LakshmananHardware Security/Vulnerabilities
More than six years after the Specter security flaw affecting modern CPU processors was revealed, new research shows modern AMD and Intel processors are still susceptible to speculative execution attacks. It turned out.
The attack, revealed by ETH Zurich researchers Johannes Wichner and Kaveh Razavi, weakens the Indirect Branch Prediction Barrier (IBPB) on x86 chips, a key mitigation against speculative execution attacks. The aim is to make it possible.
Speculative execution is a performance optimization feature that allows modern CPUs to predict program branches in advance and execute certain instructions out of order, speeding up tasks if the speculatively used values are correct. refers to.
If the prediction is wrong, the instruction, called transient, is declared invalid and discarded before the processor resumes execution with the correct value.
Although the results of the execution of a temporary instruction are not reflected in the architectural program state, a forced misprediction can load certain sensitive data into the processor cache, thereby exposing that data to a malicious user. It would be exposed to some attackers and access would otherwise be blocked. .
Intel describes IBPB as “an indirect branch control mechanism that establishes a barrier and prevents software executed before the barrier from controlling the predicted targets of indirect branches executed after the barrier on the same logical processor.” I’m doing it.
This counters Branch Target Injection (BTI), also known as Specter v2 (CVE-2017-5715), which is a cross-domain temporary execution attack (TEA) that leverages indirect branch predictors used by processors to trigger disclosure. used as a method. A speculatively executed gadget.
Disclosure Gadget refers to an attacker’s ability to access architecturally invisible secrets of a victim and steal them through covert channels.
Recent findings from ETH Zurich indicate that microcode bugs in Intel microarchitectures such as Golden Cove and Raptor Cove can be used to circumvent IBPB. This attack is said to be the first actual “end-to-end cross-process Specter leak.”
The researchers said the microcode flaw “retains branch prediction, which could potentially be used even after IBPB disables branch prediction.” “Such post-barrier speculation allows attackers to bypass the security boundaries imposed by process context and virtual machines.”
AMD’s IBPB variant discovered in the research could similarly be bypassed due to the way the Linux kernel applies IBPB, resulting in an attack codenamed Post-Barrier Inception (also known as PB Inception). , allowing an unprivileged attacker to leak privileged memory. On AMD Zen 1(+) and Zen 2 processors.
Intel has made available a microcode patch to address this issue (CVE-2023-38575, CVSS score: 5.5). AMD is tracking this vulnerability as CVE-2022-23824, according to an advisory released in November 2022.
“Intel users should ensure that their Intel microcode is up to date,” the researchers said. “AMD users should always install kernel updates.”
The disclosure comes several months after researchers at ETH Zurich detailed new RowHammer attack techniques, codenamed “ZenHammer” and “SpyHammer,” the latter of which uses RowHammer to determine DRAM temperatures with high precision. I guess.
“RowHammer is very sensitive to temperature fluctuations, even if the fluctuations are very small (e.g., ±1 °C),” the study states. “The bit error rate caused by RowHammer consistently increases (or decreases) as temperature increases, and some DRAM cells that are vulnerable to RowHammer exhibit bit errors only at certain temperatures. .”
By leveraging RowHammer and temperature correlation, an attacker could determine the usage of a computer system and potentially measure the ambient temperature. This attack could also compromise privacy by using temperature measurements to determine people’s habits in the home and when they enter and leave rooms.
“SpyHammer is a simple and effective attack that can monitor the temperature of critical systems without any modification or prior knowledge of the victim’s system,” the researchers said.
“Until definitive and fully secure RowHammer defense mechanisms are adopted, SpyHammer remains a potential threat to system security and privacy. RowHammer vulnerabilities continue to worsen as technology expands. This is a big challenge considering that
Did you find this article interesting? Follow us Twitter ○ You can read more exclusive content from us on LinkedIn.
Source link
