Another data-leaking Spectre bug found, smashes Intel, Arm defenses
Your processor design fell off the vulnerability tree and hit every branch on the way down
Analysis Intel this month published an advisory to address a novel Spectre v2 vulnerability in its processors that can be exploited by malware to steal data from memory that should otherwise be off limits.
Arm said a number of its processor cores are also affected by this security flaw, and like Intel, its hardware defenses can't block it outright, leaving developers to implement software-level mitigations.
The latest Spectre revival, identified by academics at VU Amsterdam, is known as Branch History Injection (BHI). Spectre is one of two closely related chip architecture blunders, details of which emerged in 2018; the other being Meltdown that The Register first highlighted.
The VU Amsterdam team – Enrico Barberis, Pietro Frigo, Marius Muench Herbert Bos, and Cristiano Giuffrida – described BHI [PDF] as a variation of Spectre v2, also known as Branch Target Injection (BTI).
What makes BHI noteworthy is that it can bypass recent silicon-level BTI mitigations implemented by Intel (eIBRS, or enhanced Indirect Branch Restricted Speculation) and Arm (CSV2, short for FEAT_CSV2, which separates predictions by context), thus allowing information to leak across privilege boundaries. In other words, a rogue user-level application can use BHI to extract keys and other secrets from OS kernel memory, which should be out of bounds, and the built-in defenses on Intel and Arm-designed CPU cores won't work.
Spectre v2/BTI is exploited by manipulating the indirect branch predictors in an affected processor to speculatively execute "gadgets" – blocks of carefully chosen code – that gradually leak memory from one part of the system into another. Initially this was addressed through software (retpoline), which slowed things down to a degree, and then hardware (eIBRS and CSV2).
However, what the VU boffins recently found was that these hardware fixes fail to address the full scope of the Spectre v2/BTI attack surface.
The eIBRS and CSV2 defenses reinforce privilege boundaries for transient operations, but they fail to isolate a global branch history buffer that can be used to influence target predictions for indirect branches across privilege boundaries.
"The hardware mitigations do prevent the unprivileged attacker from injecting predictor entries for the kernel," a VU blog post explains. "However, the predictor relies on a global history to select the target entries to speculatively execute. And the attacker can poison this history from userland to force the kernel to mispredict to more 'interesting' kernel targets (i.e., gadgets) that leak data."
The VU team said AMD is not affected by BHI.
As we've noted before with the Spectre and Meltdown family, if malware really wanted to steal information from, say, the kernel it would probably use a privilege-escalation hole in the operating system to achieve this, rather than gradually extract data via the processor's inner mechanisms. That said, left unchecked, Spectre might be more widely exploited. In any case, it's an interesting consequence of modern CPU pipeline design, in which engineers one way or another prioritized performance over security.
With Spectre once again reanimated, Intel responded by issuing security advisory INTEL-SA-00598, covering Branch History Injection (CVE-2022-0001) and Intra-mode Branch Target Injection (CVE-2022-0002).
Intel's advisory is basically guidance on how to stop known and anticipated exploitation methods for BHI, a promise that future chips will tackle the flaw, and updated technical documentation for programmers:
On BHI-affected processors, Intel recommends disabling unprivileged eBPF, enabling eIBRS and enabling SMEP. This will mitigate the demonstrated BHI attack as well as other intra-mode BTI attacks using eBPF. This makes transient execution attacks more difficult in general and is the current default configuration for most Linux distributions.
In addition to the demonstrated attacks using eBPF, the possibility exists that there may be other BHI attacks identified in the future. Such potential BHI attacks can be mitigated by adding LFENCE to specific identified gadgets that are found to be exploitable.
Future processors are expected to mitigate BHI attacks in hardware.
The advisory lists vulnerable processors; it includes 10th and 11th-generation Core chips.
Intel's not done yet
Gelsinger's gang took the opportunity to share their own research paper that identified a weakness in AMD's original 2018 kernel-level Spectre mitigation. The paper, titled "You Cannot Always Win the Race: Analyzing the LFENCE/JMP Mitigation for Branch Target Injection," looks at AMD's use of LFENCE/JMP x86 instructions to serialize code execution to protect against speculative-execution side-channel leaks.
The VU BHI research, according to Intel researchers, prompted Intel's partners to ask whether AMD's LFENCE/JMP software mitigation for Spectre v2 on x86 processors – passed over in favor of retpoline and eIBRS on Intel chips, and the default Linux kernel mitigation on AMD systems – might be a viable option to close the newly discovered BHI security gap on Intel silicon.
According to Intel's Alyssa Milburn, Ke Sun, and Henrique Kawakami, that would not be a good option. LFENCE/JMP "relies on an inherent race condition, and we show that the remaining window for speculative execution can still allow the transient execution of disclosure gadgets," the trio explained in their paper.
In other words, AMD's Spectre v2 protection was found by Intel to be inadequate: malware could still infer privileged data on certain AMD systems when the LFENCE/JMP protection method is in place. This is separate to the BHI issue, which doesn't affect AMD, and applies to earlier Spectre v2/BTI attacks. After being tipped off to this, AMD assigned this oversight CVE-2021-26401, and submitted patches to the Linux kernel that make retpoline the default BTI defense on AMD processors. Indeed, those patches landed in Linux 5.17-rc8 this month.
This switch in default BTI defense may result in a performance hit on AMD CPU cores, depending on the workload and circumstances.
Separately, AMD this month acknowledged security bug CVE-2021-26341 in a bunch of its Ryzen and Epyc processors, and a few other parts, as detailed here on its official website and here in depth by Pawel Wieczorkiewicz of Grsecurity.
According to AMD, some of its processors "may transiently execute beyond unconditional direct branches, which may potentially result in data leakage." In order words, another Spectre-like side-channel. The fix for this appears to be updated guidance for software developers, compiler makers, and kernel programmers on how to protect code from snooping.
Meanwhile, in Arm land
In a blog post this month, Arm acknowledged the BHI vulnerability is present in a number of its CPU cores, including its latest Cortex-A and Neoverse cores. Arm dubbed the security hole Spectre-BTB, referring to the processor's branch history buffer, and tagged it as CVE-2022-23960. It said its silicon-level CSV2 defense against Spectre v2 cannot stop Spectre-BTB attacks.
"While Spectre-BHB is similar to Spectre v2, the CSV2 hardware features introduced to mitigate against Spectre v2 do not work against Spectre-BHB," Arm explained in its whitepaper [PDF] on the subject.
Arm plans to add a ClearBHB instruction to the Arm architecture to clear the CPU BTB in a way that prevents data from being extracted. "In addition, future versions of the architecture will require that when taking an exception to a higher exception level, the BHB will be cleared to the extent required to mitigate Spectre-BHB," Arm said.
Until that instruction is added, CPU cores can perform a special loop when certain exceptions are raised to discard the branch buffer to avoid exploitation. ®