Spectre flaws continue to haunt Intel and AMD as researchers find fresh attack method
The indirect branch predictor barrier is less of a barrier than hoped
Six years after the Spectre transient execution processor design flaws were disclosed, efforts to patch the problem continue to fall short.
Johannes Wikner and Kaveh Razavi of Swiss university ETH Zurich on Friday published details about a cross-process Spectre attack that derandomizes Address Space Layout Randomization and leaks the hash of the root password from the Set User ID (suid) process on recent Intel processors. The researchers claim they successfully conducted such an attack.
Spectre refers to a set of attacks made possible because of the way processors conduct speculative execution - a performance optimization technique that involves making calculations in advance. The results can be used if needed, or otherwise discarded.
Branch prediction is a form of speculative execution, and modern processors use it to make guesses about the path a program will take. It's related to branch target prediction, which attempts to predict the target address of the next instruction to be executed in a given branch.
Spectre attacks try to make the branch predictor forward an incorrect prediction – such that when the processor executes the associated instructions, it accesses out-of-bounds memory that contains secrets like passwords or encryption keys. Subsequent operations on the memory area storing secrets may allow the attacker to infer those secrets by observing side-channels – such as CPU cache accesses and power fluctuations.
The indirect branch predictor barrier (IBPB) was intended as a defense against Spectre v2 (CVE-2017-5715) attacks on x86 Intel and AMD chips. IBPB is designed to prevent forwarding of previously learned indirect branch target predictions for speculative execution.
Evidently, the barrier wasn't implemented properly.
"We found a microcode bug in the recent Intel microarchitectures – like Golden Cove and Raptor Cove, found in the 12th, 13th and 14th generations of Intel Core processors, and the 5th and 6th generations of Xeon processors – which retains branch predictions such that they may still be used after IBPB should have invalidated them," explained Wikner. "Such post-barrier speculation allows an attacker to bypass security boundaries imposed by process contexts and virtual machines."
- Critical default credential bug in Kubernetes Image Builder allows SSH root access
- Critical hardcoded SolarWinds credential now exploited in the wild
- Microsoft crafts Rust hypervisor to power Azure workloads
- Manifest file destiny: Declare your funding needs via JSON
Wikner and Razavi also managed to leak arbitrary kernel memory from an unprivileged process on AMD silicon built with its Zen 2 architecture.
Videos of the Intel and AMD attacks have been posted, with all the cinematic dynamism one might expect from command line interaction.
Intel chips – including Intel Core 12th, 13th, and 14th generation and Xeon 5th and 6th – may be vulnerable. On AMD Zen 1(+) and Zen 2 hardware, the issue potentially affects Linux users.
The relevant details were disclosed in June 2024, but Intel and AMD found the problem independently.
Intel fixed the issue in a microcode patch (INTEL-SA-00982) released in March, 2024. Nonetheless, some Intel hardware may not have received that microcode update.
In their technical summary, Wikner and Razavi observe: "This microcode update was, however, not available in Ubuntu repositories at the time of writing this paper."
It appears Ubuntu has subsequently dealt with the issue.
AMD issued its own advisory in November 2022, in security bulletin AMD-SB-1040. The firm notes that hypervisor and/or operating system vendors have work to do on their own mitigations.
"Because AMD’s issue was previously known and tracked under AMD-SB-1040, AMD considers the issue a software bug," the researchers explain. "We are currently working with the Linux kernel maintainers to merge our proposed software patch." ®