More than six years later Specter security issue impact on today’s CPU processors has been revealed, a new study has shown that the latest AMD and Intel processors are still susceptible to speculative execution attacks.
attack opened by ETH Zürich researchers Johannes Wikner and Kave Razavi aims to break down the barrier of an indirect predictor of industries (IBPB) on x86 chips, an important countermeasure against speculative execution attacks.
Speculative performance refers to a performance optimization feature however, modern processors execute certain instructions out of order, predicting program branching in advance, thus speeding up the task if the value used speculatively was correct.
If this results in a false prediction, the instructions, called transients, are invalidated and suppressed before the processor can resume execution with the correct value.
Although the execution results of transient instructions are unrelated to the architectural state of the program, they can still load certain sensitive data into the CPU cache through forced misprediction, thereby exposing it to a malicious adversary that would otherwise be blocked from accessing it to them. .
Intel describes IBPB as “a branch indirection control mechanism that establishes a barrier preventing software that was executing before the barrier from controlling the predicted targets of indirections that execute after the barrier on the same logical processor”.
It is used as a way to counter Branch Target injection (BTI), also known as Specter v2 (CVE-2017-5715), is a cross-domain transient execution attack (TEA) that exploits indirect branch predictors used by processors to cause disclosure gadget be speculatively executed.
A disclosure gadget refers to an attacker’s ability to access a victim’s secret that is otherwise architecturally invisible and obtain it through a covert channel.
Recent findings from ETH Zürich show that a microcode bug in Intel microarchitectures such as Golden Cove and Raptor Cove can be used to bypass IBPB. The attack was described as the first practical “end-to-end Spectre cross-process leak”.
The microcode flaw “preserves branch predictions in such a way that they can still be used after IBPB should have invalidated them,” the researchers said. “Such post-barrier speculation allows an attacker to bypass the security boundaries set by process contexts and virtual machines.”
Research has shown that AMD’s IBPB variant can be bypassed in the same way due to the way IBPB is applied by the Linux kernel, resulting in an attack codenamed Post-Barrier The beginning (aka PB-Inception) – This allows an unprivileged adversary to leak privileged memory on AMD Zen 1(+) and Zen 2 processors.
Intel has made available a microcode patch refer to problem (CVE-2023-38575, CVSS score: 5.5). AMD, for its part, is tracking the vulnerability as CVE-2022-23824, according to advisory released in November 2022.
“Intel users should make sure their intel microcode is updated,” the researchers said. “AMD users should be sure to install kernel updates.”
The disclosure comes months after ETH Zürich researchers detailed new attack methods codenamed RowHammer ZenHammer and SpyHammer, the latter of which uses RowHammer to determine DRAM temperatures with high accuracy.
“The RowHammer is very sensitive to temperature changes, even if they are very small (eg ±1 °C),” the study says. said. “The percentage of bit errors caused by RowHammer constantly increases (or decreases) as temperature increases, and some DRAM cells vulnerable to RowHammer only detect bit errors at a certain temperature.”
Using the correlation between RowHammer and temperature, an attacker can determine computer system usage and measure ambient temperature. The attack could also compromise privacy by using temperature measurements to determine a person’s home habits and when they enter and leave a room.
“SpyHammer is a simple and effective attack that can spy on the temperature of critical systems without modification or prior knowledge of the victim system,” the researchers noted.
“SpyHammer could be a potential threat to the security and privacy of systems until a definitive and fully secure RowHammer defense mechanism is adopted, which is a big problem given that the RowHammer vulnerability continues to worsen as the technology scales.”
