Researchers at Vrije Universiteit Amsterdam say that exploitation of SLAM, a new attack they have disclosed, could lead to the disclosure of sensitive information from the kernel memory of current and upcoming CPUs from Intel, AMD, and Arm.
The attack is an end-to-end Spectre exploit based on a new feature of Intel CPUs called Linear Address Masking (LAM), as well as AMD's analogous counterpart, Upper Address Ignore (UAI), and Arm's Top Byte Ignore (TBI).
“SLAM exploits unmasked gadgets to leak arbitrary ASCII kernel data from userland processes,” the VUSec researchers said, adding that it could be used to leak the root password hash from kernel memory within minutes.
Although LAM is presented as a security feature, the study found that it ironically reduces security and “dramatically” increases the Spectre attack surface, enabling transient execution attacks that exploit speculative execution to extract sensitive data via cache-based covert channels.
“Transient execution attacks exploit the microarchitectural side effects of transient instructions, thus allowing a malicious adversary to access information that would ordinarily be prohibited by architectural access control mechanisms,” Intel explains in its terminology documentation.
Said to be the first transient execution attack targeting future CPUs, SLAM leverages a new covert channel based on non-canonical address translation to facilitate the practical exploitation of generic Spectre gadgets and leak valuable information. It affects the following CPUs:
- Existing AMD CPUs vulnerable to CVE-2020-12965
- Future Intel CPUs that support LAM (both 4-level and 5-level paging)
- Future AMD CPUs that support UAI and 5-level paging
- Future Arm CPUs supporting TBI and 5-level paging
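As an added illustration (not code from the article or from VUSec), a small Python model of the x86-64 canonical-address check and of the relaxed check LAM applies to user pointers, showing why a pointer carrying stray bytes in its upper bits faults before translation on a classic CPU but is translated once LAM is enabled. Bit positions follow Intel's LAM definition as I understand it (an assumption, not something the article states), and the pointer values are constructed.

```python
from typing import Optional

# Constructed values: a plausible user-space pointer, and the same pointer
# with a one-byte tag (0x41) in bits 55:48, which the classic x86-64
# rules treat as non-canonical under 4-level paging.
USER_PTR = 0x00007FFFFFFFF000
TAGGED_PTR = USER_PTR | (0x41 << 48)

def is_canonical(addr: int, paging_levels: int) -> bool:
    """Classic check: every bit above the top implemented bit must equal it
    (bits 63:47 all equal for 4-level paging, bits 63:56 for 5-level)."""
    top = 47 if paging_levels == 4 else 56
    upper = addr >> top
    return upper == 0 or upper == (1 << (64 - top)) - 1

def lam_mode_for(paging_levels: int) -> str:
    """Modelled pairing (assumption): LAM_U48 with 4-level paging,
    LAM_U57 with 5-level paging."""
    return "LAM_U48" if paging_levels == 4 else "LAM_U57"

def lam_accepts(addr: int, mode: str) -> bool:
    """LAM's relaxed check for user pointers (bit 63 clear): LAM_U48 ignores
    bits 62:48 and only requires bit 47 == bit 63; LAM_U57 ignores bits
    62:57 and only requires bit 56 == bit 63."""
    check_bit = 47 if mode == "LAM_U48" else 56
    return (addr >> check_bit) & 1 == 0

def lam_mask(addr: int, mode: str) -> int:
    """Address actually translated: the ignored bits are replaced by copies
    of bit 63, i.e. cleared for a user pointer."""
    low = 48 if mode == "LAM_U48" else 57
    meta = ((1 << 63) - 1) & ~((1 << low) - 1)   # bit mask for bits 62:low
    return addr & ~meta

def translate(addr: int, paging_levels: int, lam: bool) -> Optional[int]:
    """Linear address the MMU would go on to translate, or None where the
    canonicality check faults before any translation (and hence before any
    cache side effect) happens. Supervisor pointers (bit 63 set) keep the
    classic check; LAM_SUP is not modelled."""
    if not lam or addr >> 63:
        return addr if is_canonical(addr, paging_levels) else None
    mode = lam_mode_for(paging_levels)
    return lam_mask(addr, mode) if lam_accepts(addr, mode) else None

if __name__ == "__main__":
    for levels, lam in ((4, False), (4, True), (5, False), (5, True)):
        out = translate(TAGGED_PTR, levels, lam)
        print(f"{levels}-level, LAM={lam}:",
              "fault" if out is None else hex(out))
```

Without LAM the tagged pointer faults on a 4-level system; with LAM it is silently masked to USER_PTR and translated, which is the behaviour the researchers describe as turning otherwise harmless code into usable gadgets.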
“Arm systems already mitigate against Spectre v2 and BHB, and it is considered the software's responsibility to protect itself against Spectre v1,” Arm said in an advisory. “The techniques described here only increase the attack surface of existing vulnerabilities such as Spectre v2 or BHB by augmenting the number of exploitable gadgets.”
AMD has likewise pointed to current Spectre v2 mitigations to address SLAM exploits. Intel, for its part, plans to provide software guidance ahead of the future release of Intel processors that support LAM. In the meantime, a Linux maintainer has developed a patch that disables LAM by default.
The findings come nearly two months after VUSec unveiled Quarantine, a software-only approach to mitigating transient execution attacks that achieves physical domain separation by partitioning the last-level cache (LLC) so that each security domain has exclusive access to a different part of it, with the aim of eliminating covert channels.
“Quarantine's physical domain separation separates different security domains onto separate cores, preventing them from sharing core-local microarchitectural resources,” the researchers said. “Additionally, it unshares the LLC, partitioning it across security domains.”