Speculative-execution attacks continue to find loopholes even in modern processors.
It has been more than six years since the legendary Spectre vulnerability was discovered, yet the latest AMD and Intel CPUs are still susceptible to speculative execution attacks.
This is the conclusion reached by researchers from ETH Zürich, Johannes Wikner and Kaveh Razavi, in their recent work titled "Breaking the Barrier: Post-Barrier Spectre Attacks". They found that the Indirect Branch Predictor Barrier (IBPB) protection used in x86 processors does not provide complete protection against data leaks.
Processors use speculative execution to run ahead by predicting which way a program will go. When a prediction turns out to be wrong, the speculatively executed instructions are squashed, but by then they may already have loaded confidential data into the cache, where an attacker can observe it.
Intel describes IBPB as a barrier that prevents indirect branch predictions learned before the barrier from influencing indirect branches executed after it. However, the ETH Zürich research shows that a microcode flaw in Intel microarchitectures such as Golden Cove and Raptor Cove allows this barrier to be bypassed. The researchers call the attack the first "Spectre end-to-end interprocess leak".
A similar vulnerability was found in AMD Zen 1(+) and Zen 2 processors: because of how the Linux kernel applies IBPB, unprivileged users can read privileged memory using an attack codenamed Post-Barrier Inception (PB-Inception).
Intel has already released a patch to address this vulnerability (CVE-2023-38575). AMD is tracking the issue as CVE-2022-23824 and recommends that users install kernel updates for protection.
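A defender-side check for the mitigations discussed above, added here as an example and not taken from the paper or from either vendor: it reads the Linux kernel's own report of its Spectre v2 and IBPB state and flags AMD family 0x17 CPUs (the Zen 1, Zen+ and Zen 2 generations). The sysfs path, the `IBPB:` status wording and the family number are standard Linux and AMD values that the article itself does not mention.

```shell
#!/bin/sh
# Added example, not part of the article or the vendors' tooling.
# Summarise what the Linux kernel reports about its Spectre v2 mitigation,
# whether IBPB is in use, and whether the CPU is an AMD family 0x17 part
# (Zen 1 / Zen+ / Zen 2, the generations named for PB-Inception).
VULN_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# ibpb_state STATUS
#   STATUS is the one-line content of the spectre_v2 sysfs file, e.g.
#   "Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling"
#   Prints: conditional | always-on | disabled | absent
ibpb_state() {
    case "$1" in
        *"IBPB: conditional"*) echo conditional ;;
        *"IBPB: always-on"*)   echo always-on ;;
        *"IBPB: disabled"*)    echo disabled ;;
        *)                     echo absent ;;
    esac
}

# overall_state STATUS -> mitigated | vulnerable | not-affected | unknown
overall_state() {
    case "$1" in
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        "Not affected"*) echo not-affected ;;
        *)               echo unknown ;;
    esac
}

# zen12_family VENDOR FAMILY -> true (0) for AMD family 23 (0x17)
zen12_family() {
    [ "$1" = "AuthenticAMD" ] && [ "${2:-0}" -eq 23 ]
}

# report: read the live system and print a short summary
report() {
    if [ ! -r "$VULN_FILE" ]; then
        echo "no $VULN_FILE: not Linux, or a kernel without vulnerability reporting" >&2
        return 1
    fi
    status=$(cat "$VULN_FILE")
    vendor=$(awk -F': *' '/^vendor_id/ {print $2; exit}' /proc/cpuinfo)
    family=$(awk -F': *' '/^cpu family/ {print $2; exit}' /proc/cpuinfo)
    microcode=$(awk -F': *' '/^microcode/ {print $2; exit}' /proc/cpuinfo)
    echo "spectre_v2 : $status"
    echo "overall    : $(overall_state "$status")"
    echo "IBPB       : $(ibpb_state "$status")"
    echo "cpu        : $vendor family $family microcode ${microcode:-unknown}"
    if zen12_family "$vendor" "$family"; then
        echo "note       : AMD family 0x17 (Zen 1/Zen+/Zen 2): confirm the kernel carries the CVE-2022-23824 update"
    fi
}

if [ "${1:-}" = "run" ]; then
    report
fi
```

Invoke the script with the argument `run` to inspect the local machine; the helper functions take the status string as an argument so they can be exercised on any host.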
In March of this year, the same ETH Zürich researchers presented new attack techniques based on the RowHammer method — ZenHammer and SpyHammer. The latter exploits the temperature dependence of DRAM to infer system activity. This technique allows attackers to monitor changes in room temperature and potentially gather information about the victim's daily routine.
Experts call for the development of more reliable protection against RowHammer and similar attacks, because as technology develops, such attacks become even more dangerous.