Native BHI: Accessing Linux kernel data on Intel computers

Father

How virtualization helps you steal passwords.

Scientists from the University of Amsterdam have discovered a new attack technique called Native BHI, which allows an attacker to access data in Linux kernel memory on computers with Intel processors. The method is particularly dangerous under virtualization, since an attacker can reach the memory of the host or of other virtual machines from inside their own virtual environment.

Native BHI (CVE-2024-2201) is an improvement on the earlier BHI (Branch History Injection) vulnerability CVE-2022-0001, discovered in 2022. Unlike the original approach, which required the user to run special eBPF code in the kernel for a successful attack, the new method needs no such privileges and can be carried out by any user.

The technique is based on special instruction sequences (gadgets) in the kernel code that trigger speculative execution. The researchers created the InSpectre Gadget toolkit, which found a significant number of such gadgets in the 6.6-rc4 kernel; this allowed them to build an exploit that extracts confidential information (password hashes from the /etc/shadow file) at a speed of about 3.5 Kb/s.

BHI is a type of Spectre-v2 attack designed to bypass the protection mechanisms of processors and operating systems. The basic idea is to manipulate the processor's history of executed branches so that it speculatively executes the wrong code path, and then to recover data through the cache. This is achieved by injecting entries into the global branch history buffer, whereas the earlier Spectre attack used the branch prediction buffer.

Existing protection mechanisms, such as Intel's Indirect Branch Tracking (IBT) instructions and the FineIBT software/hardware hybrid, do not stop the new attack. In response, additional security measures have been implemented in the Linux kernel, including Intel's hardware protection (BHI_DIS_S) and software mitigations for the KVM hypervisor. Linux kernel updates (6.8.5, 6.6.26, 6.1.85 and 5.15.154) and a Xen hypervisor update have also been released with the new security measures.

To protect against the vulnerability, the latest Intel processors offer built-in hardware protection, while for older processor models software methods are proposed that prevent the flaw from being exploited. The effectiveness of the software mitigations and their performance impact are not yet known.
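As an added example (not part of the article or of any kernel project code), the following POSIX shell script checks whether a kernel version is at or above the fix releases listed above for its stable series and prints the kernel's own Spectre v2 status from sysfs. It assumes upstream stable version numbers (distribution kernels backport fixes without changing the version, so for them only the sysfs line is meaningful) and that newer kernels append a "BHI: ..." field to the spectre_v2 sysfs entry.

```shell
#!/bin/sh
# Native BHI fix releases as named in the article. Other stable series are
# reported as "unknown" rather than guessed.
BHI_FIXED_VERSIONS="6.8.5 6.6.26 6.1.85 5.15.154"

# Split "MAJOR.MINOR[.PATCH][-suffix]" into three numeric fields.
split_kver() {
    echo "$1" | sed 's/[-+].*//' |
        awk -F. '{ printf "%d %d %d\n", $1, $2, ($3 == "" ? 0 : $3) }'
}

# Usage: bhi_kernel_patched VERSION
# Prints "patched", "vulnerable" or "unknown" (exit status 0, 1 or 2).
# Only the stable series that received a fix release are compared.
bhi_kernel_patched() {
    set -- $(split_kver "$1")
    maj=$1; min=$2; pat=$3
    for fix in $BHI_FIXED_VERSIONS; do
        set -- $(split_kver "$fix")
        if [ "$maj" -eq "$1" ] && [ "$min" -eq "$2" ]; then
            if [ "$pat" -ge "$3" ]; then
                echo patched; return 0
            fi
            echo vulnerable; return 1
        fi
    done
    echo unknown; return 2
}

# Print the kernel's own Spectre v2 report. Assumption: recent kernels add a
# "BHI: ..." field to this file; on older kernels the field is simply absent.
bhi_sysfs_status() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r "$f" ]; then cat "$f"; else echo "spectre_v2 sysfs entry not present"; fi
}

# Stand-alone use: report on the running kernel.
echo "kernel $(uname -r): $(bhi_kernel_patched "$(uname -r)")"
echo "sysfs: $(bhi_sysfs_status)"
```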