Brother
A group of researchers from the Free University of Amsterdam (VU Amsterdam) presented a new attack technique, SLAM (Spectre Linear Address Masking), which offers a new way to exploit Spectre-class microarchitectural vulnerabilities: data leaks during the translation of non-canonical addresses, and the linear-address-masking extensions of new processors are used to bypass canonicity checks. The researchers published a toolkit implementing the method and a demonstration of extracting data matching a given mask from kernel memory (it shows the string containing the root password hash being recovered from kernel memory in a few tens of seconds on Ubuntu).
The attack can be carried out on systems with Intel processors that support the LAM (Linear Address Masking) extension, AMD processors with the UAI (Upper Address Ignore) extension, and ARM processors with the TBI (Top Byte Ignore) extension. These extensions allow some bits of 64-bit pointers to be used to store non-addressable metadata (ordinary programs do not need as much memory as 64-bit pointers can address, so the upper bits can be used, for example, for security-related checks). Notably, Intel, AMD and ARM processors with LAM, UAI and TBI support have only been announced and are not yet in mass production, making SLAM the first speculative attack on future CPUs. The attack can also be carried out on older AMD Zen+ and Zen 2 CPUs affected by CVE-2020-12965.
As with exploiting Spectre vulnerabilities, a SLAM attack requires the kernel to contain certain instruction sequences (gadgets) that lead to speculative execution. Such instructions speculatively read data from memory depending on external conditions the attacker can influence. Once the misprediction is detected, the result of the speculative execution is discarded, but the data that was touched remains in the cache and can then be extracted by side-channel analysis. To extract the data left in the cache, the researchers use the Evict+Reload method, which relies on creating conditions that push data out of the cache (for example, activity that evenly fills the cache with known content) and then performing operations whose execution time reveals whether the data is present in the processor cache.
A SLAM attack uses gadgets in which attacker-controlled data (the "secret" variable below) is used as a pointer. For example:
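As an added illustration (not part of the original post or the researchers' toolkit), the following C program models the x86-64 canonicity check with and without Intel's LAM48 mode and shows why a pointer carrying arbitrary data in bits 62:48 faults on a classic CPU but translates normally once masking is enabled. The LAM48 rule (bits 62:48 ignored, bit 63 must match bit 47) is taken from Intel's documentation; the addresses are constructed sample values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Classic x86-64 with 48-bit linear addresses: bits 63:47 (17 bits) must be
   all zero (user half) or all one (kernel half); anything else is
   non-canonical and the access faults. */
bool is_canonical_classic(uint64_t va) {
    uint64_t hi = va >> 47;
    return hi == 0 || hi == 0x1FFFFULL;
}

/* LAM48 (Intel LAM with 48-bit addresses, per Intel's documentation): bits
   62:48 are ignored metadata; the check shrinks to "bit 63 equals bit 47". */
bool is_canonical_lam48(uint64_t va) {
    uint64_t b63 = va >> 63, b47 = (va >> 47) & 1;
    return b63 == b47;
}

/* The linear address the MMU actually translates under LAM48: bits 47:0 are
   kept and sign-extended from bit 47, so the metadata bits disappear. */
uint64_t lam48_effective(uint64_t va) {
    uint64_t low = va & 0x0000FFFFFFFFFFFFULL;
    if (low >> 47)                      /* kernel half: replicate bit 47 upward */
        low |= 0xFFFF000000000000ULL;
    return low;
}

/* Two distinct 64-bit values reach the same memory under LAM48 if both pass
   the relaxed check and collapse to the same effective address. */
bool lam48_aliases(uint64_t a, uint64_t b) {
    return is_canonical_lam48(a) && is_canonical_lam48(b) &&
           lam48_effective(a) == lam48_effective(b);
}

int main(void) {
    /* Constructed values: a valid user pointer, and the same pointer with
       arbitrary (e.g. secret-derived) data sitting in metadata bits 62:48. */
    uint64_t clean = 0x00007ffffffff000ULL;
    uint64_t tagged = 0x12347ffffffff000ULL;
    printf("classic check: clean=%d tagged=%d\n",
           is_canonical_classic(clean), is_canonical_classic(tagged));  /* 1 0 */
    printf("LAM48 check:   clean=%d tagged=%d\n",
           is_canonical_lam48(clean), is_canonical_lam48(tagged));      /* 1 1 */
    printf("tagged translates to %#llx, aliases clean: %d\n",
           (unsigned long long)lam48_effective(tagged), lam48_aliases(clean, tagged));
    return 0;
}
```

The tagged pointer is rejected by the classic check but accepted and translated under LAM48, which is the relaxation the attack relies on.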
Code:
/* Gadget pattern studied by the researchers: "secret" is attacker-influenced.
   The first dereference loads a pointer value, the second uses that value as
   an address; under speculation this leaves a cache trace that depends on
   the loaded data. */
void unmasked_gadget(long **secret) {
    **secret;
}
It is noted that such code patterns are common in programs: tens of thousands of such gadgets were identified in the Linux kernel, of which at least several hundred are suitable for use in exploits. The leak can be blocked by adding instructions to such gadgets that stop speculative execution. Intel intends to provide a software method for blocking the leak before processors with LAM support ship. AMD recommended using the existing mitigations for Spectre v2 attacks. The Linux kernel developers decided to disable LAM support by default to protect against the attack until Intel's recommendations on blocking the vulnerability are published.