As a result of these findings, researchers have discovered yet another vulnerability in AMD and Intel microprocessors that could allow for Spectre-based attacks.
Researchers at the Swiss Federal Institute of Technology (ETH) Zurich have dubbed the flaws Retbleed and CVE-2022-29900 (for AMD) and CVE-2022-29901 (for Intel), and both companies have released patches as part of a coordinated disclosure process.
Spectre-BTI (CVE-2017-5715 or Spectre-V2) attacks exploit the side effects of an optimization technique called speculative execution by means of a timing side channel to trick a program into accessing arbitrary memory locations and leak private information. Retbleed is the latest addition to this class of attacks.
In order to increase a program's performance, speculative execution predicts which instruction will be executed next in order to fill the instruction pipeline, while also reversing the results of the execution should the guess prove to be incorrect.
In order to trick the processor into executing incorrect code paths and infer secret data about the victim, attacks like Spectre take advantage of the fact that these incorrectly executed instructions — a result of the prediction error — are bound to leave execution traces in the cache.
To put it simply, Spectre is an example of a transient execution attack that uses a hardware flaw to "influence" which instruction sequences are speculatively executed and leak encryption keys or passwords from the victim's memory.
Microarchitectural side channels like Flush+Reload measure the time it takes to perform memory reads from the shared cache, but only after flushing some of the shared memory, resulting in either fast or slow reads depending on whether the victim accessed the monitored cache line since it had been evicted from the cache.
Branch target injection (BTI) countermeasures like Retpoline (aka "return trampoline") have been devised to prevent this, but Retbleed is designed to get around this countermeasure and achieve speculative code execution.
Indirect jumps (branches where the branch target is determined at runtime) and calls are replaced by returns in retepolines, according to the researchers.
"It is the goal of Retbleed to gain arbitrary speculative code execution in the kernel context by hijacking a return instruction. Any kernel data can be leaked if the attacker has enough control over registers and/or memory at the return instruction of the victim."
Return instructions are to be treated as an attack vector for speculation execution, and the returns are to be predicted like indirect branches, effectively destroying the protections provided by Retpoline.
AMD has introduced Jmp2Ret, while Intel recommends using eIBRS even if Retpoline mitigations are in place.
According to Intel's advisory, "Windows operating system uses IBRS, so no update is required." Intel worked with the Linux community to provide software updates for this shortcoming.
Post a Comment
Your suggestions and comments are welcome