Home>Blog>The Hacker News Headlines>Intel, ARM, IBM, AMD Processors Vulnerable to New Side-Channel Attacks
The Hacker News Headlines

Intel, ARM, IBM, AMD Processors Vulnerable to New Side-Channel Attacks

Side-Channel AttacksSide-Channel Attacks

It turns out that the root cause behind several previously
disclosed speculative execution attacks against modern processors,
such as Meltdown[1] and Foreshadow[2], was misattributed to
‘prefetching effect,’ resulting in hardware vendors releasing
incomplete mitigations and countermeasures.

Sharing its findings with The Hacker News, a group of academics
from the Graz University of Technology and CISPA Helmholtz Center
for Information Security finally revealed the exact reason behind
why the kernel addresses are cached in the first place, as well as
presented several new attacks that exploit the previously
unidentified underlying issue, allowing attackers to sniff out
sensitive data.

The new research explains microarchitectural
attacks were actually caused by speculative dereferencing of
user-space registers in the kernel, which not just impacts the most
recent Intel CPUs with the latest hardware mitigations, but also
several modern processors from ARM, IBM, and AMD — previously
believed to be unaffected.
[3]

cybersecurity

“We discovered that effects reported in several academic papers
over the past 4 years were not correctly understood, leading to
incorrect assumptions on countermeasures,” the researchers told The
Hacker News.

“This prefetching effect[4]
is actually unrelated to software prefetch instructions or hardware
prefetching effects due to memory accesses and instead is caused by
speculative dereferencing of user-space registers in the
kernel.”

Besides analyzing the actual root cause of the prefetching
effect, some other key findings from the research are:

  • Discovery of several new attacks exploiting the underlying root
    cause, including an address-translation attack in more restricted
    contexts, direct leakage of register values in specific scenarios,
    and an end-to-end Foreshadow exploit targeting non-L1 data.
  • A novel cross-core covert channel attack that, in some
    instances, could let attackers observe caching of the address (or
    value) stored in a register without relying on shared memory.
  • Spectre ‘prefetch’ gadgets can directly leak actual data, which
    not only makes ZombieLoad
    attack    [5] efficient on Intel CPUs
    to leak sensitive data from internal buffers or memory but also
    impact non-Intel CPUs.
  • The speculative dereferencing issue — in certain attacks like
    Rowhammer[6], cache attacks, and
    DRAMA — could let attackers recover the physical addresses of
    JavaScript variables and exfiltrate information via transient
    execution    [7] remotely via a web
    browser.

Additionally, researchers also demonstrated that the Foreshadow
vulnerability on Intel CPUs could be exploited even when the
recommended mitigations are enabled. This is made possible due to
the fact the attack can be mounted on data not residing in L1 cache
on kernel versions containing ‘prefetch’ gadgets.

From Address Translation Attack to Foreshadow

The idea behind this is straight-forward. System software relies on
the CPU’s address translation mechanism to implement isolation
among different processes. Each process has its own virtual memory
space and cannot access arbitrary physical memory addresses outside
of it.
Address translation, thus, acts as an intermediate layer that maps
the virtual address space, which is used by a program, to the
physical address to a physical address.

The virtual address space also includes a kernel address space
to house Linux kernel threads, thus making it easy for the
underlying hardware to handle privileged instructions from user
threads in kernel mode.

While operating system kernels can be secured against prefetch
side-channel attacks via a technique called kernel page-table
isolation (KPTI[8] or KAISER[9]) — which enforces a
strict kernel and userspace isolation such that the hardware does
not hold any information about kernel addresses while running in
user mode — the researchers found that it does not guarantee full
protection from address-translation attacks, where an attacker
tries to check if two different virtual addresses map to the same
physical address.

Put differently, the “address-translation attack allows
unprivileged applications to fetch arbitrary kernel addresses into
the cache and thus resolve virtual to physical addresses on 64-bit
Linux systems.”

While the original line of thought was that such attacks were
related to prefetch instructions, the new finding proves otherwise,
thereby validating that KAISER isn’t an adequate countermeasure
against microarchitectural side-channel attacks on kernel
isolation.

Instead, it exploits a Spectre-BTB-SA-IP (Branch Target Buffer,
same address, in-place) gadget to cause information leakage,
causing speculative execution, and further carry out Meltdown and
Foreshadow (L1 Terminal Fault) attacks by bypassing current L1TF
mitigations.

Spectre-BTB-SA-IP[10] is a variant of Spectre
vulnerability[11] that exploits the
Branch Target Buffer — a cache-like component in CPUs that’s used
for branch prediction — to perform attacks within the same address
space and the same branch location.

“The same prefetching effect can be used to perform Foreshadow,”
the researchers said. “If a secret is present in the L3 cache and
the direct-physical map address is derefenced in the hypervisor
kernel, data can be fetched into the L1. This reenables Foreshadow
even with Foreshadow mitigations enabled if the unrelated
Spectre-BTB mitigations are disabled.”

“The consequence is that we are able to mount a Foreshadow
attack on older kernels patched against Foreshadow with all
mitigations enabled and on a fully patched kernel if only
Spectre-v2 mitigations are disabled.”

Enable Spectre-BTB mitigations such as Retpoline

To highlight the impact of the side-channel attacks, the
researchers established a cache-based covert channel that
exfiltrated data from a process running on an Intel Core i7-6500U
CPU to another stealthy process, achieving a transmission rate of
10 bit/s to relay a total of 128 bytes from the sender to the
receiver process.
Furthermore, the researchers disclosed that it’s possible to leak
register contents from an SGX enclave of Intel CPUs using a
register that’s speculatively dereferenced (called “Dereference
Trap”), using it to recover a 32-bit value stored in a 64-bit
register within 15 minutes.

Lastly, ‘certain attacks’ can now be mounted remotely using
JavaScript in a web browser, and “fill 64-bit registers with an
attacker-controlled value in JavaScript by using WebAssembly.”

To mitigate these attacks, it’s recommended that current CPUs
enable Spectre-BTB mitigations, including retpoline (short
for “return trampoline”), which aims to prevent
branch-target-injection by isolating indirect
branches from speculative execution.
[12][13][14]

References

  1. ^
    Meltdown
    (thehackernews.com)
  2. ^
    Foreshadow
    (thehackernews.com)
  3. ^
    new research explains
    (arxiv.org)
  4. ^
    prefetching effect
    (gruss.cc)
  5. ^
    ZombieLoad attack
    (thehackernews.com)
  6. ^
    Rowhammer
    (thehackernews.com)
  7. ^
    transient execution
    (gruss.cc)
  8. ^
    KPTI
    (en.wikipedia.org)
  9. ^
    KAISER
    (gruss.cc)
  10. ^
    Spectre-BTB-SA-IP
    (thehackernews.com)
  11. ^
    Spectre vulnerability
    (arxiv.org)
  12. ^
    retpoline
    (support.google.com)
  13. ^
    prevent branch-target-injection
    (software.intel.com)
  14. ^
    indirect branches
    (en.wikipedia.org)

Read more

Leave a Reply

Powered By Anakyst UK Work done easy Discover Great Places People Websites in Nigeria. Be Discovered and Discover Great Places People Products & Websites in Nigeria. Tell us what you need to advertise online onradio ontv and where you want to advertise and discover talented publishers and advertisers within minutes for just a fraction of the cost!JobScout | Developed By Rara Theme. Powered by WordPress.