Researchers at ETH Zurich have identified a new attack on the speculative execution mechanism of processors that allows data to be read from kernel memory. Using the discovered method, dubbed Retbleed, it is possible to steal passwords and other sensitive data. The researchers demonstrated the effectiveness of Retbleed against modern Intel and AMD chips, including Kaby Lake, Coffee Lake, Zen 1, Zen 1+ and Zen 2.
Retbleed (CVE-2022-29900 and CVE-2022-29901) differs from Spectre-v2 in how speculative execution of arbitrary code is triggered: it targets the “ret” (return) instruction, which takes its jump address from the stack, rather than an indirect “jmp” that loads its address from memory or a processor register. An attacker can create conditions for incorrect branch prediction and steer a speculative jump to a code block that the program's execution logic never intended to run.
As a result, the processor will determine that the branch prediction was wrong and roll back the operation to its original state, but the data touched during speculative execution remains in the cache and microarchitectural buffers. If the erroneously executed block accesses memory, its speculative execution causes the data read from memory to be loaded into the cache. To recover that data from the cache, an attacker can use side-channel methods for detecting residual data, for example by analyzing the difference in access time between cached and uncached data.
To protect against Spectre-class attacks that use conditional and indirect jump instructions, many operating systems use the “retpoline” technique, which replaces indirect jumps with a “ret” instruction; for returns, processors use a separate return-address prediction unit (the return stack buffer) that does not rely on the general branch predictor. The authors of Retbleed demonstrated that microarchitectural conditions can be created under which a “ret” instruction does trigger a speculative jump, and published a tool to find the instruction sequences in the Linux kernel where such conditions arise and the vulnerability can be exploited.
As part of the work, the researchers prepared an exploit that, on systems with Intel processors, lets an unprivileged user-space process extract arbitrary data from kernel memory at 219 bytes/s with 98% accuracy. On AMD processors the leak rate can reach 3.9 KB/s. This may seem slow, but it is quite enough for stealing confidential data. As an example, the researchers showed how the exploit can be used to recover the contents of the /etc/shadow file. On systems with Intel processors, recovering the root password hash took 28 minutes; on systems with AMD processors, it took 6 minutes.
According to the reports, the Retbleed attack scheme works on systems with sixth- to eighth-generation Intel processors released before the third quarter of 2019, as well as on AMD processors based on the Zen 1, Zen 1+ and Zen 2 architectures released before the second quarter of 2021. In newer processors, such an attack is blocked by existing protection mechanisms.
Intel and AMD have published official guidance to help mitigate the risks associated with exploitation of these vulnerabilities. It is noted that protection against Retbleed-style attacks will require 12 to 28% of additional computational overhead. In other words, the “patches” for the discovered vulnerabilities can significantly reduce the performance of affected processors.
Intel has confirmed that the vulnerability applies to processors based on the Skylake architecture and its derivatives that lack eIBRS protection. The report says the company is preparing detailed recommendations to minimize the risks. It is noted that Windows systems are not affected, since they use IBRS by default, which regulates speculative execution of instructions by the processor. Intel is not aware of any exploitation of this vulnerability. AMD has also published related recommendations to protect systems from Retbleed attacks.
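Since the practical question for an administrator is whether a given Linux host already carries one of the mitigations described above, here is an added example (not code from the article or from the Retbleed researchers) that reads the kernel's own per-issue status files under /sys/devices/system/cpu/vulnerabilities/ (present on kernels that ship the Retbleed mitigation, 5.19 and distribution backports) and classifies each one-line status. The sample entries in the block are constructed for offline use, not captured from a real machine.

```python
"""Added example (not from the article): check the Linux kernel's own report
of Retbleed / Spectre mitigation status.

On a Linux kernel that carries the Retbleed mitigation, the kernel exposes one
file per known speculative-execution issue under
/sys/devices/system/cpu/vulnerabilities/, each holding a single status line
such as "Not affected", "Mitigation: ..." or "Vulnerable...".  This module
classifies those lines and flags entries that need attention.  SAMPLE_ENTRIES
below is constructed for offline use and is not captured from a real host.
"""
from __future__ import annotations

from enum import Enum
from pathlib import Path

SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


class Status(Enum):
    NOT_AFFECTED = "not affected"
    MITIGATED = "mitigated"
    VULNERABLE = "vulnerable"
    UNKNOWN = "unknown"


def classify(line: str) -> Status:
    """Map one sysfs status line to a coarse Status.

    The kernel's strings start with a fixed prefix; everything after it is
    detail (which mitigation is active, or why it is incomplete), so matching
    on the prefix is enough for a go/no-go decision.
    """
    text = line.strip().lower()
    if text.startswith("not affected"):
        return Status.NOT_AFFECTED
    if text.startswith("mitigation:"):
        return Status.MITIGATED
    if text.startswith("vulnerable"):
        return Status.VULNERABLE
    return Status.UNKNOWN


def read_sysfs(vuln_dir: Path = SYSFS_VULN_DIR) -> dict[str, str]:
    """Read every status file under vuln_dir; empty dict if not on Linux."""
    if not vuln_dir.is_dir():
        return {}
    return {
        path.name: path.read_text().strip()
        for path in sorted(vuln_dir.iterdir())
        if path.is_file()
    }


def summarize(entries: dict[str, str]) -> dict[str, object]:
    """Classify each entry and list the ones an operator should look at.

    Both "Vulnerable" and unrecognised strings are flagged: an unknown
    format is a reason to read the file by hand, not to assume it is fine.
    """
    statuses = {name: classify(line) for name, line in entries.items()}
    needs_attention = sorted(
        name for name, status in statuses.items()
        if status in (Status.VULNERABLE, Status.UNKNOWN)
    )
    return {"statuses": statuses, "needs_attention": needs_attention}


# Constructed sample (not a real capture): a mostly mitigated host with one
# deliberately unmitigated entry so the report has something to flag.
SAMPLE_ENTRIES = {
    "retbleed": "Mitigation: untrained return thunk",
    "spectre_v2": "Mitigation: Retpolines",
    "meltdown": "Not affected",
    "l1tf": "Vulnerable",
}


if __name__ == "__main__":
    live = read_sysfs()
    source, entries = ("sysfs", live) if live else ("constructed sample", SAMPLE_ENTRIES)
    result = summarize(entries)
    print(f"Source: {source}")
    for name, status in result["statuses"].items():
        print(f"  {name:<24} {status.value:<13} {entries[name]}")
    print("Needs attention:", ", ".join(result["needs_attention"]) or "none")
```

Run on a live Linux host it prints the real sysfs values; anywhere else it falls back to the constructed sample. A "Mitigation:" result for retbleed is what to look for after applying the vendor and distribution updates the article refers to; the remainder of the line names which mitigation (return thunk, IBPB, IBRS or eIBRS) the kernel selected, which is also where the 12 to 28% overhead figure comes into play.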