Latest Study Uncovers Continued Existence of Spectre Flaw in Newest AMD and Intel CPUs
Over half a decade after the Revealing of Spectre vulnerability affecting current CPU processors, a new report indicates that the most recent AMD and Intel CPUs are still at risk of speculative execution threats.
The exploit, made public by researchers at ETH Zurich, Johannes Wikner and Kaveh Razavi, is designed to weaken the Indirect Branch Predictor Barrier (IBPB) on x86 chips, which serves as a critical defense against speculative execution attacks.
Speculative execution involves a functionality enhancement feature where modern CPUs execute particular instructions out of sequence by predicting the program’s future path, thereby accelerating the process if the prediction is correct.
If a misprediction occurs, the instructions, referred to as transient, are invalidated and eliminated before the CPU can continue with the correct information.
Even though the speculative execution outcomes are not permanently saved in the system’s program state, there remains a risk of loading sensitive data into processor caches via a coerced misprediction, thereby exposing it to malicious actors who would otherwise be barred from accessing it.
Intel defines the IBPB as an “oblique branch control mechanism that creates a barricade against software that ran prior to the barrier from influencing the forecasted objectives of indirect branches run after the barrier on the same logical processor.”
It’s meant to counter Branch Target Injection (BTI), also known as Spectre v2 (CVE-2017-5715), a cross-domain transient execution attack that exploits indirect branch predictors to trigger a disclosure gadget to be speculated and executed.
A disclosure gadget allows attackers to access the victim’s confidential information that is typically not visible and exfiltrate it using a covert channel.
The fresh revelations from ETH Zurich suggest that an Intel microcode issue in microarchitectures like Golden Cove and Raptor Cove could be leveraged to bypass the IBPB. This exploit has been characterized as the initial practical “complete cross-process Spectre leak.”
The flaw in microcode “maintains branch predictions to allow their use post-IBPB deactivation,” as per the researchers. “This post-barrier speculation empowers attackers to surpass security boundaries imposed by process contexts and virtual machines.”
The study also found that AMD’s equivalent of IBPB could be evaded due to the way IBPB is implemented by the Linux kernel, leading to an attack – named Post-Barrier Inception (PB-Inception) – that allows an unauthorized entity to expose privileged memory on AMD Zen 1(+) and Zen 2 processors.
Intel has issued a microcode update to mitigate the issue (CVE-2023-38575, CVSS score: 5.5). Meanwhile, AMD is tracking the vulnerability under CVE-2022-23824, according to an advisory released in November 2022.
“Intel users should ensure their intel-microcode is current,” noted the researchers. “AMD users should install kernel updates to stay safe.”
This revelation follows an earlier disclosure by ETH Zurich researchers about novel RowHammer attack tactics codenamed ZenHammer and SpyHammer, with the latter utilizing RowHammer to accurately determine DRAM temperature.
“RowHammer is extremely sensitive to temperature fluctuations, even minor ones (e.g., ±1 °C),” the report highlighted. “There’s a consistent increase (or decrease) in RowHammer-induced bit errors as the temperature rises, and specific vulnerable DRAM cells exhibit bit errors only at specific temperatures.”
By exploiting the link between RowHammer and temperature, attackers could determine the system’s activity and assess the surrounding temperature. This technique could violate privacy by using temperature readings to deduce a person’s routines at home and the times they enter or exit a room.
“SpyHammer stands as a straightforward and potent attack for monitoring the temperature of crucial systems sans prior knowledge about the victim’s system,” the researchers pointed out.
“Until a definitive and entirely secure defense mechanism against RowHammer is put in place – which poses a considerable challenge due to the worsening nature of RowHammer vulnerability with technological advances – SpyHammer could continue to pose a security and privacy risk for systems.”
About Author
