The hardware countermeasures that have been put in place on Intel and ARM processors in the past few years to remove a major flaw called Specter are not as strong as thought. Scientists have developed a new attack method that can overcome defense mechanisms, but its use is not as easy as the original wormhole.

The new attack, discovered by researchers from Systems and Network Security Group at VU Amsterdam (VUSec), is called Specter-BHI (Branch History Injection) or Specter-BHB (Branch History Store) because Intel and ARM have given it different names. According to the research team, this is an extension of the 2017 Specter v2 attack, also known as Specter-BTI (Branch Target Injection), and like Specter v2, it can leak sensitive information from the privileged kernel memory space.

Check also:

A proof-of-concept exploit by VUSec researchers is to leak root password hashes from /etc/shadow using a non-privileged account. The /etc/shadow file is a system file on Linux that can only be accessed by the administrative root account. Essentially, the exploit forces the kernel to load a file into memory where it would normally be protected from access by unprivileged processes, but then uses a Specter-BHI attack to access and leak its contents. This is a serious breach of the basic security boundary in modern operating systems that separates user-mode applications and memory space from the privileged kernel memory space.

What is Specter?

Specter is a class of vulnerabilities, originally revealed in January 2017, that arise from a modern CPU performance feature called speculative execution, in which the CPU attempts to predict in advance the path a program will take when it accesses a conditional branch and executes instructions along this Track early. If the predictions, based on internal algorithms, turn out to be wrong, the results stored in the processor cache will be discarded. Speculative execution attacks like Specter and many others that have followed use this mechanism to leak information from temporary caches that act as side channels.

“At the time Specter was discovered, Branch Target Injection (BTI or Specter-v2), the most dangerous type of Specter, was easy to use at all permission levels,” the VUSec researchers explain. “For example, a non-privileged userland attacker could pass any child target to an intermediate userland branch predictor and force the kernel to speculatively jump to the injected code target and execute whatever code is there.”

To reduce the risk, software vendors such as Google and Linux kernel makers have developed software solutions such as retpoline. Although it was effective, it caused a significant decrease in performance, so later processor manufacturers developed hardware security. Intel’s solution is called EIBRS and ARM is CSV2.

“These solutions are complex – the original research article is available at this link – but their core is that the predictor ‘somehow’ keeps track of the permission level (user/kernel) at which the target is executed,” explain the VUSec researchers. “And as you would expect, if the target belongs to a lower privilege level, the kernel will not use it (ie there will be no more random attacker-provided code locations that can be seized speculatively for the kernel’s control flow).”

The problem, however, is that the CPU predictor relies on global history to select target entries for speculative execution, and as the VUSec researchers have demonstrated, this global history can be corrupted. In other words, while the original Specter v2 allowed attackers to physically inject the target code’s location and then stealthily execute that code by the kernel, the new Specter-BHI/BHB attack could force the kernel to mis-predict and execute something interesting. Gadgets or code snippets that already exist. It is in the history and was made in the past, but it may lead to data leakage.

“Has Intel eIBRS and Arm CSV2 corrupted? As if. This means that security measures are working as intended, but the remaining attack surface is more important than manufacturers originally assumed. […] However, finding tools that can be used is becoming more and more important.” More difficult than before because an attacker cannot inject target targets directly across permission limits.”

Mitigating the new Specter-BHI bug

Intel identified the new Specter-BHI as CVE-2022-0001 for the multi-privileged variant and CVE-2022-0002 for the multi-privileged variant. ARM describes it as CVE- 2022-23960 for both variants.

According to Intel, most of the company’s processors are affected, with the exception of those in the Atom family. For ARM, the weak CPUs are Cortex-A15, Cortex-A57, Cortex-A72, Cortex-A73, Cortex-A75, Cortex-A76, Cortex-A76AE, Cortex-A77, Cortex-A78, Cortex-A78AE, Cortex – A78C Cortex-X1, Cortex-X2, Cortex-A710, Neoverse N1, Neoverse N2, Neoverse V1.

Both companies have made recommendations and are offering software countermeasures at this time. ARM has five different mitigation solutions depending on the system.

In their Linux exploit, the VUSec researchers used eBPF, a technology available since version 4.4 of the kernel that allows programs to be sandboxed in the operating system’s kernel. While eBPF is not part of the underlying problem and other code tools that can leak data can be found, the presence of a non-privileged eBPF “greatly facilitates speculative (and other) attacks,” the researchers said. For this reason, they recommend disabling it, and some Linux distributions have started to disable it by default.

Source: CSO

Watch also