GhostRace: a speculative execution attack affecting Intel, AMD, ARM and IBM processors


GhostRace Vulnerability

Information has been published about a new speculative execution attack, dubbed GhostRace (tracked as CVE-2024-2193). It is a new method developed by researchers at the Vrije Universiteit Amsterdam and IBM to exploit the speculative execution mechanism present in modern processors from Intel, AMD, ARM and IBM.

The researchers explain that GhostRace manipulates speculative race conditions to access previously freed memory, which can lead to the extraction of sensitive data from the Linux kernel, especially in virtualization environments where an attacker in a guest system can compromise the security of the host or of other guests.

The attack relies on the speculative execution of the conditional instructions that implement thread synchronization primitives such as mutexes and spinlocks.

If the processor mispredicts the branches in the code that handles these operations, speculative accesses can be made to memory that has already been freed. Although the processor discards these accesses once it detects the misprediction, traces of the execution remain in the cache and can be recovered with side-channel analysis techniques.

GhostRace requires the presence of certain instruction sequences in the kernel, known as gadgets, that are executed speculatively depending on external conditions controlled by the attacker. These gadgets are formed from sections of code where a state is checked in an endless loop, and the loop is exited once the access lock on the resource is released. This allows the transition to be triggered falsely, so that instructions protected by the lock are executed speculatively even though the resource remains locked.

During the vulnerability analysis, carried out on Linux kernel 5.15.83, 1283 gadgets were found that could lead to speculative access to already freed memory. This type of attack poses a potential risk to virtualization systems, to any operating-system kernel, and to programs that use thread synchronization primitives checked by conditional statements and run on platforms that allow speculative execution of branches, such as x86, ARM and RISC-V, among others.

To test the vulnerability, the researchers developed a prototype exploit that demonstrates the effectiveness of the attack, allowing data to be extracted from Linux kernel memory at a throughput of 12 KB per second with a reliability similar to that of Spectre-class attacks.

The Linux kernel developers and the CPU manufacturers were informed about this problem at the end of 2023. AMD has already published a report on the vulnerability and recommends using the standard techniques for protecting against Spectre v1-style attacks. Intel and ARM, on the other hand, have not yet responded to the notification.

Although the Linux kernel developers have no immediate plans to implement serialization of synchronization primitives, because of the performance loss, they have already incorporated restrictions to protect against the IPI Storming exploitation technique (CVE-2024-26602). That technique involves interrupting a process at the right moment to open a time window for speculative access to freed memory.

To mitigate this type of attack, the researchers propose serializing the synchronization primitives by placing an LFENCE instruction after the cmpxchg instruction that checks the lock state. However, this protection carries a performance penalty of approximately 5% in the LMBench benchmark, because LFENCE prevents speculative execution of subsequent instructions until all previous operations have been committed.
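The serialized lock just described, as an added user-space illustration in C that is neither the kernel patch nor the researchers' code: a spinlock whose acquire path places LFENCE after the compare-and-swap, guarding a resource whose heap buffer can be freed under the lock. The lock, resource and function names are assumptions for the example, and the non-x86 fallback is a placeholder only.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdlib.h>
/* Speculation barrier after the lock-acquire cmpxchg: LFENCE on x86 (the
 * mitigation described above); elsewhere a compiler-only placeholder. */
#if defined(__x86_64__) || defined(__i386__)
#define SPEC_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#else
#define SPEC_BARRIER() __asm__ __volatile__("" ::: "memory")
#endif
typedef struct { atomic_int locked; } spinlock_t;
/* Hardened acquire: the spin loop branches on the cmpxchg result, which is the
 * branch a predictor can mis-speculate; the barrier stops later loads from
 * issuing until the lock state is architecturally resolved. */
static void spin_lock(spinlock_t *l) {
    int expected;
    do {
        expected = 0;
    } while (!atomic_compare_exchange_weak_explicit(&l->locked, &expected, 1,
                 memory_order_acquire, memory_order_relaxed));
    SPEC_BARRIER();
}

static void spin_unlock(spinlock_t *l) {
    atomic_store_explicit(&l->locked, 0, memory_order_release);
}
/* Lock-protected resource whose heap buffer may be freed under the lock. */
typedef struct { spinlock_t lock; int *buf; size_t len; } resource_t;
void resource_init(resource_t *r, size_t n, int fill) {
    atomic_store(&r->lock.locked, 0);
    r->buf = malloc(n * sizeof(int));
    r->len = r->buf ? n : 0;
    for (size_t i = 0; i < r->len; i++) r->buf[i] = fill;
}

/* Returns the first element, or -1 once the buffer has been released. */
int resource_read_first(resource_t *r) {
    int v = -1;
    spin_lock(&r->lock);
    if (r->buf != NULL && r->len > 0) v = r->buf[0];
    spin_unlock(&r->lock);
    return v;
}

void resource_release(resource_t *r) {
    spin_lock(&r->lock);
    free(r->buf);
    r->buf = NULL; r->len = 0;
    spin_unlock(&r->lock);
}
```

Functional correctness of the lock can be tested this way; whether the barrier actually closes the speculative window on a given CPU can only be confirmed with a microarchitectural side-channel measurement, which this example does not attempt.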

In the case of the Xen hypervisor, the developers have prepared changes that implement the LOCK_HARDEN protected locking mechanism, similar to the BRANCH_HARDEN method already in use. However, because of the potential negative performance impact and the lack of evidence of attacks on Xen, LOCK_HARDEN mode is disabled by default.

Finally, if you are interested in knowing more about it, you can check the details in the following link.

