Retbleed: A New Speculative Execution Attack Hitting Intel and AMD

The news recently broke that a group of researchers from ETH Zurich has identified a new attack on the CPU's speculative execution of indirect jumps, which allows extracting information from kernel memory or attacking the host system from a virtual machine.

The vulnerabilities have been codenamed Retbleed (already cataloged as CVE-2022-29900 and CVE-2022-29901) and are similar in nature to Spectre-v2 attacks.

The difference is that the speculative execution of arbitrary code is triggered through the "ret" (return) instruction, which takes the jump address from the stack, rather than through an indirect "jmp" that loads the address from memory or a CPU register.

Regarding the new attack, it is noted that an attacker can create the conditions for an incorrect branch prediction and thereby trigger a deliberate speculative jump to a block of code that the program's execution logic never intended.

Ultimately, the processor determines that the branch prediction was wrong and rolls the operation back to its original state, but the data processed during speculative execution remains in the cache and in microarchitectural buffers. If the wrongly executed block performs a memory access, its speculative execution causes the data read from memory to be loaded into the shared cache.

To determine which data remained in the cache after the speculative execution, the attacker can use side-channel techniques to detect the residual data, for example by analyzing the difference in access time between cached and uncached data.

For the targeted extraction of information from areas at a different privilege level (for example, kernel memory), so-called gadgets are used: code sequences present in the kernel that are suitable for speculatively reading data from memory depending on external conditions the attacker can influence.

To protect against classic Spectre-class attacks, which use indirect and conditional branch instructions, most operating systems use the "retpoline" technique, which replaces indirect branch operations with the "ret" instruction; returns are predicted by a separate return-stack prediction unit in the processor rather than by the indirect branch prediction block.
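To make the retpoline idea concrete, here is an added example (not code from the article or from the Retbleed researchers): a minimal x86-64 retpoline jump thunk in the spirit of the kernel's `__x86_indirect_thunk_*` helpers. The names `retpoline_call`, `dispatch`, `square` and `negate` are assumptions for this demo. Instead of an indirect `jmp`/`call` through a register, the target address is written over a freshly pushed return address and reached with `ret`; the return-stack predictor meanwhile sends speculation into the `pause; lfence; jmp` trap. On anything other than x86-64 ELF the file falls back to a plain indirect call so that it still builds.

```c
/*
 * Added example: an x86-64 retpoline jump thunk and a dispatcher that uses it.
 * Build on x86-64 Linux:  cc -O2 -o retpoline_demo retpoline_demo.c
 * retpoline_call(fn, arg) behaves like fn(arg) but never executes an
 * indirect jmp/call; it reaches fn through a "ret".
 */
#include <stdio.h>

typedef int (*int_fn)(int);

#if defined(__x86_64__) && defined(__ELF__)
/* SysV ABI: rdi = fn, esi = arg. Written in top-level asm so that stack
 * alignment and the return path are exactly those of a normal call. */
__asm__(
    ".text\n"
    ".globl retpoline_call\n"
    ".type retpoline_call, @function\n"
    "retpoline_call:\n"
    "    movq %rdi, %rax\n"       /* rax = branch target */
    "    movl %esi, %edi\n"       /* first argument for the target */
    "    call 1f\n"               /* pushes the address of 2: and jumps to 1: */
    "2:  pause\n"                 /* speculation trap: the return-stack      */
    "    lfence\n"                /* predictor expects the return to land    */
    "    jmp 2b\n"                /* here, where speculation spins harmlessly */
    "1:  movq %rax, (%rsp)\n"     /* overwrite pushed address with the real target */
    "    ret\n"                   /* architecturally jumps to fn; fn's own ret
                                     then returns to retpoline_call's caller */
    ".size retpoline_call, .-retpoline_call\n"
);
int retpoline_call(int_fn fn, int arg);
#else
/* Fallback for other architectures/ABIs: an ordinary indirect call. */
int retpoline_call(int_fn fn, int arg) { return fn(arg); }
#endif

static int square(int x) { return x * x; }
static int negate(int x) { return -x; }

/* A function-pointer table is the typical case where the compiler would
 * otherwise emit an indirect call; here every call goes through the thunk. */
int dispatch(int which, int x)
{
    static const int_fn table[] = { square, negate };
    if (which < 0 || which > 1)
        return 0;                 /* out-of-range selector: no call */
    return retpoline_call(table[which], x);
}

int main(void)
{
    printf("square(7) via retpoline = %d\n", dispatch(0, 7));
    printf("negate(7) via retpoline = %d\n", dispatch(1, 7));
    return 0;
}
```

The final `ret` in the thunk is the instruction the article is about: retpoline assumes that a return is predicted only from the return stack, so speculation can only reach the trap. Retbleed shows that on the affected CPUs that assumption does not hold, which is why the page lists IBRS or the kernel patches, rather than retpoline alone, as the remedy.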

When retpoline was introduced in 2018, Spectre-like address manipulation was believed to be impractical for speculative branching via the "ret" instruction.

The researchers who developed the Retbleed attack method demonstrated that microarchitectural conditions can be created to trigger a speculative transition via the "ret" instruction, and released a ready-made toolkit for identifying instruction sequences (gadgets) in the Linux kernel under which such conditions arise.

Over the course of the study, a working exploit was prepared which, on systems with Intel CPUs, allows an unprivileged user-space process to extract arbitrary data from kernel memory at a rate of 219 bytes per second with 98% accuracy.

On AMD processors the exploit is much more efficient, with a leak rate of 3.9 KB per second. As a practical example, the proposed exploit is used to recover the contents of the /etc/shadow file: on systems with Intel CPUs, recovering the root password hash took 28 minutes, and on systems with AMD CPUs, 6 minutes.

The attack was confirmed on 6th- to 8th-generation Intel processors released before Q1 2019 (including Skylake) and on AMD processors based on the Zen 1, Zen+ and Zen 2 microarchitectures released before 2021. On newer models such as AMD Zen 3 and Intel Alder Lake, as well as on ARM processors, the problem is blocked by existing protection mechanisms; for example, IBRS (Indirect Branch Restricted Speculation) protects against the attack.

A set of changes has been prepared for the Linux kernel and the Xen hypervisor that block the problem in software on older CPUs. The proposed Linux kernel patch touches 68 files, adding 1783 lines and removing 387.

Unfortunately, the protection carries a significant overhead: in tests on AMD and Intel processors, the performance degradation is estimated at between 14% and 39%. Protection based on IBRS, available in newer generations of Intel CPUs and supported since Linux kernel 4.19, is preferable.
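For an administrator, the practical question after reading the above is which of these mitigations the running kernel has actually applied. The following added example (not from the article) reads the Linux sysfs vulnerability files for Retbleed and Spectre v2 and classifies what the kernel reports. The path `/sys/devices/system/cpu/vulnerabilities/` and the `Not affected`, `Mitigation: ...` and `Vulnerable` prefixes are what the kernel prints; the `retbleed` file only exists on kernels that carry the Retbleed patches, so its absence is itself a finding. The function names and the sample status lines in `main()` are constructed for this demo.

```c
/*
 * Added example: classify the kernel's reported Retbleed / Spectre v2 status.
 * Build: cc -O2 -o mitig_check mitig_check.c ; run: ./mitig_check
 */
#include <stdio.h>
#include <string.h>

enum mitig_state { STATE_NOT_AFFECTED, STATE_MITIGATED, STATE_VULNERABLE, STATE_UNKNOWN };

/* Maps one line from a sysfs vulnerability file onto a coarse state. */
enum mitig_state classify_status(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0) return STATE_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return STATE_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return STATE_VULNERABLE;
    return STATE_UNKNOWN;                     /* empty or unrecognised text */
}

const char *state_name(enum mitig_state s)
{
    switch (s) {
    case STATE_NOT_AFFECTED: return "not-affected";
    case STATE_MITIGATED:    return "mitigated";
    case STATE_VULNERABLE:   return "VULNERABLE";
    default:                 return "unknown";
    }
}

/* 1 if the state should be escalated: vulnerable, or not understood. */
int needs_attention(enum mitig_state s)
{
    return s == STATE_VULNERABLE || s == STATE_UNKNOWN;
}

/* Reads /sys/devices/system/cpu/vulnerabilities/<name> into buf (newline
 * stripped). Returns 1 on success, 0 if the file is missing or unreadable. */
int read_vuln_status(const char *name, char *buf, size_t len)
{
    char path[256];
    snprintf(path, sizeof path, "/sys/devices/system/cpu/vulnerabilities/%s", name);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    if (!fgets(buf, (int)len, f)) { fclose(f); return 0; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 1;
}

int main(void)
{
    const char *names[] = { "retbleed", "spectre_v2" };
    char buf[512];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (read_vuln_status(names[i], buf, sizeof buf)) {
            enum mitig_state s = classify_status(buf);
            printf("%-10s %-13s %s%s\n", names[i], state_name(s), buf,
                   needs_attention(s) ? "   <-- attention" : "");
        } else {
            /* No retbleed file: kernel predates the Retbleed patches (or no sysfs). */
            printf("%-10s missing (kernel predates the Retbleed patches or sysfs unavailable)\n",
                   names[i]);
        }
    }

    /* Constructed sample lines, so the classifier can be seen working on any host. */
    const char *samples[] = { "Mitigation: IBRS", "Not affected", "Vulnerable", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %-22s -> %s\n", samples[i], state_name(classify_status(samples[i])));
    return 0;
}
```

On a patched kernel the `retbleed` line names the active mitigation (for example an IBRS-based one on Intel or the return-thunk approach on AMD), which is what you compare against the overhead figures above when deciding whether to change the `retbleed=` boot option.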

Finally, if you are interested in learning more, you can consult the details at the following link.
