RFDS, a vulnerability that affects Intel E-core processors


If exploited, this flaw can allow attackers to gain unauthorized access to sensitive information, or more generally to cause problems.

Intel recently announced that it has detected a microarchitectural vulnerability (listed as CVE-2023-28746) in Intel Atom processors (E-cores), known as RFDS (Register File Data Sampling). The danger of this vulnerability lies in the fact that it allows data used by a process that was previously running on the same CPU core to be determined.

RFDS is a vulnerability that shares similarities with data sampling attacks such as Microarchitectural Data Sampling (MDS), but it differs in its exposure method and in the data exposed, which is limited to stale register data.

About vulnerability

The identification of “RFDS” was carried out by Intel engineers during an internal audit. Although no detailed information has been provided on the method of its exploitation, Intel engineers have pointed out that the attacker cannot intentionally control which process's data is extracted, which implies that the information exposed for recovery is random. However, exploitation of RFDS by a malicious actor who can execute code locally on a system could lead to the inference of secret data values previously held in registers, potentially compromising the security and confidentiality of that information.

RFDS was discovered as part of Intel's extensive internal validation work on microarchitectural security. Similar to transient execution data sampling attacks such as Microarchitectural Data Sampling (MDS), RFDS can allow a malicious actor who can execute code locally on a system to infer secret data values that would otherwise be protected by architectural mechanisms. RFDS differs from the MDS vulnerabilities in both the exposure method and the exposed data (RFDS exposes only stale register data). Neither MDS nor RFDS, on its own, gives a malicious actor the ability to choose which data is inferred using these methods.

It is mentioned that these leaks affect the vector registers used in encryption, memory copy functions, and string processing, as in the memcpy, strcmp, and strlen functions. Leakage is also possible through the registers that hold floating point numbers and integers, although these are updated more frequently during task execution, which reduces the likelihood of leaks through them. Importantly, the residual data does not remain directly in the architectural registers, but can be extracted from the register files using side-channel techniques, such as leaking the data through the CPU cache.

RFDS exclusively affects Atom processors based on the Alder Lake, Raptor Lake, Tremont, Goldmont and Gracemont microarchitectures. These processors do not support Hyper-Threading, which limits data leakage to a single execution thread within the current CPU core. Changes to address this vulnerability are included in the microcode update microcode-20240312-staging.

Protection methods against this vulnerability are similar to those used to block previously identified attacks, such as MDS, SRBDS, TAA, DRPW (Device Register Partial Write) and SBDS (Shared Buffer Data Sampling).

To protect against leaks from the kernel and the hypervisor, in addition to updating the microcode it is necessary to use software protection that relies on the VERW instruction to clear the contents of the microarchitectural buffers when returning from the kernel to user space or when transferring control to a guest system. This protection has already been implemented in the Xen hypervisor and in the Linux kernel.

To enable the protection in the Linux kernel, you can pass the “reg_file_data_sampling=on” parameter when booting the kernel. Information about the vulnerability and about whether the microcode necessary for the protection is present can be read from the file “/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling”.
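As an added example (not from the article, nor Intel's or the kernel's own code), the following POSIX shell check reads the sysfs file named above and maps its status to the remediation the article describes; the status strings it matches are the ones documented in the Linux kernel's admin guide for that file, and the function takes an optional path so it can be exercised on a constructed file.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's RFDS report in sysfs and map it
# to the action the article describes (microcode update or kernel VERW
# mitigation). Status strings are those documented in the kernel admin guide.

RFDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling

# classify_rfds [file]: print one token describing the status in the file.
# The optional path argument exists so the function can be tested on a
# constructed file instead of the live sysfs entry.
classify_rfds() {
    f=${1:-$RFDS_SYSFS}
    # Missing file: kernel too old to know about RFDS, or not Linux at all.
    [ -r "$f" ] || { echo unknown; return 0; }
    status=$(cat "$f")
    case "$status" in
        "Not affected"*)                     echo not-affected ;;
        "Mitigation: Clear Register File"*)  echo mitigated ;;          # VERW on kernel exit
        "Vulnerable: No microcode"*)         echo needs-microcode ;;    # CPU lacks updated ucode
        "Vulnerable"*)                       echo needs-kernel-mitigation ;;  # ucode ok, VERW off
        *)                                   echo unknown ;;
    esac
}

# rfds_action <token>: remediation step for a token from classify_rfds.
rfds_action() {
    case "$1" in
        not-affected)            echo "nothing to do" ;;
        mitigated)               echo "microcode and VERW mitigation are active" ;;
        needs-microcode)         echo "install the 20240312 microcode update, then reboot" ;;
        needs-kernel-mitigation) echo "boot with reg_file_data_sampling=on" ;;
        *)                       echo "kernel does not report RFDS; check CPU model and kernel version" ;;
    esac
}

# Live report for this machine; skipped where the sysfs file does not exist.
if [ -r "$RFDS_SYSFS" ]; then
    state=$(classify_rfds)
    echo "RFDS: $state ($(rfds_action "$state"))"
fi
```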

Finally, if you are interested in knowing more about it, you can consult the details at the following link.
