SLAM: a new type of attack that affects Intel, AMD and ARM


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or generally cause problems

Recently it was announced that a group of researchers has developed a new side-channel attack technique called SLAM (Spectre Linear Address Masking). It exploits Spectre-class microarchitectural vulnerabilities to bypass hardware protections and expose data from kernel memory, such as password hashes.

SLAM is a transient-execution attack that takes advantage of a memory feature which lets software use the untranslated bits of 64-bit linear addresses to store metadata. With that, an attacker can steer the execution of existing code sequences so that speculative execution reveals sensitive data, including information belonging to other programs and even to the operating system.

The technique relies on a new covert channel based on non-canonical address translation, which makes the practical exploitation of generic Spectre gadgets to leak valuable information feasible.

LAM is Intel's name for the feature being abused: Linear Address Masking. Arm calls its equivalent Top Byte Ignore (TBI) and AMD calls it Upper Address Ignore (UAI); all three implement the same idea, each in its own way.
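To make the masking idea concrete, the following is an added example (not code from the article or from the SLAM researchers) that models how a tagged 64-bit pointer is treated under the classic canonicality rule versus a LAM/TBI/UAI-style masked rule. It assumes, as a simplification, that the untranslated bits are bits 62 down to the paging width (48 or 57) and that bit 63 and the top translated bit remain the sign bits; the pointer values and tag are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Translated address width: 48 bits with 4-level paging, 57 with 5-level. */
enum { VA_BITS_4LVL = 48, VA_BITS_5LVL = 57 };
/* Bits 62..va_bits: the untranslated bits that LAM-style masking hands to
 * software as metadata (assumption: bit 63 and bit va_bits-1 stay sign bits). */
static uint64_t meta_mask(int va_bits)
{
    return ((1ULL << (63 - va_bits)) - 1) << va_bits;
}

/* Classic x86-64 rule: bits 63..va_bits-1 must all equal bit va_bits-1.
 * An address that fails this is non-canonical and faults when dereferenced. */
bool is_canonical(uint64_t addr, int va_bits)
{
    uint64_t top = addr >> (va_bits - 1);
    return top == 0 || top == (1ULL << (65 - va_bits)) - 1;
}

/* Masked rule (LAM / TBI / UAI style): only bit 63 and bit va_bits-1 are
 * compared, so a pointer carrying a tag is accepted instead of faulting. */
bool is_canonical_masked(uint64_t addr, int va_bits)
{
    return ((addr >> 63) & 1) == ((addr >> (va_bits - 1)) & 1);
}

/* Store a tag in the metadata bits of a pointer. */
uint64_t tag_pointer(uint64_t addr, uint64_t tag, int va_bits)
{
    uint64_t m = meta_mask(va_bits);
    return (addr & ~m) | ((tag << va_bits) & m);
}

/* Recover the address the MMU translates: metadata bits become sign-bit copies. */
uint64_t strip_tag(uint64_t addr, int va_bits)
{
    uint64_t m = meta_mask(va_bits), sign = (addr >> (va_bits - 1)) & 1;
    return sign ? (addr | m) : (addr & ~m);
}

int main(void)
{
    /* constructed user-space pointer, tagged with 0x5a in the metadata bits */
    uint64_t tagged = tag_pointer(0x00007f1234567890ULL, 0x5a, VA_BITS_4LVL);
    printf("%#llx classic=%d masked=%d stripped=%#llx\n", (unsigned long long)tagged,
           is_canonical(tagged, 48), is_canonical_masked(tagged, 48),
           (unsigned long long)strip_tag(tagged, 48));
    return 0;
}
```

The same tagged pointer that would fault on a CPU without masking is accepted once LAM/TBI/UAI is enabled, which is why Linux chose to keep LAM off by default until mitigation guidance is available.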

As for which CPUs are affected, the researchers mention the following:

  • Existing AMD CPUs vulnerable to CVE-2020-12965.
  • Future Intel CPUs that support LAM (4 and 5 level paging).
  • Future AMD CPUs that will support UAI and 5-level paging.
  • Future Arm CPUs supporting TBI and 5-level paging.

As with the exploitation of Spectre vulnerabilities, a SLAM attack requires the presence of certain instruction sequences (gadgets) in the kernel that lead to speculative execution. These instructions result in a speculative read of data from memory that depends on external conditions the attacker can influence.

Once the misprediction is detected, the result of the speculative execution is discarded, but the data it touched remains in the cache and can later be recovered through side-channel analysis. To extract the data left in the cache, the researchers use the Evict+Reload method: they first create conditions that push data out of the cache (for example, an activity that uniformly fills the cache with filler content) and then perform operations whose execution time reveals whether a given piece of data is present in the processor cache.

A SLAM attack uses code gadgets in which attacker-controlled data is used as a pointer. Such code patterns are common in real programs: tens of thousands of these gadgets have been identified in the Linux kernel, of which at least several hundred are suitable for use in exploits.

Leaks can be prevented by adding instructions to such gadgets that block speculative execution. Intel intends to provide a software mitigation before shipping LAM-enabled processors. AMD recommends using the existing mitigations against Spectre v2 attacks. To protect against the attack, the Linux kernel developers decided to disable LAM support by default until Intel releases recommendations for blocking the vulnerability.

It is also worth mentioning that the researchers published an implementation of the method and demonstrated how data matching a given mask can be extracted from kernel memory. At the moment the exploit is CPU-independent, but it has only been shown to work on Linux, which has already merged a patch that disables LAM by default until further guidance is available.

Finally, if you are interested in knowing more about it, you can consult the details in the following link
