Spectre attack still unsolved six years later: researchers successfully hack Intel and AMD chips

Johannes Wikner and Kaveh Razavi of the Swiss Federal Institute of Technology in Zurich published a report on Friday detailing a cross-process Spectre attack that can bypass Address Space Layout Randomization (ASLR) and leak the root password hash from a set-user-ID (suid) process. The researchers say they have successfully carried out such an attack.

Spectre attacks are a family of attacks that exploit the way a processor performs speculative execution, a performance optimization in which the processor carries out work ahead of time. The results are used if they turn out to be needed and discarded otherwise.

Branch prediction is a form of speculative execution in which a modern processor guesses the path a program will take. It is closely related to branch target prediction, which tries to predict the target address of the next instruction to execute after a given branch.

Spectre attacks try to make the branch predictor mispredict, so that the processor speculatively accesses out-of-bounds memory containing sensitive information such as passwords or encryption keys before it works out the correct path. By steering speculation at the memory locations where these secrets are stored, the attacker can then infer the secrets by monitoring side channels such as CPU cache accesses and power variations.

The Indirect Branch Predictor Barrier (IBPB) is meant to protect against the Spectre v2 attack (CVE-2017-5715) on x86 Intel and AMD chips. Its purpose is to prevent previously learned indirect branch targets from being used for speculative execution after the barrier.

Apparently, the barrier was not working properly.

“We have found a microcode bug in recent Intel microarchitectures, such as Golden Cove and Raptor Cove, present in 12th, 13th, and 14th generation Intel Core processors and 5th and 6th generation Xeon processors. used after IBPB invalidates,” explained Wikner. “This idea behind the barrier allows an attacker to bypass the security parameters set by the process context and a virtual machine involved.”

Wikner and Razavi also managed to leak arbitrary kernel memory from an unprivileged process on AMD chips built on the Zen 2 architecture.

Videos of the Intel and AMD attacks have been released, showing the expected command-line interactions.

Intel chips, including 12th, 13th, and 14th generation Intel Core and 5th and 6th generation Xeon, can be vulnerable to the attack. The issue may also affect Linux users on AMD Zen 1(+) and Zen 2 hardware.

Details were disclosed in June 2024, but Intel and AMD had each discovered the issue independently.

Intel addressed the issue in a microcode update (INTEL-SA-00982) released in March 2024. However, some Intel hardware may not have received this microcode update yet.

“However, at the time of writing this article, this microcode update is not available in the Ubuntu repository,” Wikner and Razavi observed in their technical summary.

Ubuntu seems to have subsequently addressed this issue.
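Because the article's point is that the kernel may report IBPB as active while the barrier itself is ineffective until the vendor microcode update lands, a practitioner will want to read both the kernel's Spectre v2 status and the running microcode revision. The script below is an added example, not code from the article or the researchers; it classifies the `spectre_v2` sysfs line (passed as a string so it also works on a line captured from another host) and prints the microcode revision for comparison against the vendor advisory, without hard-coding any revision threshold.

```shell
#!/bin/sh
# Added example (not from the article or the researchers): summarise the
# Linux kernel's Spectre v2 report and whether the IBPB barrier is in use.

# Classify a spectre_v2 sysfs line. "mitigated-with-ibpb" only means the
# kernel issues IBPB; on the affected Intel and AMD parts the barrier itself
# is ineffective until the vendor microcode update is applied.
spectre_v2_status() {
    line="$1"
    case "$line" in
        "Not affected"*) echo "not-affected" ;;
        Vulnerable*)     echo "vulnerable" ;;
        Mitigation:*)
            case "$line" in
                *IBPB*) echo "mitigated-with-ibpb" ;;
                *)      echo "mitigated-without-ibpb" ;;
            esac ;;
        *)               echo "unknown" ;;
    esac
}

# Extract the IBPB mode the kernel reports (e.g. "conditional", "always-on"),
# or "none" when the line does not mention IBPB at all.
ibpb_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/.*IBPB: *\([^;]*\).*/\1/p')
    if [ -n "$mode" ]; then echo "$mode"; else echo "none"; fi
}

# Report the live state of this host. The microcode revision is printed for
# comparison with the vendor advisory; no threshold is hard-coded here.
report_live_status() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r "$f" ]; then
        line=$(cat "$f")
        echo "spectre_v2: $line"
        echo "status: $(spectre_v2_status "$line"), ibpb: $(ibpb_mode "$line")"
    else
        echo "spectre_v2: sysfs entry not available on this host"
    fi
    if [ -r /proc/cpuinfo ]; then
        echo "microcode revision: $(awk -F': *' '/^microcode/ {print $2; exit}' /proc/cpuinfo)"
    fi
}

# Constructed sample lines (not captured from a real host) for demonstration.
SAMPLE_PATCHED="Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling"
SAMPLE_NO_IBPB="Mitigation: Retpolines; STIBP: disabled; RSB filling"

report_live_status
```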

AMD issued its own advisory, security bulletin AMD-SB-1040, in November 2022. The company noted that hypervisor and/or operating system vendors will have to make their own improvements.

“Since the issue is known to AMD and identified as AMD-SB-1040, AMD will treat this issue as a software bug,” the researchers explained. “We are currently working with Linux kernel maintainers to introduce the software solutions we recommend.”
