Researchers from the Vrije Universiteit Amsterdam have revealed a new side-channel attack called SLAM which can be exploited to leak sensitive information from the kernel memory of current and future CPUs from Intel, AMD, and Arm.
The attack is an end-to-end exploit for Specter based on a new feature of Intel CPUs called Linear Address Masking (LAM) as well as similar counterparts from AMD (called Above Address Ignore or UAI) and Arm (called Top Byte Ignore or TBI).
“SLAM exploits unmasked gadgets to allow a userland process to leak arbitrary ASCII kernel data,” VUSec researchers SAYSadding it can be used to leak the root password hash within minutes from kernel memory.
Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology
Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.
While LAM is presented as a security feature, the study found that it ironically undermines security and “dramatically” increases the Specter attack, resulting in a transient attack to kill, exploiting. speculative murder to retrieve sensitive data through a covert cache channel.
“A transient execution attack exploits the microarchitectural side effects of transient instructions, thereby allowing a malicious adversary to access information that would normally be prohibited by architectural access control mechanisms, ” Intel States in its terminology documentation.
Described as the first transient assassination attack targeting future CPUs, SLAM exploits a new covert channel based on non-canonical address translation that facilitates practical exploitation of generic Specter gadgets to triple valuable information. This affects the following CPUs –
- Existing AMD CPUs that are vulnerable to CVE-2020-12965
- Future Intel CPUs supporting LAM (both 4- and 5-level paging)
- Future AMD CPUs supporting UAI and 5-level paging
- Future Arm CPUs supporting TBI and 5-level paging
“Arm’s systems are already mitigating against Specter v2 and NHB, and consider it the software’s responsibility to protect itself against Specter v1,” Arm SAYS in an advisory. “The described methods only increase the attack surface of existing vulnerabilities such as Specter v2 or BHB by increasing the number of exploitable gadgets.”
AMD is also targeting the current Specter v2 mitigations to address the SLAM exploit. Intel, on the other hand, intends to provide software guidance ahead of the upcoming release of Intel processors that support LAM. In the interim, Linux maintainers have developed patches to disable LAM by default.
The findings come almost two months after the VUSec explained Quarantinea software-only method to mitigate transient execution attacks and achieve physical domain isolation by partitioning the Last level cache (LLC) to give each security domain exclusive access to another part of the LLC with the goal of eliminating LLC covert channels.
“The physical quarantine domain isolates different security domains on different cores to prevent them from sharing corelocal microarchitectural resources,” the researchers said. “Furthermore, it unshares the LLC, dividing it into security domains.”