The hardware design flaws that won’t go away.<\/p>\n\n\n\n
https:\/\/www.theregister.com\/2024\/10\/18\/spectre_problems_continue_amd_intel<\/a><\/p>\n\n\n Six years after the Spectre transient execution processor design flaws were disclosed, efforts to patch the problem continue to fall short.<\/p>\n\n\n\n Johannes Wikner and Kaveh Razavi of Swiss university ETH Zurich on Friday published details<\/a> about a cross-process Spectre attack that derandomizes Address Space Layout Randomization<\/a> and leaks the hash of the root password from the Set User ID (suid) process on recent Intel processors. The researchers claim they successfully conducted such an attack.<\/p>\n\n\n\n Spectre<\/a> refers to a set of attacks made possible because of the way processors conduct speculative execution – a performance optimization technique that involves making calculations in advance. The results can be used if needed, or otherwise discarded.<\/p>\n\n\n\n Branch prediction is a form of speculative execution, and modern processors use it to make guesses about the path a program will take. It’s related to branch target prediction, which attempts to predict the target address of the next instruction to be executed in a given branch.<\/p>\n\n\n\n Spectre attacks try to make the branch predictor forward an incorrect prediction \u2013 such that when the processor executes the associated instructions, it accesses out-of-bounds memory that contains secrets like passwords or encryption keys. Subsequent operations on the memory area storing secrets may allow the attacker to infer those secrets by observing side-channels \u2013 such as CPU cache accesses and power fluctuations.<\/p>\n\n\n\n The indirect branch predictor barrier (IBPB) was intended as a defense against Spectre v2 (CVE-2017-5715) attacks on x86 Intel and AMD chips. IBPB is designed to prevent forwarding of previously learned indirect branch target predictions for speculative execution.<\/p>\n\n\n\n Evidently, the barrier wasn’t implemented properly.<\/p>\n\n\n\n “We found a microcode bug in the recent Intel microarchitectures \u2013 like Golden Cove and Raptor Cove, found in the 12th, 13th and 14th generations of Intel Core processors, and the 5th and 6th generations of Xeon processors \u2013 which retains<\/em> branch predictions such that they may still be used after IBPB should have invalidated them,” explained<\/a> Wikner. “Such post-barrier<\/em> speculation allows an attacker to bypass security boundaries imposed by process contexts and virtual machines.”<\/p>\n\n\n\n Wikner and Razavi also managed to leak arbitrary kernel memory from an unprivileged process on AMD silicon built with its Zen 2 architecture.<\/p>\n\n\n\n Videos of the Intel<\/a> and AMD<\/a> attacks have been posted, with all the cinematic dynamism one might expect from command line interaction.<\/p>\n\n\n\n Intel chips \u2013 including Intel Core 12th, 13th, and 14th generation and Xeon 5th and 6th \u2013 may be vulnerable. On AMD Zen 1(+) and Zen 2 hardware, the issue potentially affects Linux users.<\/p>\n\n\n\n The relevant details were disclosed in June 2024, but Intel and AMD found the problem independently.<\/p>\n\n\n\n Intel fixed the issue in a microcode patch (INTEL-SA-00982<\/a>) released in March, 2024. Nonetheless, some Intel hardware may not have received that microcode update.<\/p>\n\n\n\n In their technical summary, Wikner and Razavi observe: “This microcode update was, however, not available in Ubuntu repositories at the time of writing this paper.”<\/p>\n\n\n\n It appears Ubuntu has subsequently dealt with the issue<\/a>.<\/p>\n\n\n\nThe indirect branch predictor barrier is less of a barrier than hoped<\/h5>\n\n\n\n