A group of researchers has discovered a new data leak attack that targets modern CPU architectures that support speculative execution.
Nicknamed GhostRace (CVE-2024-2193), it is a variant of the transient execution CPU vulnerability known as Spectre v1 (CVE-2017-5753). The approach combines speculative execution and race conditions.
“All common synchronization primitives implemented using conditional branches can be circumvented at the microarchitectural level on speculative paths using a branch misprediction attack, turning all architecturally race-free critical regions into Speculative Race Conditions (SRCs), allowing attackers to leak information from the target,” the researchers said.
The findings come from the Systems Security Research Group at IBM Research Europe and VUSec, the latter of which disclosed another side-channel attack called SLAM targeting modern processors in December 2023.
Spectre refers to a class of side-channel attacks that leverage branch prediction and speculative execution on modern CPUs to read privileged data in memory, bypassing isolation protections between applications.
While speculative execution is a performance optimization technique used by most CPUs, Spectre attacks exploit the fact that incorrect predictions leave traces of memory accesses or calculations in processor caches.
“Spectre attacks cause a victim to speculatively perform operations that would not occur during strictly serialized processing of program instructions, and which leak the victim’s sensitive information through a covert channel to the adversary,” the researchers behind the Spectre attack noted in January 2018.
What makes GhostRace noteworthy is that it allows an unauthenticated attacker to extract arbitrary data from the processor by using race conditions to reach speculative execution paths, in what is called a Speculative Concurrent Use-After-Free (SCUAF) attack.
A race condition is an unwanted situation that occurs when two or more processes attempt to access the same shared resource without adequate synchronization, thus leading to inconsistent results and opening a window of opportunity for an attacker to perform malicious actions.
“An SRC vulnerability is similar in characteristics and exploitation strategy to a classic race condition,” the CERT Coordination Center (CERT/CC) explained in an advisory.
“However, it is different in that the attacker exploits said race condition on a transiently executed path that originates from an incorrectly speculated branch (similar to Spectre v1), targeting a code snippet or a disclosure gadget that ultimately reveals information to the attacker.”
The end result is that it allows an attacker with access to CPU resources to access arbitrary sensitive data from the host’s memory.
“Any software, e.g. operating system, hypervisor, etc., that implements synchronization primitives across conditional branches without any serialization instructions on that path and is running on any microarchitecture (e.g. x86, ARM, RISC-V, etc.) which allows conditional branches to be executed speculatively, is vulnerable to SRCs,” VUSec said.
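As an added illustration (not code from the researchers or from Xen), the pattern the quote describes, in C: a critical region entered through a conditional branch on a lock, shown first without and then with a serializing barrier on the path the branch guards. The `lfence` choice on x86, the `dsb`/`isb` pair on AArch64 and the no-op fallback elsewhere are this example's own assumptions, as is the toy `struct resource`.

```c
/* Added example: a toy lock-guarded read, unhardened and hardened.
 * Assumed, not taken from the paper or from Xen's LOCK_HARDEN. */
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>

/* Serializing instruction that stops speculation past this point.
 * The per-architecture choice here is this example's assumption. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#elif defined(__aarch64__)
    __asm__ __volatile__("dsb sy\n\tisb" ::: "memory");
#else
    atomic_signal_fence(memory_order_seq_cst); /* no-op stand-in */
#endif
}

struct resource { atomic_flag lock; const uint8_t *buf; size_t len; };

/* Constructed sample data and a statically initialised resource. */
static const uint8_t sample[4] = { 0x11, 0x22, 0x33, 0x44 };
static struct resource demo = { ATOMIC_FLAG_INIT, sample, sizeof sample };

/* Unhardened: architecturally race-free, but the branch on the lock test is
 * exactly the conditional branch the article describes. If it is
 * mispredicted, the body can run transiently while another CPU holds the
 * lock and replaces buf (the SCUAF pattern). */
static uint8_t read_unhardened(struct resource *r, size_t i) {
    if (atomic_flag_test_and_set_explicit(&r->lock, memory_order_acquire))
        return 0;                      /* lock busy: caller retries */
    uint8_t v = (i < r->len) ? r->buf[i] : 0;
    atomic_flag_clear_explicit(&r->lock, memory_order_release);
    return v;
}

/* Hardened: same logic, but speculation is cut off right after the branch
 * that admits us into the critical region, so nothing below can execute
 * on a mispredicted path. Architectural results are identical. */
static uint8_t read_hardened(struct resource *r, size_t i) {
    if (atomic_flag_test_and_set_explicit(&r->lock, memory_order_acquire))
        return 0;
    speculation_barrier();             /* serialize before touching buf */
    uint8_t v = (i < r->len) ? r->buf[i] : 0;
    atomic_flag_clear_explicit(&r->lock, memory_order_release);
    return v;
}

/* Both variants must agree byte for byte; returns 1 when they do. */
static int variants_agree(void) {
    for (size_t i = 0; i <= sizeof sample; i++)   /* includes out-of-range */
        if (read_unhardened(&demo, i) != read_hardened(&demo, i)) return 0;
    return 1;
}
```

The barrier changes nothing a program can observe; it only removes the transient window, which is why the fix is measured by its performance cost rather than by any functional test.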
Following a responsible disclosure, AMD said that existing guidance for Spectre “remains applicable to mitigate this vulnerability.” Maintainers of the open source hypervisor Xen acknowledged that all versions are affected, although they said it was unlikely to pose a serious security threat.
“Out of an abundance of caution, the Xen security team has provided hardening patches, including the addition of a new LOCK_HARDEN mechanism on x86 similar to the existing BRANCH_HARDEN,” Xen said.
“LOCK_HARDEN is disabled by default, due to uncertainty as to whether there is a vulnerability to mitigate.”