The “GhostRace” speculative execution attack impacts all CPU and operating system vendors

Researchers at IBM and VU Amsterdam have developed a new attack that exploits speculative execution mechanisms in modern computer processors to bypass checks in operating systems against so-called race conditions.

The attack exploits a vulnerability (CVE-2024-2193) which the researchers discovered and which affects Intel, AMD, ARM and IBM processors. It works against any operating system, hypervisor, or other software that implements synchronization primitives or built-in checks against race conditions. The researchers dubbed their attack “GhostRace” and described it in a technical paper published this week.

“Our key finding is that all common synchronization primitives can be circumvented at the microarchitectural level on speculative paths, transforming all critical architecturally race-free regions into speculative race conditions (SRCs),” the researchers said.

Speculative execution bugs persist despite scrutiny

A race condition, as the researchers explain in their paper, can occur when two or more processes or threads attempt to access a shared computing resource, such as a memory location or a file, at the same time. This is a relatively common cause of data corruption and of vulnerabilities that lead to memory leaks, unauthorized access, denial of service, and security bypasses.

To mitigate the problem, operating system vendors have implemented so-called synchronization primitives in their software that control and synchronize access to shared resources. These primitives, which have names like “mutex” and “spinlock,” ensure that only one thread can access or modify a shared resource at a time.

What the researchers at IBM and VU Amsterdam discovered was a way to circumvent these mechanisms by targeting the speculative execution, or out-of-order processing, functionality of modern processors. Speculative execution involves a processor predicting the outcome of certain instructions and executing them in advance rather than strictly in the order received. The goal is to speed up processing by having the processor work on subsequent instructions even while waiting for the result of previous ones.

Speculative execution burst into the spotlight in 2017, when researchers discovered a way to exploit the technique to access sensitive information in system memory – such as passwords, encryption keys and emails – and use that data for further attacks. The so-called Spectre and Meltdown vulnerabilities affected virtually all modern microprocessors and prompted a review of microprocessor architecture that in many ways is still ongoing.

As part of an effort to help microprocessor designers and other interested parties better protect processors from vulnerabilities like Spectre and Meltdown, MITRE in February 2024 launched four new Common Weakness Enumeration (CWE) entries that describe and document various microprocessor weaknesses.

A new twist on a known exploit

The attack developed by the researchers from IBM and VU Amsterdam is based on conditional branch speculation, similar to a Spectre-type attack. “Our key finding is that all common (write-side) primitives (i) lack explicit serialization and (ii) protect the critical region with a conditional branch,” the researchers said. In other words, they found that when synchronization primitives use a conditional “if” statement to control access to shared resources, they are vulnerable to a speculative execution attack.

“In an adversarial speculative execution environment, i.e., with a Spectre attacker mistraining the conditional branch, these primitives essentially behave like a no-op,” they noted. “The security implications are significant, as an attacker can speculatively execute all critical regions in the victim’s software without synchronization.”
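To make the two properties concrete, the following added example (not code from the paper or from any vendor) sketches a minimal try-lock in C in both the form the researchers describe, a compare-and-swap guarded only by a conditional branch, and a form with explicit serialization after that branch. The barrier instructions (lfence on x86, dsb/isb on AArch64) are this example's assumption about how such serialization would be added; both variants behave identically architecturally, and the difference lies only in what the CPU may do on a mispredicted path, which no functional test can observe.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Speculation barrier (assumption of this example): lfence on x86 keeps
 * younger instructions from executing until older ones have completed;
 * dsb sy; isb is the analogous AArch64 sequence. Other targets get only a
 * compiler barrier, which does NOT restrain hardware speculation. */
#if defined(__x86_64__) || defined(__i386__)
#define SPECULATION_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#elif defined(__aarch64__)
#define SPECULATION_BARRIER() __asm__ __volatile__("dsb sy\n\tisb" ::: "memory")
#else
#define SPECULATION_BARRIER() __asm__ __volatile__("" ::: "memory")
#endif

typedef struct { atomic_int locked; } spinlock_t;

/* Properties (i) and (ii) from the article: the critical region that follows
 * in the caller is protected only by the branch on the CAS result, with no
 * explicit serialization. If the branch is mispredicted as "acquired", the
 * CPU may run the caller's critical region speculatively without the lock. */
static bool try_lock_unserialized(spinlock_t *l) {
    int expected = 0;
    if (!atomic_compare_exchange_strong(&l->locked, &expected, 1))
        return false;   /* lock already held by another thread */
    return true;        /* caller enters its critical region */
}

/* Serialized form: the barrier after the branch means nothing past this
 * point executes until the CAS outcome is architecturally known. */
static bool try_lock_serialized(spinlock_t *l) {
    int expected = 0;
    if (!atomic_compare_exchange_strong(&l->locked, &expected, 1))
        return false;
    SPECULATION_BARRIER();
    return true;
}

static void unlock(spinlock_t *l) {
    atomic_store_explicit(&l->locked, 0, memory_order_release);
}

/* Functional check of the architectural semantics both variants share:
 * returns the number of successful acquisitions in the sequence below (2). */
int demo_acquisitions(void) {
    spinlock_t l;
    atomic_init(&l.locked, 0);
    int acquired = 0;
    if (try_lock_serialized(&l)) acquired++;      /* free: succeeds */
    if (try_lock_unserialized(&l)) acquired++;    /* held: fails   */
    unlock(&l);
    if (try_lock_unserialized(&l)) acquired++;    /* free: succeeds */
    if (try_lock_serialized(&l)) acquired++;      /* held: fails   */
    unlock(&l);
    return acquired;
}
```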

In a blog post, the researchers noted that they have informed all major hardware vendors of their discovery, and that the vendors, in turn, have notified all affected operating system and hypervisor vendors. All the vendors acknowledged the problem, the researchers said.

In an advisory, AMD recommended that software developers follow its previously published guidance on protecting against Spectre-type attacks.
