Academic researchers have disclosed the details of a new type of attack targeting modern CPUs, particularly future products from Intel, AMD and Arm.
The attack has been named SLAM, which stands for ‘Spectre based on Linear Address Masking’, and it was discovered by researchers at VUSec, the systems and network security group at the VU Amsterdam university in the Netherlands.
The researchers’ goal was to demonstrate that upcoming hardware-based security features such as Intel’s Linear Address Masking (LAM), AMD’s Upper Address Ignore (UAI) and Arm’s Top Byte Ignore (TBI), which should enable the implementation of fast security checks, can actually increase the surface for Spectre attacks.
Spectre is one of the original transient execution CPU vulnerabilities, which can expose potentially sensitive information from memory, such as encryption keys and passwords, to side-channel attacks.
According to the researchers, SLAM impacts some current AMD processors, as well as future Intel, AMD and Arm CPUs that will support LAM, UAI and TBI.
The experts demonstrated their findings by developing an end-to-end Spectre exploit targeting LAM on upcoming Intel processors.
The exploit focuses on the more recent Spectre BHI attack variant, which bypasses some of the hardware mitigations implemented in response to the original Spectre, and abuses various gadgets in the latest Linux kernel to leak the root password hash from kernel memory within minutes.
Intel, AMD and Arm have been informed about the SLAM attack. Intel, one of the sponsors of the research, said it plans to provide software guidance prior to the release of CPUs that support LAM. In addition, Linux developers created patches to disable the security feature by default until guidance becomes available.
Arm has published a security advisory to inform customers about the attack, but noted that existing mitigations for Spectre v2 and Spectre BHI should prevent exploitation.
The researchers said AMD also claims existing Spectre v2 mitigations should prevent exploitation and the company has not released further guidance.