Researchers Resurrect Spectre v2 Attack Against Intel CPUs

VUSec researchers resurrect Spectre v2 attack, showing that it works against the Linux kernel on the latest-generation Intel CPUs.

The VUSec cybersecurity group at the VU Amsterdam university in the Netherlands has presented a new variation of the Spectre v2 attack targeting Intel processors.

When the Spectre and Meltdown CPU attacks were disclosed in 2018, the variant that was named the most dangerous was Spectre v2 or Spectre BTI (Branch Target Injection). CPU makers and others have been developing hardware and software mitigations, but researchers keep finding new ways to conduct these attacks. 

Spectre-style attacks typically allow an attacker who has access to the targeted system to obtain potentially valuable information, such as encryption keys and passwords, from memory. 

In 2022, VU Amsterdam researchers detailed an extension of Spectre v2, dubbed Branch History Injection (BHI), that was able to bypass hardware mitigations because the attack surface was much larger than vendors had originally assumed.

This week, the VUSec group made public the findings of new related research — partially funded by Intel — detailing what they have described as the first native Spectre-v2 exploit targeting the Linux kernel. VUSec researchers showed that the attack works against the latest Intel CPUs, demonstrating the ability to leak arbitrary kernel memory at a rate of 3.5 Kb/sec.

In a Spectre v2 attack, an unprivileged attacker lures the kernel into speculatively jumping to a so-called gadget that leaks data to the attacker. Attacks have been prevented by ensuring that no exploitable kernel gadgets are available.

However, the researchers have developed a new tool, named InSpectre Gadget, that can identify new Linux kernel gadgets that can be exploited.

“Our tool performs generic constraint analysis and models knowledge of advanced exploitation techniques to accurately reason over gadget exploitability in an automated way,” the researchers explained. “We show that our tool can not only uncover new (unconventionally) exploitable gadgets in the Linux kernel, but that those gadgets are sufficient to bypass all deployed Intel mitigations.” 

Advertisement. Scroll to continue reading.

They have published a video showing how the new native BHI attack can be used to leak the root password hash on a system powered by a 13th Gen Intel Core processor. 

In response to this research, Intel has updated its original guidance for BHI to share information on mitigation methods that customers can currently implement.

“Future processors are expected to mitigate BHI attacks in hardware,” Intel says.
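As an added example (not from the article, VUSec or Intel), the following shell function classifies what the Linux kernel reports in /sys/devices/system/cpu/vulnerabilities/spectre_v2, including the BHI field that newer kernels append to that line, so an administrator can see at a glance whether the kernel believes both Spectre v2 and BHI are mitigated on a host. The sample strings are constructed, and the exact field wording is assumed to follow the kernel's sysfs format.

```shell
#!/bin/sh
# Classify one line in the format of
# /sys/devices/system/cpu/vulnerabilities/spectre_v2. Newer kernels append a
# "BHI: <status>" field to the "Mitigation:" line (assumed format); older
# kernels report nothing about BHI at all, which is worth flagging separately.
spectre_v2_status() {
  line="$1"
  case "$line" in
    "Not affected"*)         echo "not-affected" ;;
    Vulnerable*)             echo "vulnerable" ;;
    Mitigation:*)
      case "$line" in
        *"BHI: Vulnerable"*) echo "mitigated-bhi-vulnerable" ;;    # v2 mitigated, BHI not
        *"BHI: "*)           echo "mitigated-bhi-mitigated" ;;     # both fields present
        *)                   echo "mitigated-bhi-not-reported" ;;  # kernel predates BHI field
      esac ;;
    *)                       echo "unknown" ;;
  esac
}

# Read the live value if sysfs exposes it; returns non-zero otherwise.
read_spectre_v2() {
  f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
  [ -r "$f" ] && cat "$f"
}

# Constructed sample lines (not captured from a real host), one per class.
samples='Not affected
Vulnerable: Unprivileged eBPF enabled
Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling
Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; BHI: Vulnerable
Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; BHI: BHI_DIS_S'

main() {
  echo "$samples" | while IFS= read -r s; do
    printf '%-28s <- %s\n' "$(spectre_v2_status "$s")" "$s"
  done
  if live=$(read_spectre_v2); then
    printf '\nthis host: %s <- %s\n' "$(spectre_v2_status "$live")" "$live"
  fi
}

main
```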

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
