The VUSec cybersecurity group at the VU Amsterdam university in the Netherlands has presented a new variation of the Spectre v2 attack targeting Intel processors.
When the Spectre and Meltdown CPU attacks were disclosed in 2018, the variant that was named the most dangerous was Spectre v2 or Spectre BTI (Branch Target Injection). CPU makers and others have been developing hardware and software mitigations, but researchers keep finding new ways to conduct these attacks.
Spectre-style attacks typically allow an attacker who has access to the targeted system to obtain potentially valuable information, such as encryption keys and passwords, from memory.
In 2022, VU Amsterdam researchers detailed an extension of Spectre v2, dubbed Branch History Injection (BHI), that was able to bypass hardware mitigations because the attack surface was much larger than vendors had originally assumed.
This week, the VUSec group made public the findings of new related research — partially funded by Intel — detailing what they have described as the first native Spectre-v2 exploit targeting the Linux kernel. VUSec researchers showed that the attack works against the latest Intel CPUs, demonstrating the ability to leak arbitrary kernel memory at a rate of 3.5 Kb/sec.
In a Spectre v2 attack, an unprivileged attacker lures the kernel into speculatively jumping to a so-called gadget that leaks data to the attacker. Attacks have been prevented by ensuring that no exploitable kernel gadgets are available.
However, the researchers have developed a new tool, named InSpectre Gadget, that can identify previously unknown, exploitable gadgets in the Linux kernel.
“Our tool performs generic constraint analysis and models knowledge of advanced exploitation techniques to accurately reason over gadget exploitability in an automated way,” the researchers explained. “We show that our tool can not only uncover new (unconventionally) exploitable gadgets in the Linux kernel, but that those gadgets are sufficient to bypass all deployed Intel mitigations.”
They have published a video showing how the new native BHI attack can be used to leak the root password hash on a system powered by a 13th Gen Intel Core processor.
In response to this research, Intel has updated its original guidance for BHI to share information on mitigation methods that customers can currently implement.
“Future processors are expected to mitigate BHI attacks in hardware,” Intel says.
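Whether a given Linux host actually has a BHI mitigation active is something the kernel itself reports, so a defender's first check after reading Intel's guidance is the sysfs vulnerability interface. The script below is an added example, not code from the article, VUSec or Intel. The sysfs path is the kernel's standard one; the status-line formats it matches (the "BHI: ..." suffix the kernel appends to the spectre_v2 line, e.g. "BHI: BHI_DIS_S" for the hardware control or "BHI: Vulnerable" when BHI mitigation is off) are assumptions about recent kernels and should be verified against the kernel's own hw-vuln documentation. The sample status lines at the bottom are constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the article, VUSec or Intel): read the Linux kernel's
# self-reported Spectre v2 mitigation state and say whether it includes a BHI
# mitigation. The "BHI: ..." status strings matched here are assumed to be the
# forms recent kernels emit; verify against your kernel's documentation.

SPECTRE_V2_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# classify_spectre_v2 STATUS_LINE
# Prints a one-word verdict for one spectre_v2 status line:
#   not-affected      CPU reported as not affected by Spectre v2 at all
#   vulnerable        kernel reports Spectre v2 itself as unmitigated
#   bhi-not-affected  Spectre v2 mitigated and CPU not affected by BHI
#   bhi-vulnerable    Spectre v2 mitigated, but BHI explicitly reported vulnerable
#   bhi-mitigated     a BHI mitigation (e.g. BHI_DIS_S, SW clearing loop) is active
#   no-bhi-status     kernel predates BHI reporting; cannot tell from sysfs alone
#   unknown           unrecognised format
classify_spectre_v2() {
    line="$1"
    case "$line" in
        "Not affected"*)          echo not-affected ;;
        Vulnerable*)              echo vulnerable ;;
        *"BHI: Not affected"*)    echo bhi-not-affected ;;
        *"BHI: Vulnerable"*)      echo bhi-vulnerable ;;
        Mitigation*"BHI: "*)      echo bhi-mitigated ;;
        Mitigation*)              echo no-bhi-status ;;
        *)                        echo unknown ;;
    esac
}

# check_host: classify the running kernel, or print "unknown" when the sysfs
# file is absent (non-Linux host, container without sysfs, or an old kernel).
check_host() {
    if [ -r "$SPECTRE_V2_FILE" ]; then
        classify_spectre_v2 "$(cat "$SPECTRE_V2_FILE")"
    else
        echo unknown
    fi
}

# Constructed sample lines in the kernel's format, for demonstration only.
SAMPLE_HW_BHI='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: BHI_DIS_S'
SAMPLE_BHI_OFF='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: Vulnerable'
SAMPLE_OLD_KERNEL='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling'
SAMPLE_UNMITIGATED='Vulnerable: eIBRS with unprivileged eBPF'

printf 'this host: %s\n' "$(check_host)"
for s in "$SAMPLE_HW_BHI" "$SAMPLE_BHI_OFF" "$SAMPLE_OLD_KERNEL" "$SAMPLE_UNMITIGATED"; do
    printf '%-16s <- %s\n' "$(classify_spectre_v2 "$s")" "$s"
done
```

A verdict of bhi-vulnerable or no-bhi-status is the signal to act: the former means the kernel knows about BHI but mitigation is disabled (for example via a boot parameter), the latter means the kernel is too old to report it and should be updated before the status can be trusted.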