
A team of researchers has discovered a new data exfiltration attack affecting modern CPU architectures that support speculative execution.
Dubbed GhostRace (CVE-2024-2193), it is a variant of the transient execution CPU vulnerability known as Spectre v1 (CVE-2017-5753). The approach combines speculative execution with race conditions.
“All common synchronization primitives implemented using conditional branches can be microarchitecturally bypassed on speculative paths using a branch misprediction attack, turning all architecturally race-free critical regions into speculative race conditions (SRCs), allowing an attacker to leak information from the target,” the researchers said.
The findings are from IBM Research Europe’s System Security Research Group and VUSec, which in December 2023 revealed another side-channel attack called SLAM, targeting modern processors.

Spectre refers to a class of side-channel attacks that exploit branch prediction and speculative execution on modern CPUs to read privileged data in memory and bypass the isolation between applications.
While speculative execution is a performance optimization used by most CPUs, Spectre attacks exploit the fact that mispredictions leave traces of memory accesses or computations in the processor cache.
The researchers behind the Spectre attack noted in January 2018: “Spectre attacks trick victims into speculatively performing operations that would not occur during the processing of strictly serialized program instructions, exfiltrating the victim’s confidential information through covert channels to the adversary.”
GhostRace is noteworthy because it allows an unauthenticated attacker to extract arbitrary data from the processor by using race conditions to reach speculatively executed code paths, by means of what is called a speculative concurrent use-after-free (SCUAF) attack.
A race condition is an undesirable situation in which two or more processes or threads access the same shared resource without proper synchronization, producing inconsistent results and opening a window of opportunity for an attacker to perform malicious actions.
“In terms of characteristics and exploitation strategies, SRC vulnerabilities are similar to classic race conditions,” the CERT Coordination Center (CERT/CC) explained in an advisory.
“The difference, however, is that the attacker exploits the race condition on a transient execution path originating from a mispredicted branch (similar to Spectre v1), with a malicious code snippet or gadget that ultimately leaks information to the attacker.”
The upshot is that an attacker with access to CPU resources can read arbitrary sensitive data from host memory.

“Any software, such as an operating system or hypervisor, that implements synchronization primitives through conditional branches without any serializing instruction on that path, and that runs on any microarchitecture (e.g., x86, ARM, RISC-V, etc.) which allows conditional branches to be speculatively executed, is vulnerable to SRCs,” VUSec said.
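The following is an added example, not code from the GhostRace paper, VUSec, or any vendor patch. It shows the pattern the two quotes above describe: a spinlock whose acquisition ends in a conditional branch, guarding a critical region that reads a heap object another thread may free under the same lock (the SCUAF shape). The unhardened lock is shown beside a hardened one that places a serializing instruction right after the branch, which is the same idea as the Xen LOCK_HARDEN mechanism discussed below, though the exact Xen implementation is not reproduced here. All names (branch_lock_t, session_read, session_destroy, speculation_barrier), the page-stride probe array, and the secret string are assumptions constructed for the example.

```c
// Added example (not from the GhostRace paper or any vendor patch).
// A conditional-branch spinlock, unhardened and hardened, around a critical
// region that reads a concurrently freed object. Names are assumptions.
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define STRIDE 4096                         /* one page per byte value */
static volatile uint8_t probe[256 * STRIDE]; /* constructed covert channel */

struct session { const char *secret; };

typedef struct { atomic_int held; } branch_lock_t;

/* Speculation barrier. LFENCE is the Spectre v1 serializing instruction on
 * x86; DSB+ISB is a (heavier) serializing sequence on AArch64. On other
 * targets this degrades to a compiler barrier, which does NOT stop
 * speculation; that fallback is a stated limitation, not a mitigation. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#elif defined(__aarch64__)
    __asm__ __volatile__("dsb sy\n\tisb" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");
#endif
}

/* Unhardened: the loop exit is a conditional branch. The predictor can guess
 * "acquired" while the lock is really held, so the caller's critical region
 * can run transiently before the outcome of the exchange is known. */
static void lock_unhardened(branch_lock_t *l) {
    while (atomic_exchange_explicit(&l->held, 1, memory_order_acquire))
        ;
}

/* Hardened: a serializing instruction immediately after the branch, so the
 * critical region cannot start until acquisition is architectural. */
static void lock_hardened(branch_lock_t *l) {
    while (atomic_exchange_explicit(&l->held, 1, memory_order_acquire))
        ;
    speculation_barrier();
}

static void unlock(branch_lock_t *l) {
    atomic_store_explicit(&l->held, 0, memory_order_release);
}

/* Critical region: architecturally race-free. If the lock branch is
 * mispredicted while session_destroy() holds the lock, the dereference is a
 * speculative concurrent use-after-free and the secret byte becomes a cache
 * line index in probe[], i.e. the Spectre-style transmit. */
static int session_read(branch_lock_t *l, struct session **slot, bool hardened) {
    int v = -1;
    if (hardened) lock_hardened(l); else lock_unhardened(l);
    struct session *s = *slot;
    if (s != NULL) {
        v = (unsigned char)s->secret[0];
        (void)probe[v * STRIDE];     /* volatile read: not optimized away */
    }
    unlock(l);
    return v;
}

/* The other side of the race: free the object under the same lock. */
static void session_destroy(branch_lock_t *l, struct session **slot) {
    lock_hardened(l);
    struct session *s = *slot;
    *slot = NULL;
    unlock(l);
    free(s);
}

int main(void) {
    branch_lock_t l = { 0 };
    struct session *s = malloc(sizeof *s);
    if (s == NULL) return 1;
    s->secret = "S";                 /* constructed secret for the demo */
    struct session *slot = s;
    printf("unhardened read: %d\n", session_read(&l, &slot, false));
    printf("hardened read:   %d\n", session_read(&l, &slot, true));
    session_destroy(&l, &slot);
    printf("after destroy:   %d\n", session_read(&l, &slot, true));
    return 0;
}
```

Both lock variants return identical architectural results, which is the practical difficulty with SRCs: no functional test distinguishes them, because the use-after-free exists only on the transient path that the predictor takes while the exchange is still in flight. The barrier in lock_hardened() is also what costs performance on every acquisition, which is the trade-off behind Xen shipping LOCK_HARDEN disabled by default.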
Following responsible disclosure, AMD said its existing guidance for Spectre “remains applicable to mitigating this vulnerability.” The maintainers of the Xen open source hypervisor acknowledged that all versions are affected, although they said it is unlikely to pose a serious security threat.
Xen said: “Out of an abundance of caution, the Xen security team has provided hardening patches, including the addition of a new LOCK_HARDEN mechanism on x86, similar to the existing BRANCH_HARDEN.”
“Because of the uncertainty of the vulnerability under Xen and the uncertainty of the performance impact, LOCK_HARDEN is off by default. However, we anticipate more research in this area and believe it is prudent to have a mitigation in place.”