Side-channel attacks against processors are once again at the centre of an academic study, this time one that brings to light a security gap in Intel, AMD and ARM processors.
A group of researchers from Vrije Universiteit Amsterdam have identified a “weakness” in hardware features designed to improve the security of future CPUs. By exploiting the SLAM attack (this is its name), it is possible to obtain the root password hash by reading the contents of kernel memory.
What the SLAM attack is
A transient execution attack leverages the speculative execution mechanism typical of modern processors to access confidential information or to influence the state of the system so as to cause unexpected and potentially harmful behavior.
The researchers explain that SLAM primarily affects future CPUs that meet specific criteria. Although the advanced hardware features in question (LAM, UAI and TBI) aim to raise the security level and improve memory management, they also introduce race conditions that can be exploited.
Linear Address Masking (LAM) is a feature implemented by Intel in its processors that allows software to use the address bits not translated into 64-bit linear addresses to store metadata; Upper Address Ignore (UAI) from AMD, much like LAM, allows specific bits to be ignored; Top Byte Ignore (TBI) from ARM is a similar function that ignores part of the memory address.
Overall, the three solutions allow certain address bits to be used for purposes other than memory addressing. These features allow metadata to be stored within the address itself, offering benefits such as memory savings and improved performance for some applications.
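To make the mechanism concrete, here is an added example (it is not code from the article or from the SLAM paper) of what software does today to store metadata in a pointer on x86-64 when no LAM-style feature exists: it packs a tag into the upper bits and must mask that tag off before every dereference, because the tagged form is non-canonical and a classic CPU would fault on it. The bit layout is an assumption modelled on LAM57 (a 6-bit tag in bits 62..57, bit 63 kept as the canonical/sign bit); the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the article or the SLAM paper): software pointer
 * tagging on x86-64, i.e. what programs do today before a LAM-style feature
 * exists in hardware. Assumed, hypothetical layout modelled on LAM57:
 * bits 62..57 carry a 6-bit tag, bit 63 stays the sign/canonical bit. */

#define TAG_SHIFT 57
#define TAG_BITS  6
#define TAG_MASK  ((((uint64_t)1 << TAG_BITS) - 1) << TAG_SHIFT)

/* Pack a tag into the otherwise unused upper bits of a pointer. */
uint64_t tag_ptr(const void *p, unsigned tag)
{
    uint64_t addr = (uint64_t)(uintptr_t)p;
    return (addr & ~TAG_MASK) | (((uint64_t)tag << TAG_SHIFT) & TAG_MASK);
}

/* Read the tag back out of a tagged pointer. */
unsigned ptr_tag(uint64_t tagged)
{
    return (unsigned)((tagged & TAG_MASK) >> TAG_SHIFT);
}

/* Strip the tag and re-extend from bit 63 so that both user (bit 63 = 0)
 * and kernel (bit 63 = 1) addresses become canonical again. This is the
 * masking step that a LAM-enabled CPU performs implicitly on every access. */
void *untag_ptr(uint64_t tagged)
{
    uint64_t addr = tagged & ~TAG_MASK;
    if (tagged >> 63)
        addr |= TAG_MASK;
    return (void *)(uintptr_t)addr;
}

/* Classic 48-bit canonical check: bits 63..47 must all be equal. A CPU
 * without LAM raises a fault on a non-canonical data access, which is what
 * makes a tagged pointer unusable until software masks it. */
int is_canonical48(uint64_t addr)
{
    uint64_t top = addr >> 47;          /* the 17 upper bits */
    return top == 0 || top == 0x1ffff;
}

/* Round trip: tag a heap buffer, confirm the tagged form is non-canonical
 * (so it must never be dereferenced directly), then untag and use it. */
int demo_roundtrip(void)
{
    char *buf = malloc(32);
    if (!buf)
        return 0;

    uint64_t tagged = tag_ptr(buf, 0x15);
    int noncanonical = !is_canonical48(tagged);

    char *usable = untag_ptr(tagged);   /* masked before dereference */
    strcpy(usable, "tagged");

    int ok = noncanonical
          && ptr_tag(tagged) == 0x15
          && strcmp(buf, "tagged") == 0;
    free(buf);
    return ok;
}

int main(void)
{
    printf("round trip %s\n", demo_roundtrip() ? "ok" : "failed");
    return 0;
}
```

The point of the `untag_ptr` step is the whole story: with LAM, UAI or TBI the hardware performs that masking itself and the explicit software mask disappears, which is the convenience these features sell and, as the article goes on to explain, the change in address checking that the SLAM research examines.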
How the attack works in more detail
The attack uses a new transient execution technique that relies on so-called gadgets, instructions in software code that an attacker can manipulate to trigger speculative execution and reveal secret information. Although the results of speculative execution are discarded, the process leaves traces such as altered cache states, which attackers can observe to derive sensitive data, such as data belonging to other programs or to the operating system.
The researchers developed a scanner with which they detected hundreds of exploitable gadgets in the Linux kernel. In a video published on YouTube, the SLAM attack is shown leaking the root password hash by reading from kernel memory.
Reactions from CPU manufacturers
In response to the discovery of the SLAM attack, Intel announced plans to share a set of guidelines before the release of future CPUs that support LAM. In particular, the engineers of Pat Gelsinger’s company will explain how to use Linear Address Space Separation (LASS) to prevent speculative address accesses between user and kernel mode.
Meanwhile, the engineers responsible for developing and maintaining the Linux kernel have created a patch that disables LAM, pending further developments.
AMD has summarized the current countermeasures adopted against Spectre v2, which also proved useful in addressing the SLAM attack. However, it has not yet provided any indications or updates to further reduce the remaining risks.
ARM, for its part, published a note explaining that its systems already contain mitigations for Spectre v2 and Spectre-BHB. No further action is planned following the discovery of SLAM.