Spectre V2 Attack: Affects Intel CPU-based Linux systems

At the beginning of 2018, the discovery of the vulnerabilities known as Spectre and Meltdown marked a turning point in computer security and processor architecture. They revealed a fundamental flaw in modern CPUs, related to the use of so-called speculative execution to optimize performance.

Speculative execution, as we have noted many times, is a technique that lets a processor anticipate future instructions and execute them before they are actually needed. The approach brings clear performance benefits, but it has also opened the way to a large number of side-channel attacks against processors. In the years that followed, countless similar vulnerabilities came to light.

Although speculative execution improves performance, it can also create a side channel through which confidential information can be extracted. Side-channel attacks do not target the software or the data directly; instead, they exploit the behavior or physical properties of the system to infer material that should remain well guarded.

Spectre V2, an attack affecting Intel CPUs and Linux systems

A group of researchers has identified a new exploit that abuses vulnerabilities in speculative execution. Spectre v2 is a variant of the security flaw discovered in 2018.

This time the security flaw affects Linux systems based on Intel CPUs. Once again, attackers can exploit it to extract information from the cache and get hold of sensitive data (such as account passwords, cryptographic keys, personal and confidential data, software code, and more).

The presented approach uses two attack methods: Branch Target Injection (BTI), which manipulates branch prediction (think of the if...then...else clauses of programs) to steer execution down unauthorized paths, and Branch History Injection (BHI). The latter acts on the branch history to cause speculative execution of chosen portions of code, leading to the disclosure of confidential data.

The branch history is the record of decisions made by the CPU's branch prediction units while a program executes. In modern processors, a program's instruction flow is influenced by control structures such as conditional branches ("if", "else", "while" statements, and so on). The branch prediction units inside the CPU try to predict the outcome of each jump based on its previous history.

Existing defense techniques are insufficient to block Spectre V2 attacks

Intel has already acknowledged the security issues in question: the BTI and BHI vulnerabilities are tracked as CVE-2022-0001 and CVE-2022-0002, respectively.

The fact is that the new exploits extend the set of affected systems and directly affect the Linux kernel. The Linux Foundation, for example, noted that the new security threats will be followed up by the Linux kernel development team.

The newly published study demonstrates that existing mitigation techniques, such as disabling privileged eBPF and enabling (Fine)IBT, are not sufficient to stop exploitation of the BHI attack method against the Linux kernel/hypervisor.

eBPF is a technology that allows custom code to run inside the Linux kernel; disabling the privilege limits what eBPF code can do on the system. Enabling (Fine)IBT is meant to protect the system against attacks that exploit indirect branch prediction, but it has proven ineffective at completely stopping attacks that exploit the branch history.

SUSE Linux confirmed the impact of the security issue, while Red Hat, for example, played it down, explaining that unprivileged eBPF is disabled by default on RHEL, so the issue is not exploitable in standard configurations.
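As an added example (not from the article or from any of the vendors named), the following POSIX shell script reads the Spectre v2 status the kernel itself reports under sysfs together with the kernel.unprivileged_bpf_disabled sysctl, and turns them into a short verdict an administrator can act on. The exact sysfs wording it matches on, including the "BHI:" field that recent kernels append, is an assumption, and the sample strings used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: summarize the kernel's reported Spectre v2 / BHI mitigation
# status and whether unprivileged eBPF is disabled. Not code from the article.
SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# classify_spectre_v2 STATUS
# Prints one of: not-affected, vulnerable, bhi-unmitigated, mitigated, unknown.
classify_spectre_v2() {
    status="$1"
    case "$status" in
        "Not affected"*) echo not-affected ;;
        Vulnerable*) echo vulnerable ;;
        Mitigation:*)
            # Assumed format: recent kernels append "; BHI: <state>" to the line.
            # "BHI: Vulnerable" means Spectre v2 is mitigated but BHI is not.
            case "$status" in
                *"BHI: Vulnerable"*) echo bhi-unmitigated ;;
                *) echo mitigated ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# unprivileged_bpf_state VALUE
# kernel.unprivileged_bpf_disabled: 0 = enabled, 1 = disabled (locked),
# 2 = disabled but can be re-enabled by root.
unprivileged_bpf_state() {
    case "$1" in
        0) echo enabled ;;
        1|2) echo disabled ;;
        *) echo unknown ;;
    esac
}

# report: read the live values (falls back gracefully when run off-Linux).
report() {
    if [ -r "$SPECTRE_V2_SYSFS" ]; then
        s=$(cat "$SPECTRE_V2_SYSFS")
    else
        s="unavailable"
    fi
    bpf=$(sysctl -n kernel.unprivileged_bpf_disabled 2>/dev/null || echo "?")
    echo "spectre_v2: $s"
    echo "verdict: $(classify_spectre_v2 "$s")"
    echo "unprivileged eBPF: $(unprivileged_bpf_state "$bpf") (sysctl=$bpf)"
}

report
```

A verdict of bhi-unmitigated together with unprivileged eBPF enabled is the combination the article's distributor statements are about; on RHEL the sysctl defaults to disabled.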

For a complete list of Intel processors affected by the various speculative execution vulnerabilities, you can consult this updated page.

The opening image is from Intel.
