New Research on Speculative Execution Attacks: AMD, Intel, ARM, IBM Processors Vulnerable
There has been a lot of research conducted to determine the root cause of speculative execution attacks against modern processors and as it turns out the recently released research paper by the researchers at the Graz University of Technology explains the exploitation of pre-fetching effect more accurately than the previously published papers. It clearly states that the underlying root cause was misattributed in the previous works.
The pre-fetch instruction does not actually pre-fetch kernel addresses into the cache, and it has lead to the drawing of incorrect conclusions which has resulted in the adoption of incorrect and inefficient mitigation techniques.
In Fact, it has been found that the exploitation of the effect is caused by speculative dereferencing of user-space registers in the kernel. The pre-fetching effect is unrelated to software pre-fetch instructions or hardware pre-fetching effects due to memory accesses.
The research focuses on a specific code path containing a spectre BTB gadget, which is chosen because it can be reliably triggered on both Linux and Windows. The researchers have demonstrated that an attacker can observe caching of the address stored in a register of different context.
Findings
The research has found that actual data can be leaked through Spectre Prefetch gadgets which are responsible for fetching data from the last level cache to higher levels. The data leaked is not just from internal buffers but arbitrary data from memory.
Speculative execution is the underlying cause of the attack as per the researchers and therefore can have an effect on CPUs from hardware vendors like AMD, ARM and IBM. JavaScript can also be used to trigger these effects in browsers, enabling the attackers to leak the physical addresses of the JavaScript variable.
For systematically analyzing the effect, the leakage capacity was investigated by implementing a cross-covert channel which works without shared memory. A technique named Dereference Trap is presented to leak the values of registers used in the SGX via speculative dereferencing.
The paper talks about the transition from address-translation attacks to Foreshadow L3. In the address-translation attack, the attacker tries to verify whether two virtual addresses map to the same physical address. The limitation imposed on this attack is the probability of the guessed address being pre-fetched. So, the attack performance is measured in successful fetches per second, the more the fetches per second, less time to mount the attack. The paper elaborately describes the requirements for the address-translation attack to succeed, and every hypothesis is tested for drawing conclusions.
Other findings constituted that it is possible to fetch addresses from hypervisors into the cache from the guest operating system by triggering interrupts, enabling Foreshadow (L1TF) on data from the L3 cache. The research also showed that even when Foreshadow mitigations are enabled ( and the unrelated Spectre-BTB mitigations are disabled), Foreshadow attacks on data from the L3 cache are possible.
Mitigations
In talking about the mitigation techniques, the researchers emphasized on enabling Spectre-BTB mitigations, including retpoline on current CPUs to fully mitigate high impact micro-architectural attacks such as Foreshadow.
