{"id":45633,"date":"2022-03-08T22:36:00","date_gmt":"2022-03-08T22:36:00","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/new-attack-bypasses-hardware-defenses-for-spectre-flaw-in-intel-and-arm-cpus\/"},"modified":"2022-03-08T22:36:00","modified_gmt":"2022-03-08T22:36:00","slug":"new-attack-bypasses-hardware-defenses-for-spectre-flaw-in-intel-and-arm-cpus","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/new-attack-bypasses-hardware-defenses-for-spectre-flaw-in-intel-and-arm-cpus\/","title":{"rendered":"New attack bypasses hardware defenses for Spectre flaw in Intel and ARM CPUs"},"content":{"rendered":"
<\/div>\n

The hardware-based mitigations introduced in Intel and ARM CPUs over the past few years to fix a serious flaw called Spectre are not as strong as believed. Researchers have devised a new attack method that can defeat the defenses, but exploitation is not as easy as with the original flaw.<\/p>\n

The new attack<\/a>, discovered by researchers from the Systems and Network Security Group at VU Amsterdam (VUSec) is called Spectre-BHI, for Branch History Injection, or Spectre-BHB, for Branch History Buffer, because Intel and ARM assigned different names to it. According to the research team, it is an extension of the 2017 Spectre version 2 attack, also known as Spectre-BTI (Branch Target Injection) and, similarly to Spectre v2, can result in the leak of sensitive information from the privileged kernel memory space.<\/p>\n

The proof-of-concept exploit created by the VUSec researchers leaks the hash of the root password from the \/etc\/shadow file by using an unprivileged account. The \/etc\/shadow file is a system file on Linux that is only accessible to the root administrative account. Essentially, the exploit forces the kernel to load the file into memory, where it would normally be protected from access by unprivileged processes, but then leverages the Spectre-BHI attack to access and leak its contents. This is a major security breach of the fundamental security boundary in modern operating systems that separates usermode applications and memory space from privileged kernel memory space.<\/p>\n

What is Spectre?<\/strong><\/h2>\n

Spectre<\/a> is a class of security vulnerabilities, originally disclosed by January 2017, that stem from a performance-related feature of modern CPUs called speculative execution where the CPU tries to predict in advance which path a program’s execution will take when it reaches a conditional branch and execute instructions on that path in advance. If the prediction, which is based on internal algorithms, turns out to be bad, the results stored in temporary CPU caches are discarded. Speculative execution attacks like Spectre, and many others that followed, trick this mechanism to leak information from temporary caches that act as side channels.<\/p>\n

“Back in the days when Spectre was found, you could easily exploit Branch Target Injection (BTI or Spectre-v2), the most dangerous Spectre variant, across privilege levels,” the VUSec researchers explain. “For example, an unprivileged userland attacker could feed any branch target to the indirect branch predictor from userland and trick the kernel into speculatively jumping into the injected target code location and executing the code found there.”<\/p>\n

To mitigate the risk, software vendors such as Google and the Linux kernel developers came up with software-based solutions such as retpoline. While these were effective, they introduced a significant performance hit, so CPU vendors later developed hardware-based defenses. Intel’s is called EIBRS and ARM’s is called CSV2.<\/p>\n